In response to a significant cyber threat, Melbourne-based ANZ Bank has announced its plans to eliminate traditional passwords for its digital banking services. This move comes amid revelations that hackers have successfully bypassed multi-factor authentication to steal the banking credentials of thousands of Australians. ANZ Bank, a major player in the banking sector with assets exceeding AU$1.23 trillion, is set to implement passwordless authentication for its ANZ Plus Web Banking service by mid-2025. This initiative will position ANZ as the first Australian bank to adopt such an advanced security measure, aiming to protect customers from data breaches and phishing attacks.
The urgency of this security upgrade is underscored by a recent warning from cybersecurity firm Dvuln. The company has reported that cybercriminals used infostealer malware to compromise the banking credentials of over 30,000 Australian internet banking users between 2021 and 2025. The stolen data, including details from customers of major banks like CommBank, ANZ, NAB, and Westpac, has been traded on platforms such as Telegram and the dark web. Dvuln notes that the actual number of affected users could be much higher due to undetected infections and private trades of compromised credentials.
Dvuln has also highlighted the limitations of traditional multi-factor authentication systems. Infostealers sidestep them by capturing authentication cookies and session tokens from an already-authenticated browser: replaying a live token lets the attacker enter a session that has already passed the MFA check, so the second factor is never prompted again and the activity looks like the legitimate user to anomaly detection. This raises concerns about the effectiveness of current security measures in preventing identity theft and fraudulent transactions, prompting the need for more robust solutions like passwordless authentication.
This push for enhanced security measures is part of a broader trend in financial regulation. The Australian government recently passed the Scams Prevention Framework, which holds social media companies, banks, and telecommunication firms accountable for consumer scam losses, with potential fines of up to AU$50 million for non-compliance. This legislation mandates banks to verify payee identities, ensuring transparency in financial transactions. Similarly, Singapore’s monetary authority announced plans to phase out auto-generated one-time passwords, advocating for digital tokens as the sole authentication method to prevent phishing attacks.
These developments highlight a global shift towards more secure and user-friendly banking solutions. By adopting passwordless authentication and digital tokens, banks aim to provide customers with safer ways to manage their finances, protecting them from increasingly sophisticated cyber threats. This transition is expected to enhance the overall security landscape of the financial sector, safeguarding consumer data and maintaining trust in digital banking services.