This is a funny little discovery when I was trying to do some quick edits on my bank statement.
Disclaimer: No, I'm not trying to mock the banking institution. And this is not really a writeup for a vulnerability of a banking statement systems at all. Just some little hurdles I wanna (slightly) rant when I wanna redact stuff for privacy.
For context, no, I'm not using it for scamming, I simply just wanted to draw a big black rectangle over my money flow on my bank statement, since I only need to send ++just++ the header part that contains my legal name, alongside my bank name and account number for my salary payment from my part time work. And yes, I need more money for multiple reasons, including and not limited to do more 1 Miss-tys on maimai... Also stretching every single RM in my wallet is really really not fun, I assure you.
Step 00: The Roadmap
*pulls out the Gru explaining meme*
I go to bank app. I download the statement. I send the statement to my laptop. I edit the statement. I got blocked by the PDF file. I save and send the edited statement.
Should be no issues all the way I suppose...? (massive massive foreshadowing)
Step 01: Get + Send statement
Look, I'm not bothered at all going through the bank's site (in my case, Maybank) when I already had the MAE app installed, where I just need the app PIN to access (almost) all the bank's features. So a quick navigation to the Statements page, look for my latest statement, then hit the Share button to directly share to my laptop via Localsend (Tech tip: Real good cross-platform file sharing app, and yes, this includes on iOS too! ... and also I lied, I actually saved a local copy first using my file manager first then Localsend it over, but hey it's the same, I just want a local copy of the statement that 's all).
Step 02: Foreshadowed
Opened a new A4-sized canvas on Photoshop, and pulled the statement PDF over. Until I got hit with this...
Yes, I can open the statement file no problemo on my PDF reader (in this case, Acrobat), and yes, no passwords even needed, but somehow Photoshop is not happy on me throwing this very file into their image editor.
So I went back to Acrobat to see what's up with a file, and yes, turns out this file is password protected since the very beginning, according to the file properties.
As for the password... I actually have no idea what it was. So I do a quick Google search with the plain 'ol "M2U statement password" keyword, and there is one article from the bank themselves... Upon further digging in the documentation, it is actually a documentation for statements sent via email... Which I conveniently don't have it enrolled (I mean I can check things in real time, then why the need for a monthly statement unless it's for business/official use?), where this can be (or not) be an important piece of the puzzle of what should be the password, either using a user-predefined password, or a combination of letters or numbers the bank predefined using some of your personal information provided to the bank (FYI, I knew this since another bank of mine actually sent the instructions in the monthly email statements, despite I actually never enrolled for it in the first place).
Plan A: Crashed and burning. Time to look for Plan B. Went back to Acrobat for more clues, and on the same panel, I 1 Miss-ty'd the bottom part:
You can't edit the file... But you can still print it. Interesting.
This gives a new realm of possibilities. Plan B is now: in Gru's tone I "print" the file. I put the "printed" file to Photoshop. I edit the file. I save the file. I send the file.
Step 03: ~~Print. Edit. Send.~~** Profit.**
Thankfully, Windows do have a pre-installed "printer driver" to "print" your files as a .pdf file. So a quick set on the "printer" to "print" the file on an A4-sized "paper", press Print, and boom, a new PDF with the statement is out.
An anticlimactic ending yes, it's a really expected ending. The "printed" file basically is just another PDF file, with no security at all and you can just drag it into Photoshop without any issue, do the redaction within minutes, export it, and sent to the person in charge for my part time agent.
Concluding words...
Security for reals? I dunno. IMO it's more on anti-tampering, since bank records can be falsified, but for the initiated, it's really a very very small hurdle to get past if bad actors are really motivated to make a 1:1 fake bank statement...
Especially those with actually good Photoshopping skills (which in my defense, I don't have that).
Side note: Upon further checking the Show Details menu while I was writing this, it seems like there are two different passwords. One is for document opening, while another is a "permissions password" where the latter looks like the very password for permissions thingy, where this looks like a password that will **not **be publicly shared/known the pattern.
Posted from my blog, the 1 Miss-ty Corner: https://1miss-ty.exeos.work/2026/01/sparkle-security-sparkle.html