My wife locked herself out of her Internet Banking account and used the "Forgot Password" facility to reset her account. She gave her customer number, a new password, and then the system sent her a text message with an "online code" to validate the password change. Too easy by far, and pretty typical behavior for lots of web sites. The online code is about providing two-factor authentication, but in this case, you don't authenticate with the bank at all. You are relying on having a PIN on your phone, and having set the phone to not show incoming text messages. This seems like another example of why it's a bad idea for people to have their phone and wallet together.
Does anyone know of ways in which a customer can make this system better? A CSR at ANZ Bank said there was a setting on the web site to stop the online code for password change, but this still allows password changes.