robocat
#320317 31-Jul-2025 01:44

When a Westpac customer service agent calls me they ask me to tell them an SMS code.

An example from another provider (Wise) states: "How to tell if you're talking to us: 1 We'll never ask for your password, or for an SMS code sent to your phone."

Westpac normalises having a person call and then requesting an SMS code.

A customer cannot verify that it is Westpac that is calling them, so a threat actor could fraudulently call and request that a customer tell them an SMS code (which could cause financial harm to a customer).

Mentioning here because:

1: I have reported this to Westpac. If anybody is scammed by someone asking for an SMS code, they can argue that Westpac themselves normalized that (might help if defending a claim).

2: I'm interested in the opinions of security professionals about this "security" practice.

3: I generally find Westpac security to be crap (1: proper 2-factor authentication unavailable - they use cellphone when other banks can provide an OTP token device; 2: their firewall blocked overseas users from accessing their account - issue lasted many weeks and personally caused me some troubles while I was traveling).

freitasm
#3398586 31-Jul-2025 01:49

You're right. This is a shocking security practice.

geek3001
#3398605 31-Jul-2025 07:53

I have adopted a policy when dealing with banks, or any other entity that requires me to provide over-the-phone proof of who I am.

If they call me, then I refuse to answer any ID or security-related questions.

I will ONLY answer ID or security-related questions if I have called them.

I would also seriously question being asked to provide an SMS code or OTP over the phone. What's next, asking me for my payment card PIN?? We have been consistently told not to share these things.

If needs be, I will ask for the caller's name, and then call the bank on one of their publicly advertised numbers and proceed from there as it seems much less likely that I would be talking to a scammer by that method.

While I appreciate that my rationale might not be fully correct, it is based upon the notion that I have no way of checking the caller's bona fides, therefore I am not providing any ID info or answering any security-related questions.


cddt
#3398607 31-Jul-2025 08:01

robocat: When a Westpac customer service agent calls me they ask me to tell them an SMS code.

This is an absolute red flag for a scam. Are you sure you haven't been scammed?

Linux
#3398616 31-Jul-2025 08:32

I would have refused to hand it over and taken the staff member's name and then laid an official complaint with Westpac

BNZ sends a request to the App to approve and it is the great


nztim
#3398617 31-Jul-2025 08:32

ANZ and ASB send a notification to the official app on your phone, this is a far better practice

robocat
#3398620 31-Jul-2025 08:40

cddt: Are you sure you haven't been scammed?

It wasn't a scam: just normal business!

First time they were fixing THEIR cockup where they were charging my father's account every time I chose "savings". Took them over a month to work that one out - when dad saw a bill that he worked out was me. They were just calling to confirm they could transfer $1,612.75 out of my account to pay my Dad back for the erroneous transactions!

Second time was for detailed mortgage, income and expenses information for a credit card application - no red flags there... right?

Personally, Westpac security feels like security theatre. Both times they had called me on my cellphone but asked for the SMS code that was texted to me from a random 4 digit short number (so no way it verifies them).

The first time I declined and then she asked further security questions "what was your last transaction". Total bullshit.

My next step is to get a separate mobile number that I only use for banks.

At TSB, I requested an OTP token. They still confirm large transactions using SMS texts - you can't secure yourself against these arseholes.

My Westpac has a facility that allows 1/2 a house worth of cash to be taken out. The security for my account really matters to me. But I want that facility (optionality) so I don't want to just change banks.

Linux: would have refused to hand it over and taken the staff member's name and then laid an official complaint with Westpac

That's a dik move. Don't take corporate decisions out on the staff that have no power. I'm not sure how to escalate it beyond emailing them a complaint and posting here about their crappy security practices.

Earbanean
#3398631 31-Jul-2025 09:12

Just for my education (and maybe others too), why exactly is confirming a code sent by SMS a security problem, if they had called you on that mobile anyway?  Or would this be situations where they'd called a landline and were then potentially 'discovering' your mobile number?


freitasm
#3398633 31-Jul-2025 09:16

Earbanean: Just for my education (and maybe others too), why exactly is confirming a code sent by SMS a security problem, if they had called you on that mobile anyway? Or would this be situations where they'd called a landline and were then potentially 'discovering' your mobile number?

If a scammer gains access to your bank account login and password (through some malware for example), they could log in to your account and try to start a money transfer.

When confronted with the "We have sent an SMS to confirm this transaction", he could call you and pretend to be from the bank:

"Hi @Earbanean, I'm from Bank of Scam and there's something weird on your account. We just sent you an SMS to confirm you are the right person. Could you confirm the number in the SMS?"

You, not aware or busy with something, read the number. The scammer enters it online and your money is gone.

An app notification is much harder to fake. If someone from the bank calls you, only their internal systems could send a notification to the app that reads "I'm confirming this is from the bank".
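
A small model of the difference described in the post above, added here as an illustration; it is not part of any post in this thread and not any bank's real system. It shows that a bare SMS code confirms whatever action is pending regardless of who relays it, while an app approval is tied to the action shown on the customer's screen. The per-device key, the class and function names, and the action strings are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

DEVICE_KEY = secrets.token_bytes(32)  # assumed: provisioned when the app is enrolled

def tag(*parts):
    """HMAC over the message fields, keyed with the per-device key."""
    return hmac.new(DEVICE_KEY, "|".join(parts).encode(), hashlib.sha256).hexdigest()

class SmsBank:
    def start(self, action):
        self.action, self.code = action, f"{secrets.randbelow(10**6):06d}"
        return self.code  # texted to the customer with no statement of purpose

    def confirm(self, code):
        # A bare code confirms the pending action no matter who relays it.
        return self.action if hmac.compare_digest(code, self.code) else None

class PushBank:
    def start(self, action):
        self.action, self.nonce = action, secrets.token_hex(8)
        return {"action": action, "nonce": self.nonce,
                "tag": tag("request", action, self.nonce)}

    def confirm(self, approval):
        # The approval must be a MAC over this exact action and nonce.
        expected = tag("approve", self.action, self.nonce)
        return self.action if approval and hmac.compare_digest(approval, expected) else None

def app_review(push, customer_expects):
    """The app checks the bank's MAC, shows the action, and the customer decides."""
    if not hmac.compare_digest(push["tag"], tag("request", push["action"], push["nonce"])):
        return None  # not sent by the bank's systems
    if push["action"] != customer_expects:
        return None  # the screen shows something the customer did not ask for
    return tag("approve", push["action"], push["nonce"])

TRANSFER = "transfer to new payee"        # constructed: started from a stolen login
CALL_CHECK = "verify call from the bank"  # constructed: what the caller claims

def sms_outcome():
    bank = SmsBank()
    code = bank.start(TRANSFER)
    return bank.confirm(code)  # customer read the code aloud, believing CALL_CHECK

def push_outcome(started_by_bank):
    bank = PushBank()
    push = bank.start(CALL_CHECK if started_by_bank else TRANSFER)
    return bank.confirm(app_review(push, customer_expects=CALL_CHECK))
```

In this model the customer's reading of the screen is reduced to a string comparison; the point is that the SMS path has no equivalent step at all.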







Earbanean
#3398634 31-Jul-2025 09:26

freitasm:

If a scammer gains access to your bank account login and password (through some malware for example), they could log in to your account and try to start a money transfer.

When confronted with the "We have sent an SMS to confirm this transaction", he could call you and pretend to be from the bank:

"Hi @Earbanean, I'm from Bank of Scam and there's something weird on your account. We just sent you an SMS to confirm you are the right person. Could you confirm the number in the SMS?"

You, not aware or busy with something, read the number. The scammer enters it online and your money is gone.

An app notification is much harder to fake. If someone from the bank calls you, only their internal systems could send a notification to the app that reads "I'm confirming this is from the bank".

Ah, I see. So the SMS code would be legit from the bank and the scammer needs to get it. I'd been thinking in terms of the scammers sending a code to your phone, which I couldn't really see the point of.

I guess in the case above from an unsolicited call I'd (hopefully) question why they'd send a code to the number they were ringing anyway - since my only number is my mobile. However, I'd say a lot of people definitely wouldn't. Particularly someone like my mum. So yep, a bit of a problem.


freitasm
#3398637 31-Jul-2025 09:33

The scammer only needs to get it right once. You have to get it right all the time. It's an imbalance. A lot of people will fall for it.


concordnz
#3398653 31-Jul-2025 10:27

A complaint to Westpac will achieve nothing

(but I agree it's unacceptable practice)

You have 3 options.

1) Banking Ombudsman (but you need to identify and articulate the failing accurately)

2) Privacy Commissioner (Maybe?)

3) I'm sure there's a Cyber Commissioner office - but I can't recall the official name/title.

4) Raise it with our National Cyber Security Centre.

Or raise it with all four offices.

You need to go higher than Westpac themselves, if you want any 'actual' change - otherwise you are just shouting into a black hole. If you just want to vent with no change, then sure raise it with Westpac.

If you want 'real change' - and an improvement in your personal banking security - raise it with the national organisations.


Earbanean
#3398658 31-Jul-2025 10:43

To be fair, the only point of complaining to Westpac (and higher) would be to protect the general population - and that's certainly a valid endeavour if you have the time.  However, to protect yourself and your family, is much quicker and simpler.  Just discuss the scam and agree to never give codes to unsolicited callers.


robocat
#3398659 31-Jul-2025 10:48

concordnz: 1) Banking Ombudsman (but you need to identify and articulate the failing accurately)

https://bankomb.org.nz/five-things-your-bank-should-never-ask-you says:

Your bank should never:

  • ask you for texted codes, passwords or PIN numbers

LOL!

I had looked into the ombudsman but I didn't bother with a complaint because (1) it looked like they had no teeth - it appears to be a private organisation and is not like the UK ombudsman, and (2) I hate feeling like I'm wasting my time

FYI Here's the text of the SMS sent from telephone number 4582 (shortcode):

THE TXT:

From Westpac: Your verification code for account access is 123456

If you were not expecting to receive a code, please call us on 0800 400 600 or if calling from overseas +64 9 912 8000. Alternatively you can visit your local Westpac Branch.


freitasm
#3398666 31-Jul-2025 11:07

Even those phone numbers in the SMS shouldn't be there. Banks should always tell people to call the numbers on their cards or the numbers from the official website. And obviously the SMS shouldn't have a link to anywhere either - because phone numbers and links on SMS could be just going to the scammers.




