An example from another provider (Wise) states: "How to tell if you're talking to us: 1 We'll never ask for your password, or for an SMS code sent to your phone."
Westpac normalises having a person call and then requesting an SMS code.
A customer cannot verify that it is Westpac that is calling them, so a threat actor could fraudulently call and request that a customer tell them an SMS code (which could cause financial harm to a customer).
Mentioning here because:
1: I have reported this to Westpac. If anybody is scammed by someone asking for an SMS code, they can argue that Westpac themselves normalized that (might help if defending a claim).
2: I'm interested in the opinions of security professionals about this "security" practice.
3: I generally find Westpac security to be crap (1: proper 2-factor authentication unavailable - they use cellphone when other banks can provide an OTP token device; 2: their firewall blocked overseas users from accessing their account - issue lasted many weeks and personally caused me some troubles while I was traveling).