Earbanean
1110 posts

Uber Geek
+1 received by user: 377


  #3398668 31-Jul-2025 11:10

robocat:

 

https://bankomb.org.nz/five-things-your-bank-should-never-ask-you says:

 

Your bank should never:

 

  • ask you for texted codes, passwords or PIN numbers

LOL!

 

 

I guess this comes down to the definition of "ask you". If that means giving a code to a person over the phone, then I assume Westpac would never do that. As I understand it, the codes are just intended to be entered into their app? Clearly entering passwords or PIN numbers into an app is not a breach of this regulation and not what the Ombudsman is referring to, i.e. because that's a legit way to log into an app, website, ATM, etc.

 

The security risk comes from scammers asking you for a code over the phone - but that's different from the bank breaking a regulation by their use of the codes.




robocat

114 posts

Master Geek
+1 received by user: 62


  #3398671 31-Jul-2025 11:20

Earbanean,

 

Don't assume! I'm reporting that the issue is that the customer service agents are asking for the code over the phone as part of the Westpac security flow to verify me using "2 factor authentication". Especially weird when they have just called my phone! I've brought it up on geekzone to double check that other people think the practice is as terrible as I think it is. It isn't the fault of the agents and I don't want to cause them grief. The issue is that Westpac have designed horrific security processes!

 

I've now emailed a complaint to the banking ombudsman... Let's see if they have any teeth.

 

 


Earbanean
1110 posts

Uber Geek
+1 received by user: 377


  #3398675 31-Jul-2025 11:30

robocat:

 

Earbanean,

 

Don't assume! I'm reporting that the issue is that the customer service agents are asking for the code over the phone as part of the Westpac security flow to verify me using "2 factor authentication". Especially weird when they have just called my phone! I've brought it up on geekzone to double check that other people think the practice is as terrible as I think it is. It isn't the fault of the agents and I don't want to cause them grief. The issue is that Westpac have designed horrific security processes!

 

I've now emailed a complaint to the banking ombudsman... Let's see if they have any teeth.

 

 

Wow, didn't realise they did that.  I've had various bank websites/apps ask for a code as verification for an online/app originated transaction, but didn't realise any would do that over the phone.  I guess I don't really do much if anything over the phone.  




mattwnz
20515 posts

Uber Geek
+1 received by user: 4795


  #3398695 31-Jul-2025 13:08

Slingshot do this now for the security


snj
305 posts

Ultimate Geek
+1 received by user: 221


  #3398728 31-Jul-2025 14:48

I've made a point of reminding my Mum who banks with Westpac (and gets calls from them about investments about to roll over).

 

Told her if she gets Westpac sending 2FA codes while on a cold call or asking personal information questions to just say "Oh so you're a scammer, I'm going to report this to Westpac's Fraud department, goodbye".

 

Hopefully if that happens, they might get the idea they're hypocrites.


MikeAqua
8024 posts

Uber Geek
+1 received by user: 3817


  #3398732 31-Jul-2025 15:00

I knew some people who won a sizeable banking ombudsman case against another bank because of this practice.





Mike


 
 
 

richms
29098 posts

Uber Geek
+1 received by user: 10209

Trusted
Lifetime subscriber

  #3398733 31-Jul-2025 15:06

Incoming calls need to prove who they are, not the other way around. Cold call me and ask me personal information or for a code or anything and I will just hang up after telling you to f off.





Richard rich.ms

robocat

114 posts

Master Geek
+1 received by user: 62


  #3398840 31-Jul-2025 17:17

geek3001:

 

I have adopted a policy when dealing with banks, or any other entity that requires me to provide over-the-phone proof of who I am.

 

I will ONLY answer ID or security-related questions if I have called them.

 

 

A fine waste of time game everybody can play.

 

A Westpac lending team guy just called me with a caller id of +64 9 375 99xx, then he said he needed to check something (maybe I've now been tagged as trouble). The same guy called back a minute later on NO CALLER ID (that's weird). I said I couldn't verify that it was Westpac calling, so he said to call back on 0800 177 277 and ask for $Bob. A quick Google confirms that number is the Westpac personal loan team. Called that number, automated system said wait time was 3 minutes, but after waiting 5 minutes $Bob emailed to say he needed to finish for the day...

 

I'm in a surly mood about this because I went to the crypto meetup yesterday. I don't have any crypto because I can't see how to secure myself (especially from pipewrench cryptanalysis) plus I worry about future taxation issues. So I'm on a security binge at present.

 

End of day and I still haven't heard back from the banking ombudsman (or from Westpac about my security complaint).

 

Maybe time for me to apply for a credit card from a different bank. I do have a sleeper account with TSB. I love their service levels. The back office security of small banks scares me more than Westpac's (don't look closely if you know what's good for you).


cddt
1965 posts

Uber Geek
+1 received by user: 1904


  #3398946 1-Aug-2025 06:37

robocat:

 

A Westpac lending team guy just called me with a caller id of +64 9 375 99xx, then he said he needed to check something (maybe I've now been tagged as trouble). The same guy called back a minute later on NO CALLER ID (that's weird). I said I couldn't verify that it was Westpac calling, so he said to call back on 0800 177 277 and ask for $Bob. A quick Google confirms that number is the Westpac personal loan team. Called that number, automated system said wait time was 3 minutes, but after waiting 5 minutes $Bob emailed to say he needed to finish for the day...

 

 

A few weeks ago a guy on reddit was complaining about being scammed because he looked up the number he had been called from. Google's "AI assisted search" confirmed the number was a BNZ number. However, the actual BNZ page it linked to referenced a different number. Yet another example of where "gen AI" cannot be relied upon (as if we needed any more). 





My referral links: BigPipeMercury


Batman
Mad Scientist
30012 posts

Uber Geek
+1 received by user: 6217

Trusted
Lifetime subscriber

  #3398999 1-Aug-2025 07:28

nztim:

 

ANZ and ASB send a notification to the official app on your phone, this is a far better practice

 

 

I applied on my ANZ app for an additional joint credit card for wife.

 

They rang me and asked to speak to wife and asked her all sorts of "ID" questions and I said sorry, I'm hanging up, bye.

 

She has an app so I'm not sure why she had to give them her private details.

 

Also I've had the card for years and she is a customer for years.

 

I find BNZ the best at the moment.


snj
305 posts

Ultimate Geek
+1 received by user: 221


  #3399025 1-Aug-2025 09:55

Batman:

 

I applied on my ANZ app for an additional joint credit card for wife.

 

They rang me and asked to speak to wife and asked her all sorts of "ID" questions and I said sorry, I'm hanging up, bye.

 

She has an app so I'm not sure why she had to give them her private details.

 

Also I've had the card for years and she is a customer for years.

 

I find BNZ the best at the moment.

 

 

If it's like ASB, it's because these days they've got to comply with the responsible lending code, adding as joint cardholder (i.e. joint liability) would trigger the additional checks (as opposed to additional cardholder).

 

They need a better way of doing it though... maybe something like secure bank mail/banner in Internet Banking "We need to discuss your application before approval, please make an appointment to speak to someone and at the nominated time call 0800 [main bank number] and enter code UVWXYZ". I recall ASB was a cold call (at least it was in 2021-ish), but I seem to recall they provided enough information to establish it was a legitimate call before they asked anything invasive.

 

That sort of solution would also solve OP's issues with their interactions with Westpac if they'd done that.  SMS from Westpac "We need to discuss your application, important details are on Internet Banking regarding next steps. Please login and check, we will never send links or ask for One Time Codes...", then information as a banner on mobile/internet banking with an in-app 'book a call time' screen. Follow up 15 minutes before, reminder to login to Internet/Mobile Banking "Reminder: Your appointment is at 3:30PM, login for 0800 number and meeting code".


 
 
 

1024kb
1197 posts

Uber Geek
+1 received by user: 519

ID Verified
Lifetime subscriber

  #3400103 5-Aug-2025 09:39

Not only do Co-operative Bank use the SMS method, but their app password has complexity limitations! The only requirements are 8 characters, 1 of which must be a letter & 1 must be a number. Upper / lower case is not a requirement & special characters are not allowed. You can enter special characters & they'll be accepted as part of your new password but within a few days the system will forget your password & you'll need to set a new one. The amateur approach to account security is scary. I've attempted several times to discuss this with a decision maker but they refuse to escalate.




Megabyte - so geek it megahertz

robocat

114 posts

Master Geek
+1 received by user: 62


  #3400115 5-Aug-2025 10:49

1024kb:

 

Co-operative Bank. The amateur approach to account security is scary.

 



I think it was that bank I am thinking of when I said "The back office security of small banks scares me". I think I saw them using XP well past its use-by date. I think they have home grown back office software written in Jade. Those kinds of practices in a bank are frightening. Even though I love the small banks and would rather use them (TSB have been amazing for me).

 

Meanwhile on-topic:

 

The ombudsman has replied and will be following up with Westpac. Let's see how that works.

 

And I emailed a reply that I couldn't verify they were calling. I've been told to go into a branch for some reason (I think to call them?). Who knows. Certainly asking Westpac to verify themselves when they call just causes a bunch of hassle that I'm not sure is worth it.

 

I think my next step is to open an ANZ account - I've always liked their branches in Asia... 

 

I'm annoyed HSBC stopped doing retail in New Zealand - and their branch in Uruguay was useful to me.


MadEngineer
4591 posts

Uber Geek
+1 received by user: 2570

Trusted

  #3400467 6-Aug-2025 20:57

In case it's not obvious to anyone reading this thread, take this example:

 

A friend sends you a Facebook message asking if you can help them with their Facebook account. Of course you agree. They then tell you that they're trying to reset their password or some story, and that you're about to be sent a verification code which they want you to provide to them. You're someone that they've chatted with recently on Facebook and the account function needs someone like yourself.

 

Once you provide it, you find yourself locked out of your own Facebook account as you've not helped your friend at all, rather you've helped someone that has just done the same to your friend and the code you were sent and passed on was the 2FA for the password reset to your account.  Now someone is pretending to be you, sending the same to all your friends.

 

How on earth would one know someone's not trying to get into your Westpac account using the same tactic?





You're not on Atlantis anymore, Duncan Idaho.

tripper1000
1648 posts

Uber Geek
+1 received by user: 1176


  #3400510 7-Aug-2025 09:00

People are getting a bit off-track here.

 

First, you won't get scammed into 2FA'ing your own account for a scammer if you read the SMS message! It isn't just a code, it has some framing and context around it.

 

ASB SMS states why you are receiving the SMS.

 

"Login Authorisation...."

 

"Outgoing Payment approval..."

 

followed up with:

 

"...call us if this wasn't you."

 

Yes, SMS is weak, but the weakness is actually that your bank security is as weak as your phone company's security. Scammers first disconnect your phone and get their phone connected to your phone number by tricking your phone company into giving them a replacement SIM (replacing a "lost" SIM etc) and from there they directly receive the 2FA SMS and all you know is that your phone has lost connection and later, that your bank account is empty.

 

 

