Westpac customer service asks for SMS code

Please note this sub-forum does not provide professional finance advice. You should seek advice from a licensed financial advisor.

To post in this sub-forum you must have made 100 posts or have Trust status or have completed our ID Verification.

If investing please consider our affiliate link for new accounts: Sharesies.

Forums › Finance and wealth management › Westpac customer service asks for SMS code - poor security?

1 | 2 | 3 | 4

2330 posts

Uber Geek
+1 received by user: 1252

#3400572 7-Aug-2025 09:45

robocat:

First time they were fixing THEIR cockup where they were charging my father's account every time I chose "savings". Took them over a month to work that one out - when dad saw a bill that he worked out was me. They were just calling to confirm they could transfer $1,612.75 out of my account to pay my Dad back for the erroneous transactions!

Are your accounts tied to your father's somehow? It does odd otherwise.

snj

305 posts

Ultimate Geek
+1 received by user: 221

#3400597 7-Aug-2025 11:01

tripper1000:

First you won't get scammed into 2FA'ing your own account for a scammer if you read the SMS message! It isn't just a code, it has some framing and context around it.

As much as I want to agree with you, the fact is there is evidence that this is not true in practice. Examples without even trying:

Also just need to look at how mobile phones handle SMS 2FA codes, my iPhone will recognise that a text I just got was a 2FA code and offer to enter it into a prompt, I can have my phone on Do Not Disturb and not even see the context of the message until the next time I check my notifications manually or go into Messages.

The sad truth is, people are trained to "see code, enter code", without reading the full message, just find the 6 digits and get it over with.

Thats not even getting started on companies doing absolutely silly things when it comes to 2FA-type systems. AMI is a good example, call them "We'd like to verify your identity, we will text you a code and enter it followed by a # key", never mind the fact that they're often sending it to the same phone you're calling from (which makes it laughable to start with), they're normalising giving codes over the phone.

richms

29119 posts

Uber Geek
+1 received by user: 10234

Trusted

Lifetime subscriber

#3400621 7-Aug-2025 12:20

Also the scammers will create a sense of urgency with people in order to get them to comply. They will not read the full SMS and just see the code and give it away. Scammers will have some believable crap to spin that only has to work a few % of the time

Most people will hear unauthorized transactions and panic about it and stop thinking right. The scammers have their stories worked out really well and to have a bank asking for codes in the same way that scammers do to act as the customer when blocked by 2 factor is negligent and they need to cover the losses because of their crap security.

Richard rich.ms

alasta

6899 posts

Uber Geek
+1 received by user: 3380

Trusted

Subscriber

#3400685 7-Aug-2025 14:07

It's going to be interesting when people start using the new iOS feature that allows an AI assistant to ask unidentified callers who they are and why they are calling. If my phone rings and Siri tells me it's someone calling from my bank then I would probably reject the call on the assumption that it's a scam.

Realistically the only way for my bank to communicate with me is through the instant messaging feature on their app. If I get a message about something that requires discussion then I'll call them or drop into the branch near work.

I'm surprised that anyone is still using SMS for anything let along 2FA.

robocat

114 posts

Master Geek
+1 received by user: 62

#3401021 8-Aug-2025 12:31

Banking Ombudsman update:

They wait for Westpac to go through their customer complaints process first. I'm working through that now and they know I've followed up with the Ombudsman.

If I'm not happy with the resolution, then the ombudsman can't do anything unless Westpac give me a "final position" or I've waited two months. https://bankomb.org.nz/the-complaint-process

The Ombudsman has a separate prevention wing for systemic issues rather than individual complaints.

Any knowledgeable advice on how to escalate to the prevention wing would be welcome (generic advice is less useful).

Any other Westpac customer that wants to also make a similar complaint to the Ombudsman - go ahead.

I don't often deal with lawyers or security consultants but they are not cheap. I'm willing to throw some money at this (like most working age NZers I already pay a few tithes worth of taxes, so a little extra where I'm choosing to tax myself focused directly is okay). I'd be happy for any recommendations for how to do that most effectively.

antant

119 posts

Master Geek
+1 received by user: 30

#3401242 9-Aug-2025 14:16

Thought you might find this relevant ... received this email from ANZ yesterday which I think makes it quite clear of their expectations in regards to disclosing codes.

BNZ also has similar advice on their website ...

If Westpac are suggesting you should disclose the codes, that's certainly an outlier.

Lenovo

Shop now for Lenovo laptops and other devices (affiliate link).

Handle9

11949 posts

Uber Geek
+1 received by user: 9718

Trusted

Lifetime subscriber

#3401920 11-Aug-2025 23:48

robocat:

Maybe time for me to apply for a credit card from a different bank. I do have a sleeper account with TSB. I love their service levels. The back office security of small banks scares me more than Westpac's (don't look closely if you know what's good for you).

If you want a bank that is a clown show, seemingly run by Outlook and Excel and populated by nice people then TSB is the bank for you.

Honestly just don't. Their systems are appalling.

Earbanean

1119 posts

Uber Geek
+1 received by user: 379

#3401948 12-Aug-2025 09:11

antant:

Thought you might find this relevant ... received this email from ANZ yesterday which I think makes it quite clear of their expectations in regards to disclosing codes.

BNZ also has similar advice on their website ...

If Westpac are suggesting you should disclose the codes, that's certainly an outlier.

Westpac isn't an outlier. These other banks aren't necessarily saying they don't use SMS codes for authentication. They're just saying things like "Don't give out...", "Don't share verbally...", etc. I know for a fact that ANZ definitely do use SMS codes to authorise online banking payments - because I got one a day ago when I did a transfer from a rugby club bank account that I'm a signatory on. I've no experience with BNZ.

alasta

6899 posts

Uber Geek
+1 received by user: 3380

Trusted

Subscriber

#3402033 12-Aug-2025 12:13

BNZ most certainly do not use SMS, otherwise I would have moved my custom elsewhere long ago.

Earbanean

1119 posts

Uber Geek
+1 received by user: 379

#3402065 12-Aug-2025 13:44

alasta:

BNZ most certainly do not use SMS, otherwise I would have moved my custom elsewhere long ago.

Out of interest, where would you have moved your custom to?

alasta

6899 posts

Uber Geek
+1 received by user: 3380

Trusted

Subscriber

#3402070 12-Aug-2025 14:04

Earbanean:

Out of interest, where would you have moved your custom to?

I would have got my mortgage broker to provide advice on that, but I suspect ASB would be the most likely contender.

Lego

Shop now for Lego sets and other gifts (affiliate link).

Earbanean

1119 posts

Uber Geek
+1 received by user: 379

#3402101 12-Aug-2025 16:18

alasta:

Earbanean:

Out of interest, where would you have moved your custom to?

I would have got my mortgage broker to provide advice on that, but I suspect ASB would be the most likely contender.

Again hypothetical, but if the few banks that don't use SMS authentication all had slightly higher (say 10 basis pts) mortgage rates, would you still move because of the SMS?

alasta

6899 posts

Uber Geek
+1 received by user: 3380

Trusted

Subscriber

#3402102 12-Aug-2025 16:26

Earbanean:

Again hypothetical, but if the few banks that don't use SMS authentication all had slightly higher (say 10 basis pts) mortgage rates, would you still move because of the SMS?

Yes.

Asteros

363 posts

Ultimate Geek
+1 received by user: 189

#3402165 12-Aug-2025 19:07

alasta:

BNZ most certainly do not use SMS, otherwise I would have moved my custom elsewhere long ago.

Ive had 2 factor SMS from Kiwibank, ANZ and Westpac. I get 2 factor app notifications from BNZ and ASB.

alasta

6899 posts

Uber Geek
+1 received by user: 3380

Trusted

Subscriber

#3402333 13-Aug-2025 08:56

Whilst app based 2FA is much better than SMS, it's still not ideal because it's dependant on you having access to a specific device (i.e. your iPhone). This becomes a problem if, for example, the device is damaged or the battery is flat. I would prefer the industry standard rolling code system that you can use to log into things like Google.

1 | 2 | 3 | 4