Online banking has become an essential part of managing money for many Australians, especially those who appreciate the convenience of handling finances from home. While technology has made banking easier, it has also brought new challenges regarding keeping your personal information and money safe.
Cybersecurity threats constantly evolve, so staying informed about the best ways to protect yourself when using online banking services is essential. If you’ve ever felt a little uneasy about those text messages your bank sends to confirm your identity, you’re not alone—and you might have good reason to worry.
Macquarie Bank, Australia’s fifth-largest lender, has sounded the alarm on the security risks of SMS-based two-factor authentication (2FA), calling the technology outdated and increasingly vulnerable to cybercriminals.
SMS 2FA has been the go-to method for banks to verify customer activity for years. You know the drill: you log in, get a code sent to your phone, and enter it to prove it’s you.
However, according to Olivia McArdle, Macquarie Bank’s head of deposits, this method shows its age and cracks.
‘The days of Australian banks relying solely on SMS to verify customer account activity are numbered,’ McArdle warned.
The problem is that those text messages often don’t provide enough detail to know exactly what you approve. Worse, they can be intercepted or spoofed by scammers, leaving you exposed.
This warning follows a major cyber breach involving five of Australia’s largest super funds.
Hackers used ‘credential stuffing’, where stolen usernames and passwords (often bought on the dark web) were used to break into accounts.
The attack highlighted a worrying truth: many people reuse passwords across multiple sites, and not all institutions have robust multi-factor authentication (MFA).
Xavier O’Halloran, Super Consumer Australia’s chief executive, didn’t mince words: ‘Australians are legally required to put their money into super. Today’s news is chilling when we know super funds aren’t doing enough to protect Australians’ retirement savings.’
‘When something goes wrong, too many people are being left without support, answers, or access to their own money.’
Customers are demanding more security
It’s not just the experts who are concerned. Macquarie Bank says customers themselves are starting to demand better protection.
‘The vulnerabilities are clear and customers, who are seeing the risks themselves, are voting with their feet,’ said McArdle.
So, what’s next? Many banks are now looking at more secure alternatives, such as app-based authentication, biometrics (like fingerprint or facial recognition), and hardware security keys. These methods are harder for scammers to intercept or fake.
While the industry catches up, there are steps you can take right now to protect yourself. Macquarie Bank offers these five tips:
- Check the details: If you receive a 2FA SMS, ensure you know exactly what you approve. If you’re unsure, don’t act—contact your bank directly.
- Beware of impersonation scams: Scammers may pose as your bank and urgently request codes to ‘stop a scam’. Never share your code unless you’re sure of the source.
- Watch out for spoofing: Fraudulent texts may contain links to fake websites. Never click on links in unsolicited messages, and always navigate to your bank’s website directly.
- Pop-up SMS scams: Some scammers use pop-up or flash SMS messages that appear on your lock screen and aren’t saved to your inbox, making them harder to trace. Treat any unexpected pop-up with suspicion.
- Phone porting attacks: Although less common now, scammers can sometimes transfer your phone number to another provider, giving them access to your messages. If your phone suddenly loses service, contact your provider immediately.
The move away from SMS 2FA is part of a broader shift towards stronger, more user-friendly security. App-based authentication, for example, can provide more information about what you approve and is much harder for hackers to intercept.
Biometrics add another layer of protection, using something you are (like your fingerprint) rather than something you know (like a password).
For now, the best thing you can do is stay vigilant. Use unique, strong passwords for every account, enable the highest level of security your bank offers, and never share your codes or personal information with anyone, even if they claim to be from your bank.
Have you ever been targeted by a banking scam, or are you concerned about your bank’s security measures? Are you comfortable with SMS 2FA, or do you want to see more advanced options? Share your experiences and thoughts in the comments below—your story could help others stay safe!
Also read: Millions of Australians left guessing as banks hide savings rate changes
