‘Days are limited’: Macquarie Bank makes huge call on two-factor authentication, warns system is not secure

The fifth largest lender in Australia has highlighted the security risk of two-factor authentication models through texts, calling the technology outdated.
According to Macquarie, traditional SMS two-factor authentication (2FA) – which is widely used in Australian banking – relies on insecure technology and often provides limited information.
Macquarie Bank head of deposits Olivia McArdle said the lack of detail in these messages means recipients may not know what they are approving and can’t distinguish whether the action was initiated by the customer or a scammer.

“We think the days of Australian banks relying solely on SMS to verify customer account activity are numbered,” she said.
The warning comes a month after major super funds announced cyber breaches; the funds have yet to make models such as 2FA standard.
In March, hackers were able to gain access to five of the largest super funds in Australia through “credential stuffing”, which involves stolen usernames and passwords that are sold on the dark web.
The attackers exploit the fact that people often repeatedly use the same passwords for different accounts, with security measures such as multi-factor authentication (MFA) helping to slow down these types of cyber attacks.

Super Consumer Australia chief executive Xavier O’Halloran said the breach follows consistent warnings from regulators and consumer advocates around superannuation funds lagging behind on cyber-resilience and fraud protection.
“Australians are legally required to put their money into super. Today’s news is chilling when we know super funds aren’t doing enough to protect Australians’ retirement savings,” Mr O’Halloran said.
“When something goes wrong, too many people are being left without support, answers, or access to their own money.”
Macquarie Bank said Australians are demanding more security than 2FA via a text message.
“The vulnerabilities are clear and customers, who are seeing the risks themselves, are voting with their feet,” Ms McArdle said.

Five tips to watch when using SMS for 2FA
Macquarie says that while more needs to be done, there are a few things Australians can watch out for to stay safe.
1. Check the detail: Due to the limitations of SMS 2FA, Aussies might not know exactly what they are approving and should not take action unless they have full confidence the SMS is from a legitimate source.
2. Impersonation scams: Scammers may impersonate your bank, urgently requesting authorisation codes via SMS to stop a scam, but will actually use these codes to compromise a device.
3. Spoofing: Scammers may trick you into sharing personal or financial details via SMS. These fraudulent messages typically contain links to fake websites that prompt victims to share their sensitive banking data, with Australians urged not to click on links in a text.
4. Pop-up SMS: Scammers can deliver a pop-up or flash SMS to your phone. These appear directly on your lock screen and are not saved to your inbox to prevent them from being reported or traced.
5. Phone porting: Although this scam has reduced in prevalence, scammers can in some instances illegally transfer your phone number to another telecommunications provider without your consent. This enables them to receive all your messages and use this access to compromise your account.