If you’ve ever felt a little more secure knowing your bank sends you a text message to confirm your identity, you’re not alone.

For years, SMS-based two-factor authentication (2FA) has been the gold standard for keeping our hard-earned savings safe from prying eyes.

But now, one of Australia’s biggest banks is sounding the alarm: those reassuring text messages might not be as secure as we think.

Macquarie Bank, Australia’s fifth-largest lender, has made a bold call, warning that the days of relying on SMS 2FA are numbered.

According to Olivia McArdle, Macquarie’s head of deposits, the technology is too outdated to keep up with the increasingly sophisticated tactics of cybercriminals.

SMS-based two-factor authentication was deemed outdated and insecure by a major bank. Credit: golubovy / iStock

‘We think the days of Australian banks relying solely on SMS to verify customer account activity are numbered,’ McArdle said.

The main issue? Those brief, often cryptic text messages don’t provide enough detail for customers to know exactly what they’re approving.

That means you could be giving the green light to a scammer without even realising it.

The warning from Macquarie comes hot on the heels of a series of cyber breaches at some of Australia’s largest superannuation funds.

In March, hackers managed to infiltrate five major super funds using a technique called ‘credential stuffing’—where stolen usernames and passwords, often bought on the dark web, are used to break into accounts.

The problem is made worse by the fact that many people reuse the same passwords across multiple accounts.

While multi-factor authentication (MFA) can help slow down these attacks, SMS-based 2FA is proving to be a weak link in the chain.

Xavier O’Halloran, CEO of Super Consumer Australia, didn’t mince words:

‘Australians are legally required to put their money into super. Today’s news is chilling when we know super funds aren’t doing enough to protect Australians’ retirement savings.

When something goes wrong, too many people are being left without support, answers, or access to their own money.’

Cybercriminals are finding new ways to bypass SMS-based two-factor authentication (2FA), making it less reliable than it once was.

Tactics include impersonation scams where victims are tricked into handing over codes, spoofed messages that appear to come from legitimate sources, pop-up SMS alerts that vanish without a trace, and even phone porting to hijack numbers.

These methods allow scammers to intercept or manipulate 2FA messages, giving them access to sensitive accounts.

To stay protected, experts advise taking proactive steps.

Avoid sharing codes or clicking links in messages, even if they seem urgent.

Use strong, unique passwords for each account and consider app-based authentication instead of SMS.

Always verify suspicious activity by contacting your bank directly, and routinely monitor your financial accounts for unauthorised transactions.

Macquarie’s warning is a wake-up call for the entire industry. As cyber threats evolve, so too must our defences.

Many banks are already moving towards more secure forms of authentication, such as biometrics (fingerprint or facial recognition) and app-based verification.

But until these measures become standard, it’s up to all of us to stay vigilant. Remember, scammers are counting on us to let our guard down—so let’s not give them the satisfaction!

Key Takeaways

• Macquarie Bank has warned that SMS-based two-factor authentication (2FA) is outdated and not secure enough to protect customers’ banking and superannuation accounts.
• Banks and super funds are being urged to upgrade their cyber protection measures, as recent breaches have exposed weaknesses in current security practices like SMS 2FA.
• Scammers are increasingly using tactics such as impersonation, spoofing, flash SMS, and phone porting to bypass SMS 2FA and trick Aussies into sharing personal details.
• Aussies are advised not to trust or act on suspicious SMS messages, to double-check details before approving any actions, and to avoid clicking on links in text messages.

Have you ever received a suspicious text from your bank or been targeted by a scam? Do you feel confident in your bank’s security measures? Share your experiences and tips in the comments below.

 

[Zemo]

THAT'S IT! Now the financial institutions will introduce 8-factor authentication -- that'll fix 'em ...
Meanwhile, the poor bar steward trying to find out what the message is all about can settle down and read a chapter or three of War and Peace while he's waiting.

 

[Veggiepatch]

All of my identification verifications and similar interactions with financial institutions are conducted IN-BRANCH.

NO EXCEPTIONS!!

What did everybody do 25 years ago?

HAVE AN IN-BRANCH FACE TO FACE MEETING WITH A REAL HUMAN BEING!

Anybody who conducts financial business of any kind by digital or similar means, is a goose. Don't make the excuse that the nearest branch is 50 kilometres away and too far to drive. It could well save you thousands of dollars!

 

[Sherril54]

The perils of on line transactions once again highlighted, and yet these transactions are being forced on customers. Any breach of saftey would be considered collateral damage. Let`s face it Banks, Business or any financial insitutions could not care about their customers, So how do you fight back??

 

[KatKop]

All of my identification verifications and similar interactions with financial institutions are conducted IN-BRANCH.

NO EXCEPTIONS!!

What did everybody do 25 years ago?

HAVE AN IN-BRANCH FACE TO FACE MEETING WITH A REAL HUMAN BEING!

Anybody who conducts financial business of any kind by digital or similar means, is a goose. Don't make the excuse that the nearest branch is 50 kilometres away and too far to drive. It could well save you thousands of dollars!

Well, that's all good if your bank is at all available, even if a 100km away, but some of us enjoy travelling—locally and overseas. How do you suggest we handle verifications in those situations?

 

[Wayneo]

I’m obviously a goose we bank with ING they have no ATMs no branches just a head office in Sydney.

 

[Vio Kot]

So we are forced to interact digitally with our bank and business dealings and no matter how secure we try to make things we still get shot in the foot with no responsibility from those forcing this on us.

 

[Toni Wrinkles]

personally I don't think fingerprint or face recognition will be much better thanks to AI technology, what if your fingerprints don't work, and AI can recreate your face etc now ........in the wrong hands the world is in trouble and I mean the battlers of this world.

 

[Leenie]

All of my identification verifications and similar interactions with financial institutions are conducted IN-BRANCH.

NO EXCEPTIONS!!

What did everybody do 25 years ago?

HAVE AN IN-BRANCH FACE TO FACE MEETING WITH A REAL HUMAN BEING!

Anybody who conducts financial business of any kind by digital or similar means, is a goose. Don't make the excuse that the nearest branch is 50 kilometres away and too far to drive. It could well save you thousands of dollars!

I still go into my bank, no way will I do otherwise,money is too hard to get without some one thinking they can help themselves.

 

[Veggiepatch]

I’m obviously a goose we bank with ING they have no ATMs no branches just a head office in Sydney.

Change banks.

You are dealing with an Australian subsidiary of a Dutch owned multinational financial institution.

 

[Veggiepatch]

Well, that's all good if your bank is at all available, even if a 100km away, but some of us enjoy travelling—locally and overseas. How do you suggest we handle verifications in those situations?

If you enjoy travelling overseas, evidently, a 100 km drive is a "spit in the ocean"

 

[7777]

Cybercrime is possible because peoples money is held in banks via technology.
This is only a suggestion. Close all electronic ATMs and on line banking.
What if for the sake of saving guarding our money, we step back in time, and walk to the bank and deposit our money, that would be safely kept in the banks safes. If you required money, you just go to the bank, and withdraw the sum requested. For larger sums, a cheque could be written for the requested sum. We would be going back in time, but it would stop cybercriminals in their footsteps.
We are such an advanced society, why can no one find a way to stop these cybercriminals.The government can see that cybercriminals are helping themselves to our money, and yet there are no signs that the government is doing anything to stop cyber crime.
And so we have two alternatives, manually deposit and withdraw money in person at a bank and keep out money safe from cybercriminals, or continue electronically depositing and withdrawing your money, leaving the doors open to cybercriminals to help themselves to your hard earned cash. Obviously with the choice of the first alternative, we would need a compassionate, caring, kind, generous, selfless prime minister who would agree to this way of safeguarding our money.

 

[Sherril54]

In our current world money talks, no doubt about it. The banks and financial world would have to take a long hard look at their customers wellbeing and wishes if they were cleaned out. I mean withdrawing your money and putting it somewhere that suits your needs. I`m with Newcastle Permanent so far there has been no pressure to bank online. It is available but not a requirement. Why don`t you start poking around, you may find something else that suits you.