Why SMS authentication is exposing mortgage lenders to avoidable risk

Thu, 2nd Jul 2026
Geoff Schomburgk, Vice President for Asia Pacific & Japan, Yubico

Australia's mortgage lending sector sits on a vast repository of sensitive financial and customer identity data. From payslips and tax returns to bank statements and identification documents, brokers are custodians of the information cyber criminals value most. Yet many mortgage brokers still rely on usernames and passwords, or, at best, SMS-based multi-factor authentication (MFA), as their frontline security controls. A recent data breach highlights exactly why this approach is flawed.

The widely reported cyberattack on Australian fintech YouX in February of this year is a timely reminder that attackers do not always break in using sophisticated methods. Increasingly, they are simply logging in using compromised credentials. Whether through phishing, credential stuffing or social engineering, once an attacker can intercept a one-time SMS code, they can gain access to systems that hold highly sensitive customer data. 

Why mortgage brokers are a prime target

Mortgage brokers present a uniquely attractive target for attackers because they sit at the intersection of financial services, property transactions and personal identity. This creates a high-value concentration of sensitive data that can be readily monetised, whether through identity theft, mortgage fraud or other financial crimes.

In early March, the Commonwealth Bank announced that it had identified up to A$1 billion in home loans that may have been fraudulently secured, including cases involving AI-generated documentation. The bank has reported itself to the Australian Federal Police, and the corporate regulator, the Australian Prudential Regulation Authority (APRA), is now investigating.

Limited security resources for mortgage brokers

Exacerbating this issue is that many broking firms are small to mid-sized businesses without dedicated security resources. They rely on a mix of third-party platforms, aggregators and legacy systems. This fragmented environment often leads to inconsistent security practices, increasing the likelihood of vulnerability gaps that attackers can exploit.

Compounding this risk is the high level of trust brokers hold with their clients. Communications from a broker are rarely questioned, making phishing campaigns significantly more effective.

The YouX breach reinforces a broader shift in the threat landscape. Attackers no longer need to breach infrastructure if they can compromise identities, which have become the primary attack surface across the financial services ecosystem.

The problem with SMS authentication

SMS-based authentication was introduced in the early 2000s as a step up from passwords and, at the time, represented a meaningful improvement. Today it has become a weak link, for several proven reasons:

  1. SMS is inherently vulnerable to phishing - Attackers can trick users into entering both their password and their one-time code into a fake login page in real time. Since the code is valid for a short window, the attacker can immediately use it to access the broker's systems and the login appears entirely valid.

  2. SMS is vulnerable to SIM-swap attacks - Criminals can convince or coerce telecommunications providers into transferring a victim's phone number to a new SIM card. Once this occurs, all authentication codes are delivered directly to the attacker.

  3. SMS messages can be intercepted or redirected - This can be done either through malware on the handset or through weaknesses in telecommunications processes. While less common, these attacks are well within the capabilities of cybercrime gangs.

The result is clear: SMS does not provide strong assurance of user identity. It verifies possession of a phone number, not the legitimacy of the person behind it. For mortgage brokers handling high-value transactions and sensitive financial data, this distinction matters.

The shift to phishing-resistant authentication

To address these risks, the industry must move beyond legacy authentication methods like SMS, which can be intercepted, replayed, or socially engineered, and instead adopt phishing-resistant approaches, such as passkeys or hardware security keys.

Passkeys, built on FIDO standards, replace passwords with cryptographic key pairs that are securely stored on a user's device. During login, authentication relies on public-key cryptography combined with device-based verification, such as biometrics or a PIN, removing the need for any shared secret that could be phished or reused.

Hardware security keys, such as YubiKeys, extend this model further by storing credentials on a dedicated physical device. Authentication requires the physical presence of the key, while the cryptographic exchange is tightly bound to the legitimate website or application. As a result, even if a user is redirected to a phishing site, authentication will fail because the domain does not match the expected one.

In both cases, the attack vectors that undermine SMS-based authentication are effectively eliminated. There are no one-time codes to intercept, no credentials to replay and no dependence on mobile networks that can be manipulated through social engineering. This is what phishing-resistant authentication looks like in practice.

Aligning with evolving expectations

Regulatory expectations and industry frameworks are also moving in this direction. In Australia, the Essential Eight, published by the Australian Signals Directorate, outlines a clear path towards stronger identity controls, with phishing-resistant MFA forming part of its higher maturity levels.

Data breaches carry not only financial consequences but also reputational damage that can be difficult to recover from in a trust-driven industry. 

Actions for mortgage lenders

The shift to phishing-resistant authentication is no longer optional for the mortgage industry. Passkeys are now widely supported and often simpler to use than passwords and SMS codes, while hardware security keys provide stronger protection for high-risk access. Together, they align security with usability by removing reliance on human behaviour, the most common point of failure.

For mortgage lenders, the question is no longer whether SMS authentication is flawed, but how long it can remain in use. As attackers increasingly target identities, legacy controls are proving wholly inadequate. And brokers that act now will be better placed to protect client data, maintain trust and meet rising expectations. Those who delay are accepting a level of risk that is no longer justified.