What Australian Banks Allow You to Login and Make Credit Card Purchases While Unable to Receive SMS

Ever gone overseas? Unable to roam with your mobile phone? But you've got access to WiFi and Internet.

Does your bank still allow you to log into your Internet banking?

What if you try to make a credit card purchase, does it still try and SMS your unreachable number, thereby prohibiting you from using your card while overseas?

I've got the strong feeling many Australian banks have a complete blind spot when it comes to security and practicality. Holding customers' accounts to hostage until they are back on Australian soil is hardly respectful.

There are many practical forms of 2 factor authentication that do not require you to be physically present in Australia in range of a mobile phone tower. Any bank that doesn't understand this is hardly trustworthy to hold actual money.

So let's talk about which banks in Australia aren't completely and utterly stupid and incompetent.

Comments

  • +3

    I was under the impression 2fa for card transactions is set by the merchant, they pay an additional fee for this to reduce charge back rights , and can be either sms or email.

    • +1

      BankWest require a mobile number, an Australian mobile number only, to perform credit card transactions online. No mobile number, no authentication. No Australian number, no authentication.

      So if 2FA via e-mail is available for credit card transactions I would really love to know which banks support this.

      • +11

        You call Bankwest and ask them to switch off the 2FA for the period you are travelling.
        I’ve done it for years, most recently in June

          • +3

            @[Deactivated]: I've got a Bankwest Mastercard world credit card and I've made $10K+ purchases whilst overseas with 2FA turned off without any issue. I've had the card with Bankwest for (I think) 10 or so years and travelled 20-30 times overseas without an issue.

            • @gyrex: I'm with bankwest and have never had it requested, or required, both domestically and internationally. I'd have cancelled the card if that was a requirement

              • +1

                @RMBC: If you're travelling to countries which don't have roaming arrangements established or if you're travelling internationally into areas with little to no mobile coverage, turning off 2FA is essential. I travel a lot and it's safer to turn it off when overseas.

                • @gyrex: Just saying it's never been required of me, and I've never turned it on, or off, in all my international travel or use of the card. It's the card I use everywhere overseas, and haven't ever needed to verify transactions outside of Australia

                  • @RMBC: You made online transactions while oseas or just used the card at shops? I've had BW card oseas too but on occasion it'll ask for 2fa if say buying some online airfare or train pass etc unless you have specifically asked to turn off. Once I forgot and had to call them while oseas to turn off as I couldn't purchase some tourist attraction online

                    • @gimme: Both, and never been asked for 2fa

                      I've had the card for nearly 15 years, so perhaps it's grandfathered somewhere, but never been asked for 2fa or other approvals

                      I have had phone calls at times for some transactions, but that hasn't happened for some time

                      • @RMBC: Oh I still get 2FA for SMS only when buying online while in Australia. Maybe your card is exempt?

                        • @bobwokeup: Could well be, I don't get it for any transactions, whether online, instore, in Australia, or overseas

            • @gyrex: Do you rely on their travel insurance or take on a separate one?

      • +2

        Isn't there an option to inform them if you're going overseas? That generally allows you to use it without 2FA…

        • -1

          3D Secure with BankWest has always failed in my experience if it doesn't have a phone number to SMS. It just throws an error saying "Please call BankWest customer service" - but when you call them they have no record you tried to make a transaction.

          What a bank should do and what a bank actually does seems to be two very different things.

          Hence the need for a post asking, specifically, have you experienced your bank doing the right thing in the absense of SMS availability?

          • +3

            @[Deactivated]: No, I mean, have you used the self-service option for "Going Overseas"?
            There are fields that ask which country you are going, as well as give you the option to enter a contact email, as well as overseas SMS…

            • -2

              @jatyap: I already know BankWest are unable to process a 3D Secure authentication check for a credit card transaction online if they are not supplied with a mobile phone number.

              They incorrectly inform the credit card holder to contact customer services even though customer services have no idea that a transaction attempt was made.

              What difference would it make to inform them I'm "going overseas" if they have proved, time and time again, they are unwilling to enable credit card transactions without SMS support?

              • +3

                @[Deactivated]: I don't know what country you are in, or why you wouldn't be willing to give that a try.

                But, just my personal experience, I have used that multiple times in the past and all of my credit card transactions overseas have gone through alright.
                I also have several friends who have used it in the past without any problems.

          • +1
      • +1

        I have two Bankwest cards and they have never done a verification. I've used the platinum in Thailand and China without issue, I did register that I was travelling for the periods.
        It must be something which can deactivate on a per about basis so call them if it's a problem.

  • +41

    Have you ever tried telling your bank you're travelling?

    • +2

      Tried that with ANZ, it didn't work I still needed to receive sms internationally.

    • +1

      With BW, just telling them you're travelling through the self service portal doesn't work. You have to msg or call thrm and ask to turn it off and accept some T&Cs. Once you've done that it 100% works with no issues. Done it at least 10 times

  • Because they want to make it harder for fraud and identify theft.

    Increased convenience for the user can also mean increased convenience unauthorised transactions.

    Maybe go with a bank that doesn't compensate you when there have unauthorised transactions.

  • +7

    Macquarie

    • Funny how people reviewing it on the app store have no idea why there is a need for a separate app.

    • Please no with Macquarie.

      I went overseas for an extended period of time and tried to get my mobile number changed and it took 5+ occasions on the phone the first time, including asking them on FB/Twitter. They kept saying it'd be changed, never was, had to keep calling. Even when the phone number was changed in order to log into the app, for online transactions requiring SMS verification it was still asking for SMS verification from my Australian number and each time it would lock my card, sometimes even on the weekend and their "security team" isn't available until Monday morning so I was cashless for a day or two.

      Next country it took 5+ tries and I just gave up.

    • I was just overseas and got cash out with Macquarie, no text required

    • +5

      Macquarie uses Authenticcator

  • +18

    Commonwealth bank say they require an sms, but if you have the app the code comes over that as well

    • +2

      This. The 2FA code from CBA was generated from the app first, and they have option for re-try via SMS.

    • -1

      This. Same with Bank Australia. Just need to remember to set this up before leaving and you won't have issues.

  • +2

    What is the point of your post?

  • +1

    There are very few Australian mobile carriers who refuse to adhere to the convention of ensuring that SMS get correctly routed to overseas carriers free of charge when you're abroad. I haven't personally had any issues with SMS from banks, mygov, etc during my travels.

    Whilst there are alternatives, SMS remains the simplest, lowest-common denominator for 2FA that all but the most technically illiterate can handle. Plus there are still folk running around with dumb and/or feature phones that can't run iOS or Android apps.

    If you're determined to not use SMS, as mentioned previously you may wanna consider using one of the banks like CBA that route their 2FA over push notifications for customers that use the mobile app.

    • Who uses an Australian number overseas and pays international rates. First thing you do is buy a Sim in the country you arrive in. That's why you never receive the bank SMS, because the Australia Sim is in your bag…..

      • +9

        Yeah, a lot of folk do it like that, but that actually makes things a lot harder than it needs to be.

        Turn off data on your phone, disable roaming, and leave your aussie SIM in your phone. If you're not with one of the small number of re-sellers that deliberately block international SMS forwarding, your SMS will find you in almost anywhere in the world for free.

        In my case I have a dual-sim phone so I buy a local sim for outbound calls & data, but have the aussie SIM active for inbound SMS.

        Before I switched to the dual SIM phone, I had a second travel phone for my foreign SIM. In some regards, this works better than a single phone.

      • -1

        Who uses an Australian number overseas and pays international rates.

        You don't need to pay anything to receive SMS while travelling internationally.

        • That's not the issue. The issue is that you would of course have a local SIM for using data, which means you would need to take your Aussie SIM and a SIM tool everywhere you go if you want to be able to make online purchases while out and about.

          • @chillin222: One of my main use cases for a dual sim phone.

  • Thought a gwok would be more evolved than an ewok..

  • +3

    CBA

  • When I travel I hardly book anything so I'm always booking tickets and hotels maybe one day before hand via Skyscanner, booking, Agoda ect.. When overseas I use CBA. The security code comes through via push notification on the CBA app. I also use Westpac as backup but I have to call them before hand and tell them to disable there security pin, sometimes it doesn't work but you can choose email approval

    • Why would you do that? Wont it save money to book beforehand?

      • traveling from state to state or country to country in Asia, booking a couple days before compared to a month before dosent really save you that much, in regards to hotels its pretty much the same price, i find a nice hotel on agoda, turn up and see if they will beat agodas price, most of the time they do ….

  • +4

    Oh, let me tell you about Ing in The Netherlands, that requires you to approve every login to web interface in their app. And when that app stops working, which seemingly happens after every app update in the middle of every month since the beginning of this year, you're completely locked out for weeks. And when you try enter password three times and can't confirm it in app they do lock your account and you need request new password which arrives in paper mail in two letters over 5 days time, one with login and another with temporary password. And when you try change password and getting prompt to approve it in app, which isn't working… yep, locked out again.

    SMS feels sane in comparison to what they have now.

  • If your bank offers a security token in addition to mobile 2fa, you're good to go.

  • +3

    Recently went to Europe and tried to use my amex and 28degrees mastercard. Both require sms authorisation so I ended up having to activate my mobile overseas roaming for the whole duration of my trip. The worst thing is the 28degrees card was rejected so many times in Paris (tried tapping, swiping, inserting the card and they all failed). So embarassing.

    • Which mobile provider are you with? Forcing you to activate roaming so wrong. :(

      I'm always interested to hear which of the carriers mess with the normal international SMS forwarding… this is such a dodgy thing to do for a service that is normally free by international convention.

      • I am with vodafone, switched to them before going in case I need to activate roaming and they have the cheapest daily rate. But the 2fa authentication via sms came from the credit card providers. I didn’t know if we were able to do sms forwarding for 2fas? Perhaps I’ll find out next time we’re travelling again.

    • Strange, we used 28d in Europe and we never had any issues or any 2fas. Also didn't tell 28d we were travelling. I did have an issue with Coles where i logged in to pay off my account and they blocked me as they thought I was hacked.

      • Which country did you go to? It seems like certain old eftpos machine could not read the card?? I didn’t have any issue at all with 28d card in Singapore.

        • France, Belgium, Germany, Czech and Budapest.

          • @MeesusEff: Lucky you! Yeah I can use the card for some merchants in France, some can’t. So strange.

    • Hey, I used my 28deg in Europe without any issues. I did notify them (online) that I would be travelling. Did you do this as well?

      • I did, because they blocked my card the first time I used it for hotel deposit. It seems more of the machine issue? Some merchants were ok, some could not read the card. Even different stores/restaurants in Disneyland Paris can read the card, some can’t. So strange!

    • tried tapping, swiping, inserting

      We're still talking about a credit card, yes? ( ͡° ͜ʖ ͡°)

  • +3

    port your number to a carrier that supports roaming, sms delivery is free. put that sim in a second phone or swap it into your phone when you know you're expecting an sms.

      • +2

        If you’re going to a place like that, use cash. It’s really not that hard.

    • Not always possible to port out. You might have a lot of prepaid credits that you don't want to lose. As an ozbargainer, my family's mobiles are on 365 day prepaid plans, and I wouldn't want to port out and lose $100+ of prepaid credit. Catch mobile, for instance doesn't support roaming.

      • They have enabled roaming since last week which is great news because it was a concern for me.
        I spoke to them today.

  • +4

    Commbank and Westpac allow you to login to your internet banking overseas. Been using both for years overseas. Doesn't trigger any SMS or similar.

    When I use my Commbank or Westpac credit cards overseas they work just the same as in Australia. There are no SMS codes or anything else when I make a credit card purchase. You just tap the card at the shop/restaurant/hotel/etc and it works. If over AU$100 you enter your PIN, just like here. ATM withdrawals work as normal too.

    I normally lock my cards for international use via internet banking when I'm in Australia, just as a precaution, then unlock when I'm going overseas. I also set the countries I am travelling to and the dates in my internet banking so the fraud detectors don't get triggered.

    Never had a single issue with Commbank or Westpac cards overseas, everything works exactly the same as at home. I travel a lot overseas, up to 6 months of the year sometimes. This is to the USA, across Europe, some of the Middle East and across Asia. Been doing that for 25 years without an issue.

    Not quite sure what you're on about re "Holding customers' accounts to hostage until they are back on Australian soil is hardly respectful.". Never heard of such a thing. I had NAB cards in the past too, never had an issue there either.

  • I bank with westpac. When overseas I receive sms token on my Australian number. I am with Lebara. Incoming SMS is free of any international roaming charges. So, when you are expecting any SMS for validating your transactions, make sure the Australian SIM is in a mobile phone and switched on. You should receive the SMS.
    I also have 28 degrees card. The mastercard payment portal sends a sms on the Australian number. If I say in the verification screen that I did not get the sms, it asks me a secondary verification question, which usually is my credit limit.

    I also have Citibank Platinum Debit. This sends tokens on the App. So, a working Australian number is not required. However, I only use is for withdrawing cash in local currency from the ATMs, for which no token numbers are required.

  • I don't have an issue regarding the OP's problem, but I have a related one.

    My phone company has just "improved" the security on its software that lets customers access and change their details and pay their bills, by only making it accessible by logging on through a link they now ONLY send by SMS. Previously you could choose SMS or email, which meant you could access the software on your PC. Now that link is only sent by SMS, meaning you can only get into your own account on your phone. How that's supposed to work if the problem is you lost or damaged your phone or your SIM card, I don't know.

    I need to be able to do it on my PC with its full size screen and keyboard, with accessibility tools only available on my PC, not on my phone.

    I'm going to have to switch to another phone company. What I'm afraid of is because they've all been told to smarten up their security to stop phone accounts being hijacked, they're going to be doing it.

  • When 28 degrees card was GE they used to have a option to put your date of birth and credit limit instead of sms if phone was unavailable. Unfortunately when changed to latitude they removed this option.

    In my experience it's best to change to a carrier that is has roaming available in that country. Latey have found vodaphone to be ok for my recent travels as Boost still have no service overseas till end of this year.

    I have been using vodaphone prepaid number in Thailand
    With no credit or cost can still recieve txt for free.. just check the country's you wish to travel are covered

    Other option is if your phone allows calls over wifi can get txt that way seems to work well with Telstra and a Apple phone not sure otherwise

  • Get a bank that doesn't use SMS for 2FA. Bendigo Bank is one, but since their password is a set length of 8 characters (no more, no less) then I would not recommend them for good security policies.

    I've got something like 30 accounts in Authy for code generation (including ones that used the stupid Symantec VIP Access app with an alternative) and that means I've still got access to 2FA codes on my mobile/iPad/PC irrespective of an internet connection.

  • +5

    turn on wifi calling, problem solved

    I can get calls and sms while travelling overseas at no extra cost

    • +1

      I thought wifi calling cannot receive sms when you are overseas with no roaming enabled?? Boost for rescale didn't have roaming

      • +1

        Just got back from Malaysia/Singapore with Boost. Nil issues receiving SMS via WiFi. No charge for roaming either way with their prepaid services.

        • Thanks for sharing, that’s who I’m with and we’re planning a trip soon so this is super helpful.

  • +1

    Had this problem. I bank with NAB. You can log in from OS no probs, but if you need to verify anything…you need the Oz mobile number. I set up a Wise card before I went OS and that needs a mobile too…but they also offer to send the 2FA to your whatsapp so that you are able to change your Oz mobile number to your local mobile number while you are away. When I went to change the number back to my Oz number they wanted a selfie of me holding my passport with details visible to prove I was who I say I was. Phone number was switched back within 30 mins.

  • Whilst less of an issue now given new telco 2FA rules (provided telcos do their Job), I agree he is right about sms being used for authentication being dumb, but for different reasons- it is a vulnerability for sim jacking. 2FA is much more secure through the use of an authenticator app.

    https://www.channelfutures.com/security/microsoft-authentica…

  • +2

    I see OPs point. SMS is not secure, and subject to failure.
    The US NIST recognise this and are restricting its use for gov.
    I do wish all the banks would bring on app based MFA.

    Citibank recognise the sheer stupidity of using SMS and do offer app based codes.

  • +1

    It's been a number of years since I travelled or used it, but Citibank used to use an app that generated the code instead of an SMS. Maybe have a look if they still do that?

  • +7

    Several people have already told you the banks that give you 2FA via app (CBA, Citibank) but you seem determined to leave inflammatory replies to comments you disagree with while ignoring those answering you with viable options.

    Do you actually just want an echo chamber to be mad in?

  • -1

    What phone companies don’t allow free receiving of SMS?

    Turn your data off, don’t answer calls. Simple.

  • +1

    Suncorp uses an app for their 2FA.

  • +1

    Yeah this drives me crazy. I’m with NAB and they are so behind the times.

  • +2

    Using SMS as 2FA is very insecure.

    2FA should only be done through push notifications or emails.

    Sim swap hacks are a thing.

    • +1

      Email is also very insecure too though… but I do agree it's better than SMS.

      • Yep Authenticator apps are the safest.

      • Not if to login to your email you need push notification 2FA.

        • A hacker doesn't need to login.

          Email is not a secure communications medium, and an email mailbox is not a secure storage system.

  • I use freeforward app on my spare phone, so every sms forwarded to my main phone. That way i can screen which call or sms is important/ spam. All my fam n friends calls me on my whatsapp

  • Used ING to log in without 2FA. Not sure it's even an option. But we can elect dates and destinations that we're overseas.

  • +1

    I had this issue with ING in Europe. I contacted them they said it was Visa's fault and they couldn't do a thing about it. Infuriating and really curtailed our trip.

  • -2

    Be honest with yourself. Do you truly believe that you're smarter than the risk management professionals in banking?

    • -3

      Much, much, much, much, much smarter.

      It's possible that I'm not - and that the risk management professionals are completely ignored by CTOs that wouldn't know electricity if they stuck their fingers in a socket.

      But the implementation is completely divorced from risk if the only method of 2FA is SMS.

      • +1

        But 2FA sms is NOT the only method… there are multiple ways, all you need to do is to let your bank know that you're travelling overseas lol

        • -4

          Which bank? This thread is specifically asking which bank allows you to make transactions and log in without SMS.

          If you know a specific bank that will enable this if you just tell them you're travelling outside then name it.

          Don't assume all banks provide this service in Australia. The 3D secure implementation by some banks, specifically BankWest, is woefully incomplete. BankWest, if it can't SMS, throw a message on the screen to say call customer service - but when you call them they have no record you attempted to make a credit card transaction. That's a completely dysfunctional implementation of the protocol.

          "lol"

          • +4

            @[Deactivated]: You don't get out much, do you?

          • +7

            @[Deactivated]: Literally your bank - BankWest.

            https://www.bankwest.com.au/help/travel-international/sms-co…

            "You can also set up PIN or fingerprint login within the Bankwest App to make payments and transfers while you’re away without the need for SMS code".

            A simple Google search. Much, much, much, much, much dumber. Humble yourself.

            • -3

              @FareEvader: I see you've never used a BankWest credit card before.

          • +8

            @[Deactivated]:

            Which bank?

            BankWest will do it for you.

            Just gotta ask nicely which I sense may be difficult.

    • When the risk management professionals do not consider a second layer of security, then yes. They do not belong in that position, and are likely part of an older generation who can not understand the risk involved in online banking today.

      I have personally setup security systems for online based services, and can tell you that SMS is NOT secure in the slightest. Many other comments on here clearly demonstrate why.
      2FA using an authentication app which generates new keys to input at login is the best, and simplest, way to implement a higher level of security for customers.

      Banks who are incapable of seeing this need to back their beliefs up with the promise of returning funds to customers whose accounts have been breached.
      I would imagine the banks see returning funds of those who have legitimately been breached as lesser cost, then that of implementing such security features into their system.

Login or Join to leave a comment