SMS Authentication Is Failing Australian Mortgage Brokers
Australian mortgage brokers hold sensitive loan data but still rely on SMS MFA. The YouX breach and CBA’s $1B fraud case show why SMS is the wrong perimeter.
SMS authentication is still the frontline guard on Australian mortgage brokers’ most sensitive borrower files, and the YouX breach disclosed in February has shown exactly what happens when that guard fails. The hack exposed the personal and financial data of 444,538 unique borrowers and more than 8,000 broker employee password hashes, and a separate $1 billion in suspected fraudulent home loans is now under investigation at Commonwealth Bank of Australia. Both stories point to the same working assumption: the attacker already had, or was able to acquire, valid credentials, and SMS one-time codes did not stop them. Across the Australian financial services sector, the primary attack surface has shifted from infrastructure to identity, and SMS-based multi-factor authentication now sits on the wrong side of that line.
The Broker Data Problem
Mortgage brokers sit at the intersection of three things attackers value: financial services, property transactions and personal identity. A single loan file can carry a borrower’s income, debts, government-issued ID, employer details and the broker’s own client roster. Concentrated in firms that are often small to mid-sized businesses without dedicated security staff, that cache is both deep and lightly defended.
Communications from a broker are rarely questioned by clients, which makes phishing unusually productive in this channel. The same trust that closes a loan also opens a credential-harvesting page. Smaller brokers lean on a mix of third-party platforms, aggregators and legacy systems, and the inconsistency between them creates exactly the kind of vulnerability gaps attackers prefer, a pattern already visible in how banks are responding to AI-driven deepfake fraud across the broader sector.

What 444,000 Borrowers Looked Like at YouX
Australian fintech youX confirmed in a 17 February 2026 update to its disclosure statement that it had “identified that personal information may have been compromised,” and a threat actor had already begun releasing a sample of the data. The hacker claims the dataset, exfiltrated from a MongoDB Atlas cluster, ran to 141 gigabytes and reached across more than 90 downstream lenders. Cybersecurity researcher Jeremiah Fowler had first identified the unsecured instance in March 2025 and reported it to youX; the threat actor said the database was “still easily accessible 10 months later.”
| YouX breach record | Number |
|---|---|
| Unique borrowers affected | 444,538 |
| Loan applications exposed | 629,597 |
| Australian driver’s licences copied | 229,236 |
| Residential addresses | 607,822 |
| Broker organisations with data exposed | 797 |
A breach tally now sits in the public domain, and the components are the parts a fraudster would hand-pick first. The single number that ties this breach back to the SMS-authentication problem is the batch of more than 8,000 password hashes belonging to broker employees, since those credentials paired with a one-time SMS code give an attacker a clean login to a broker’s loan origination system. The remaining fields in the same dataset give the attacker everything they need once they are inside.
The figures in the table above are the ones the threat actor published, and youX has not yet independently verified them. They came out of the same unsecured MongoDB Atlas cluster.
How a $1 Billion Fraud Case Fits the Pattern
On 27 February 2026, Commonwealth Bank of Australia reported itself to the police and the corporate regulator over fears that about $1 billion in home loans were obtained fraudulently. The bank’s own review flagged doctored applications, including documents created with artificial intelligence, as well as suspect deposits and shell companies. The AFR reported that if every suspect loan is confirmed as improperly obtained, it would be the largest fraud against an Australian bank.
CBA’s case and the YouX breach are not the same incident, and the bank has not said the two are linked. They share a working assumption: the attacker already had, or was able to acquire, valid broker or customer credentials, and the rest of the fraud became a paperwork problem. Loan files drafted on the back of stolen identities, with payslips synthesised from real names and addresses, are precisely what a 444,538-borrower dataset enables.
Why SMS MFA No Longer Holds
SMS-based authentication was a meaningful step forward when it arrived in the early 2000s. Twenty years on, attackers have built reliable ways around it, and three are worth naming. The same inbound one-time code that brokers treat as a final checkpoint is also the one criminals most reliably intercept.
Real-time phishing comes first. A fake login page can ask for both the password and the one-time code at the same moment the genuine site does, and forward the pair upstream before the code expires. The login looks entirely legitimate because, to the broker system, it is. SIM swap is the second vector, and the data behind it has moved faster than the controls designed to catch it.
- Cifas 2025 Fraudscape: SIM swap incidents in the UK rose 1,055% in 2024.
- Cifas 2025 Fraudscape: UK SIM swap cases went from 289 to nearly 3,000 in 2024.
- Cifas 2025 Fraudscape: estimated SIM swap losses exceeded £5.35 million in 2024.
- US arbitration, March 2025: $33 million award after a SIM swap drained a crypto account.
- Catch rate: fewer than 1 in 200 SIM swap attempts are currently flagged as fraudulent before the number is moved.
The third path is interception through malware on the device or weaknesses in telecommunications signalling. It is rarer than the first two, but well within the capability of organised cybercrime groups, and the consequence for the broker is identical to the more common paths.
“The latest figures show a tenfold rise in SIM swap fraud cases over the past year. This uptick signals that attackers are exploiting the fundamental insecurity of SMS-based second factors.” That assessment came from Shaun Cooney, Chief Product and Technology Officer at Promon, in published commentary on the Cifas data.
What Phishing-Resistant Authentication Actually Looks Like
Two approaches have moved from niche to mainstream over the last three years, and both are explicitly designed to remove the failure modes that hit SMS. Each replaces the shared secret that phishing kits target with a cryptographic exchange that cannot be replayed or proxied. Industry bodies and vendors have now documented both approaches in enough detail that brokers and lenders can compare them against their own login flows. The two forms in widespread use are passkeys and hardware security keys.
- Passkeys built on FIDO2/WebAuthn store a cryptographic key pair on the user’s device, and verification runs through public-key cryptography plus a local unlock such as biometrics or a device PIN. See how FIDO2 passkeys replace passwords without a shared secret in the FIDO Alliance’s public reference.
- Hardware security keys such as YubiKeys move the credential onto a dedicated physical device, so authentication requires the key to be present and the cryptographic exchange is bound to the legitimate site’s domain. See how YubiKeys use FIDO2 to block phishing at the domain level in the vendor’s own documentation.
Both approaches also remove the dependence on mobile networks that makes SMS-based controls brittle. Passkeys in particular are now supported across the major browsers and operating systems, and in most cases they are faster to use than typing a six-digit code. For brokers and lenders still running SMS, the move to either form is the largest single reduction in account-takeover risk available this year.
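To make concrete why a FIDO2/WebAuthn login cannot be proxied the way the real-time phishing flow above proxies a password and SMS code, here is an added example (not code from the article, the FIDO Alliance or any vendor) of the relying-party checks a broker portal would run on an assertion before verifying its signature. The relying-party ID, origins and challenge are constructed values; the key point is that the browser writes the page's origin into clientDataJSON and the authenticator binds the relying-party ID into authenticatorData, so an assertion collected on a lookalike domain is rejected even when the challenge is fresh.

```python
import base64
import hashlib
import json
import struct

# Constructed sample values (not from the article).
RP_ID = "broker-portal.example"
GENUINE_ORIGIN = "https://broker-portal.example"
PHISHING_ORIGIN = "https://broker-portal.example.login-verify.test"
CHALLENGE = base64.urlsafe_b64encode(b"\x01" * 32).rstrip(b"=").decode()

UP_FLAG = 0x01  # user present (touch / tap)
UV_FLAG = 0x04  # user verified (biometric or device PIN)


def make_client_data(origin, challenge):
    """clientDataJSON as the browser builds it: the origin is filled in by the
    browser from the page calling navigator.credentials.get(), not by the page."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()


def make_authenticator_data(rp_id, flags, sign_count):
    """authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    A browser only lets a page use an rp_id that is a registrable suffix of its
    origin, which is why a phishing host cannot obtain data for the real RP_ID."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


def verify_assertion(client_data_json, authenticator_data, expected_challenge,
                     expected_origin, expected_rp_id, require_uv=True):
    """Relying-party checks from the WebAuthn assertion procedure that precede
    the signature check. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != expected_challenge:
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != expected_origin:
        return False, "origin mismatch: assertion was made for %r" % cd.get("origin")
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    flags = authenticator_data[32]
    if not flags & UP_FLAG:
        return False, "user presence not asserted"
    if require_uv and not flags & UV_FLAG:
        return False, "user verification (biometric/PIN) not asserted"
    # Next step (not shown): verify the signature over this data with the stored public key.
    signed_data = authenticator_data + hashlib.sha256(client_data_json).digest()
    return True, "ok: %d bytes ready for signature verification" % len(signed_data)
```

A password plus SMS code carries no equivalent of the origin or rpIdHash fields, which is why the same proxy that defeats SMS gets nothing usable from a passkey login.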
The Australian mortgage industry’s experience with the YouX breach shows what those reductions look like in practice, since the attacker already had everything a successful SMS-based login would have asked for. Replacing SMS with phishing-resistant MFA on broker and customer logins closes the path the YouX threat actor already walked. For lenders still treating one-time SMS codes as a security control, the shift is no longer a roadmap item; it is the floor. CBA’s separate referral to police is the second piece of evidence that the same identity-first attack model is now reaching loan origination.
Where Australia’s Essential Eight Now Lands
Australia’s cyber regulator has been moving the same direction for some time. The November 2023 Essential Eight maturity model changes introduced a requirement for phishing-resistant multi-factor authentication at Maturity Level Two, with FIDO2/WebAuthn cited as the example standard. The same update added a requirement for phishing-resistant MFA on workstation sign-in, with smart cards, security keys and Windows Hello for Business named as acceptable forms.
For mortgage brokers, the practical reading is straightforward: SMS one-time codes are an artefact of the lower maturity levels, and the regulator has now signalled that anything touching sensitive customer data has to move up. Smaller brokers will not need a separate security team to comply. Passkeys can be rolled out through the same identity providers their loan origination systems already use, often without any custom integration. The capital cost is the hardware key for high-value transactions, not the migration itself.
What Mortgage Lenders Should Change This Quarter
Three actions cover most of the risk for any broker or lender still running SMS as the primary second factor. None of them require a flag-day cutover, and each removes a distinct point of failure.
- Move all broker and staff sign-in to phishing-resistant MFA, starting with systems that hold customer loan files, ID documents and bank statements.
- Switch customer-facing portals to passkeys where the platform supports them, and keep a hardware security key option for high-value transactions such as payout authorisations.
- Audit identity recovery paths, since account recovery is where SMS most often lingers and is also where attackers concentrate after a credential dump.
Each of those changes cuts off one of the paths the YouX attacker has already shown they can walk. The first removes the credential-and-SMS-code combination that the YouX password hashes were clearly aimed at. The second removes the SMS path from the customer side, where the same code-replay techniques apply. The third closes the recovery back door, which is the path attackers most often walk in the days after a credential dump like the one YouX disclosed.
For lenders running their own broker platforms, the audit has a second layer: aggregator integrations and API keys held by partner brokers are also a recovery risk. Most major loan origination systems now support FIDO2 at no additional licensing cost, so the gap is process and rollout, not technology. The migration is also where the Australian Signals Directorate’s Essential Eight Maturity Level Two requirement now lands for any organisation holding customer data.
For lenders still running SMS as the primary second factor on broker or customer logins, the question is no longer whether the control is failing. It is how long the data behind it can stay useful to the people on the other side of the screen.
Frequently Asked Questions
What is phishing-resistant MFA?
Phishing-resistant multi-factor authentication is a form of MFA that cannot be defeated by a real-time phishing site, a SIM swap or a stolen one-time code. The two forms in widespread use are passkeys built on the FIDO2/WebAuthn standard and hardware security keys such as YubiKeys, both of which rely on public-key cryptography rather than a shared secret that can be intercepted.
Why is SMS MFA no longer considered secure?
SMS MFA verifies possession of a phone number, not the identity of the person holding it. SIM swap fraud in the UK rose 1,055% in 2024 according to the Cifas 2025 Fraudscape report, and fewer than 1 in 200 SIM swap attempts are currently flagged as fraudulent before the number is moved. A real-time phishing kit can capture a password and a one-time SMS code at the same moment and replay the pair within seconds.
What happened in the YouX data breach?
Australian fintech youX confirmed in a 17 February 2026 update to its disclosure statement that personal information may have been compromised. The threat actor has since published a sample of the data, which the firm says contains the personal and financial details of 444,538 unique borrowers, 229,236 Australian driver’s licences and more than 8,000 broker employee password hashes.
What is Commonwealth Bank’s $1 billion fraud case?
On 27 February 2026, Commonwealth Bank of Australia reported itself to the police and the corporate regulator over fears that about $1 billion in home loans had been obtained fraudulently. The bank’s own review flagged doctored applications, including AI-generated documents, suspect deposits and shell companies.
What does Australia’s Essential Eight require now?
The November 2023 update to the Essential Eight maturity model, issued by the Australian Signals Directorate, requires phishing-resistant multi-factor authentication at Maturity Level Two for organisational systems, with FIDO2/WebAuthn cited as the example standard. Workstation sign-in must also use phishing-resistant MFA at Maturity Levels Two and Three.
Are passkeys and YubiKeys the same thing?
No. Passkeys are cryptographic credentials typically stored on a phone or laptop and unlocked with biometrics or a device PIN, while YubiKeys are dedicated hardware security keys that store the credential on a physical device which must be plugged in or tapped to authenticate. Both are phishing-resistant and both use the underlying FIDO2 standard.
Disclaimer: This article is for informational purposes only and is not financial, legal or security advice. Authentication decisions involve specific risk, regulatory and cost trade-offs that depend on each organisation’s systems and threat model. Figures cited are accurate as of publication and may have changed since. Consult a qualified cybersecurity professional before making changes to authentication controls.