by tptacek 5486 days ago
All major banks have systems whose job is to have a notion of normal and abnormal transactions. Any bank operating at the level of the majors should be able to pick out the $100k electronic funds transfer, which is probably the only customer-not-present paperless ACH transaction of that size in the history of the relationship for a regional construction firm, and require callback authorization for it. That's all they had to do.

The point isn't that the bank should be universally responsible for fraud. It's that the responsibility for fraud does not end exactly at the login prompt.

1 comments

Agreed, and this is something that you can't say you are aware of, because banks do not communicate about internal security measure checks. As an example: I paid 1c on my own website via PayPal while doing a payment integration test, and the transaction was blocked. I received a text message that told me to call the bank to authorize the payment. I asked if it would block again for another test, but they have instructions not to answer those kinds of questions, and I'm glad they did ;)