A lot of banks still don t employ two-factor authentication for making transactions. The solution to this huge problem is actually quite simple. Make the receiving bank account number a part of the authentication process. Either send along the number with the SMS or use it as an (additional) challenge when using a token. The user knows where the money is supposed to go. It s a silly excuse and does not take away that this is the only real solution. Static responses passwords should have been abandoned no later than 2007.
Source: https://threatpost.com/heres-how-fix-online-banking-fraud-022510/73592/