Sure, there are security measures in place. If someone has a remote access trojan that lets them run arbitrary code on your PC, then the IP address is going to show “your house”.

This sort of event is extremely unlikely, and in most cases reversible, that’s the thing about banks, transactions aren’t really permanent if you can get a court order.

>Hi, this is your bank. Please reply with your account number and passcode to confirm that we are messaging the correct person.

You’d be shocked how many people fall for that and because they’re that “stupid” barely any of them will have 2FA on.

Many users don’t have 2 factor authentication enabled, even for new devices. Sometimes the user is convinced to give an attacker the OTP codes for 2 factor authentication

No one is having their bank accounts hacked. Banks have significant protection against anyone accessing their networks and internals. It’s not happening.

When someone says their account was “hacked”, they really mean they were scammed and unintentionally gave their login info to a malicious 3rd party pretending to be the bank. This is usually called social engineering or phishing. The other option is that they’ve installed malicious software unintentionally on their computer, and that software recorded their username and password and sent it to the malicious 3rd party.