
Oof, I guess that's how terrible precedents are formed. The argument of the plaintiff is all wrong - it's not that the bank failed to secure some nebulous "online account", it's that the bank performed an unauthorized transfer by whatever means. Online banking credentials aren't proof of identity, and banks have continually rejected capability security (which in this case would have taken the form of dynamically-generated secrets that enable one transfer up to $X). If they can't afford to eat ~$100k every time their mostly-reversible system gets taken advantage of, they shouldn't default to offering the ability to transfer $100k to the Internet in the first place.

(and clearly bitcoin is the polar opposite, based on capabilities and being irreversible, for now)
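
The dynamically generated, single-use, amount-capped secret the comment above describes, sketched as an added example (it is not part of the original comment and not any bank's API). The class, method, account and payee names are hypothetical, and the sample values are constructed.

```python
import hashlib
import secrets


class TransferCapabilityIssuer:
    """Hypothetical bank-side store of one-shot transfer capabilities."""

    def __init__(self):
        # Only a hash of each secret is kept, so a leak of this table
        # does not hand out usable capabilities.
        self._open = {}  # sha256(secret) -> (account, limit_cents)

    @staticmethod
    def _digest(secret):
        return hashlib.sha256(secret.encode()).hexdigest()

    def issue(self, account, limit_cents):
        """Mint a secret that authorizes ONE transfer of at most limit_cents."""
        secret = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._open[self._digest(secret)] = (account, limit_cents)
        return secret

    def redeem(self, secret, amount_cents, payee):
        """Return (ok, reason). The capability, not a login, is the authority."""
        key = self._digest(secret)
        entry = self._open.get(key)
        if entry is None:
            return (False, "unknown or used")
        account, limit_cents = entry
        if amount_cents <= 0 or amount_cents > limit_cents:
            # Rejected without consuming the capability.
            return (False, "over limit")
        del self._open[key]  # single use: consumed on success
        # A real system would now move amount_cents from account to payee.
        return (True, "transferred")


if __name__ == "__main__":
    bank = TransferCapabilityIssuer()
    cap = bank.issue("acct-constructed-1", 50_000)      # up to $500.00
    print(bank.redeem(cap, 10_000_000, "payee-x"))      # $100k attempt fails
    print(bank.redeem(cap, 40_000, "payee-x"))          # within the cap
    print(bank.redeem(cap, 1_000, "payee-x"))           # replay fails
```

A stolen capability is worth at most its cap and only once, which is the contrast with a reusable online banking credential.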


