They can't - if you take money of the card using a coffee machine, they don't know how about it unless they log the coffee-transaction, in which case the auther above was bound to get in trouble for getting free coffee.

Just some decent user-viewable logfiles of their logins (hour/date/browser/cookies) would be enough for them to be able to check when someone logged in.

I never understood that online emailsites didn't provide those...