>> So, what should Citi do? Optimize for security and shut down that feature from their website, or optimize for being able to just wire some money in a rock solid fashion?
In practice what Citi does is neither of these absolute extremes; it just flags transactions over a certain amount (I believe it's generally $5K) and any transactions that the Citi systems deem suspicious. Anything in these categories yields a notification to the account holder, and the transfer has to be confirmed via phone before the funds are released. This is a variation of the "Are you sure you want to do this?" messagebox confirmation in programming.