Maybe the bank should've used this method to prevent the problem in the first place by just checking that the referer request header was from their domain.
You can spoof referrers; you just need some browser extension (or, if using Python and requests, doing `requests.get(url, headers={'referer': my_referer})`).
The article mentions that unauthorized transactions were indistinguishable from legit ones:
>Also their engineers made it clear that unauthorized transactions like this and later shown below would not be distinguishable from other legitimate transactions.
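
The Referer check discussed in the comments above, as an added example that is not code from the article or from the bank: it parses the header and compares the host exactly rather than by substring. The host name `bank.example` and the function names are assumptions made for illustration; the last sample shows the limit raised in the reply, that a client which sets its own header passes the check.

```python
from urllib.parse import urlsplit

# Hypothetical host name, assumed for this example only.
ALLOWED_HOSTS = {"bank.example"}


def source_host(headers):
    """Return the host named by Origin, else Referer; None if absent or unusable."""
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = lowered.get(name)
        if not value:
            continue
        try:
            parts = urlsplit(value)
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            return None
        if parts.scheme != "https" or not parts.hostname:
            return None  # covers "Origin: null" and non-HTTPS sources
        return parts.hostname.lower()
    return None


def allow_state_change(headers, allowed_hosts=ALLOWED_HOSTS):
    """Accept a state-changing request only on an exact host match."""
    host = source_host(headers)
    return host is not None and host in allowed_hosts


# Constructed sample requests (not taken from the article).
SAMPLES = [
    ("same-site form post", {"Referer": "https://bank.example/transfer"}),
    ("look-alike host", {"Referer": "https://bank.example.evil.test/x"}),
    ("userinfo trick", {"Referer": "https://bank.example@evil.test/"}),
    ("allowed name only in query", {"Referer": "https://evil.test/?u=https://bank.example/"}),
    ("header stripped", {}),
    ("opaque origin", {"Origin": "null"}),
    # A non-browser client chooses its own headers, so this is accepted:
    # the check constrains cross-site browser requests, nothing more.
    ("script-supplied header", {"referer": "https://bank.example/"}),
]

if __name__ == "__main__":
    for label, headers in SAMPLES:
        print(f"{label:28} -> {allow_state_change(headers)}")
```
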