First, the crooks managed to either infect a legitimate Web site, or setup a fraudulent site to lure victims. Second, they must have presumably managed to sidestep any anti-virus that was installed. Third, bypass one-time-password authentication by making certain that the attacker has commandeered the browser session during a banking transaction. They then fake the statement presented to the consumer online. And, finally, craft transactions so that they avoid detection by the anti-fraud controls the bank may have in place. That sophistication reveals the level of motivation, and skill, banks and consumers are up against.