No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an unsecured wifi spot), pretend to check his statement, and then afterwards claim that his account was compromised to reverse the ACH transaction he himself had initiated.
No need for that at all; all the customer has to do is claim that an ACH withdrawal from their account was unauthorized and the bank will reverse it.