No guessing is required. The legitimate bank account owner can simply log in on a different IP with a changed MAC address (say on an insecured wifi spot), pretend to check his statement, and then afterwards claim that his account was comprimised to reverse the ACH transaction he himself had initiated.
Psst. Changing the MAC doesn't help make you more anonymous. Once you go past the first router they can't see your MAC anyway, unless the protocol sends it itself (ie, some consoles/games/etc) and HTTP doesn't do that.