My old credit union required your password to be exactly six (6) characters with one upper case and one special character. They then added in "2FA" over phone or SMS. One day I clicked the "forgot password" link and was able to reset my password using only SMS, bypassing the password part entirely. Not even a verification email.
Could you actually transit money from online banking?
I've found this to rarely be the case, and when it is, there are additional verification steps / notifications that give you a chance to stop it (if it's a new payee).