> It's no different from bank login in the end, once someone has it, it can be transferred at will.
Bank login credentials do not confer undisputed ownership of an account. If someone unauthorized gets ahold of them, the bank doesn't throw up its hands and say "welp, nothing we can do now, the account just belongs to the hacker".
At least partly because they're not allowed to do that because there are specific rules about it. If banks could just say "so sad, too bad", they absolutely would. I know someone who had to resort to the financial ombudsman to get their money after a hack because the "bank" (Revolut or Monzo) would not engage with them to even acknowledge anything had happened.
Bank login credentials do not confer undisputed ownership of an account. If someone unauthorized gets ahold of them, the bank doesn't throw up its hands and say "welp, nothing we can do now, the account just belongs to the hacker".