Wells Fargo looks at multiple factors to authenticate users, including name and password, a token in some cases, and behavior such as the IP address the user comes in from and what he wants to do.
Those innocuous traits led investigators to initially believe the computer access from China using Bob's credentials was unauthorized -- and that some form of malware was sidestepping strong two-factor authentication that included an RSA token key fob under Bob's name.