Outside of the US, the banks do tell the criminals - otherwise the banks would be the hook. This is the fundamental difference between the US and the RoW: in the US, fraudulent withdrawals are the depositors problem[1] which banks don't expend too much effort into, elsewhere, it's the banks' problem, consequently banks go the extra mile to prevent fraudulent withdrawals, and when it does happen, are quick to make the depositor whole.
1. This and "identity theft" are emblematic of a mostly American tendency to pass the buck (and losses) to the least powerful and least informed entity (the depositor) for fraud committed against financial institutions using depositor's information.
I think they already know, because their efforts are mostly focused on trying to get that authorization. But whether you know about it or not, no authorization means you can't access the money. Requiring explicit authorization is key to security, and I'm extremely wary of payment systems that don't require it, like credit cards.
I suppose someone should tell the criminals.
> there's a limit (which I can change) to how much can be transferred per day.
I expect many banks/cards have this ability as well. People just don't use it.
Hell, I have a virtual card I frequently use on websites that has a $50 limit per day. I'm sure most other companies have something similar available.