Exactly. The optimum amount of fraud is really zero. But in order to achieve last 0.00001% you may end up screwing up experience for about 99% of your customers by asking them to 10-factor auth and what not.