The first ever case of using a man-in-the-middle attack against an online bank was reported by Brian Krebs of Security Fix on Tuesday.
The security industry has long predicted this type of man-in-the-middle attack; it was only a matter of time. The attack targeted Citibank's Citibusiness service and was designed to spoof the token key hardware device used by the bank's customers. The phishing site checked the logon credentials with the real site before rendering the results to the phishing victim. Enter an invalid password, and you got an invalid logon page. A man-in-the-middle attack checks everything done at the phishing site against the original, so everything should look and feel more genuine.
Exactly the same kind of attacks can be used to target other types of two-factor authentication, including one-time password sheets.