RSA does not help either
Been there seen it. Here is how the login goes.
User name, Password - enter
New screen
your personal pin number and the token number.
Within 10 seconds the keystrokes are sent out to a site. Hackers then use the username, password and pin+token number. They use it before the 60 seconds are up and they are free to do wire transfers.
Antivirus - useless. Custom crafted hack that is not in the dat file. The users got it via email in a chain letter - and yes they were all administrators on the boxes. The damm applications required it.
The site only allowed one user with the same user id to have access at a time. As soon as the bad guys used the login, the user was kicked out. If the bank had required a single login and the pin+token again to do the transfer (allowed on after 60 seconds), they would have been blocked. I see from the article that they are encrypting the output. That makes it a bit harder to track but not impossable. The bank found out when the users called tech support and were reassured that it was working fine and their $150k wire transfer to Russia went through just fine.
Here is one for you guys to play with, When you have a slow connection to a banking site, and you jump to another site while the browser is still building the page, the new site gets the session ID as the browser tries to finish the request for the image that had not displayed from the banking site. Try it, you will see it in the web logs. Have fun, I know it is too tempting to not test.....