Actually, this is where the Barclay's system works and the HSBC system doesn't
With the HSBC system, the device gives you a completely random number that you type in to yet another box during login - at EVERY login.
But the Barclay's system means that the device generates a number based on a sequence you also repeat on the website (account number, etc.). So, unlike the HSBC method, the MitB attack would need to somehow trick you in to entering an account number and amount that you otherwise wouldn't. Plus, this is only for new recipients, so users should notice if this happens at an unusual moment.
The weakest link in this approach is obviously still the user understanding what the device they have is for, but the HSBC system is definitely far from secure (and bloody annoying).
Lloyds/HBOS provide a unique code (again, only on new recipients or large transfer amounts) on screen that you must then enter in to your phone when the automated system calls you. I can see how a MitB attack could trick someone to do that, but the user would have to ignore the voice reading out the account number and transfer amount.