Phishing [and MITM] attacks are not mitigated by two-factor.<p><a href="http://www.digitaltrends.com/social-media/thanks-twitter-but-heres-everything-thats-wrong-with-your-two-factor-authentication-set-up/" rel="nofollow">http://www.digitaltrends.com/social-media/thanks-twitter-but...</a><p><i>"So how can anyone hack Twitter with two-factor authentication in play? The account info you’ve just entered will automatically be entered into the real Twitter.com by the hacker. And seeing as how you’ve had your account info entered into Twitter.com for you, Twitter’s two-factor authentication will ping the victim with the SMS and temporary password as expected, Toopher (a two-factor security service) CEO Josh Alexander explains.<p>At that point, since you’ve received an SMS from Twitter, you’re probably under the assumption that the account recovery process seems legit and would continue to enter in that temp password into the fake Twitter site. Of course once that’s done you’ve lost complete control of your account."</i><p><a href="http://www.theregister.co.uk/2007/04/19/phishing_evades_two-factor_authentication/" rel="nofollow">http://www.theregister.co.uk/2007/04/19/phishing_evades_two-...</a><p><i>"Hackers sent the customers emails falsely claiming to be from ABN Amro. If recipients opened an attachment, software was installed on their machines without their knowledge. When customers visited their banking site, the software redirected them to a hacker-controlled mock site that requested their security details.<p>As soon as the hackers received these details they were able to log into a customer's account at the real ABN Amro site, before the expiry of the fob-generated number. They could then transfer the customer's money."</i> (They didn't need to redirect the customer to intercept the credentials, but it makes it harder to detect.)
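<p>Why a relayed one-time code still passes the real site's check, as an added example that is not part of the comment or the quoted articles. It models the fob or SMS code as a standard RFC 6238 time-based code; the 30-second step, the `simulate_relay` helper and the timings are assumptions, and the key is the public RFC test key.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid (RFC 6238 default; assumed here)
SECRET = b"12345678901234567890"  # RFC 6238 test key, not a real credential


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret: bytes, code: str, now: int) -> bool:
    """What the real site checks: the shared secret and the clock, nothing else."""
    return hmac.compare_digest(totp(secret, now), code)


def simulate_relay(secret: bytes, typed_at: int, relay_delay: int) -> bool:
    """Hypothetical helper: a code typed into a look-alike page at `typed_at`
    reaches the real verifier `relay_delay` seconds later."""
    code = totp(secret, typed_at)  # produced by the user's fob or SMS
    # The verifier receives only the digits. The page they were typed into
    # and the party submitting them are not inputs to the check.
    return verify(secret, code, typed_at + relay_delay)


if __name__ == "__main__":
    # Constructed timings: the code is typed at t=40 s.
    print("forwarded after 15 s:", simulate_relay(SECRET, 40, 15))
    print("forwarded after 35 s:", simulate_relay(SECRET, 40, 35))
```

The only thing that rejects the second submission is the expiry of the time step, which matches the article's "before the expiry of the fob-generated number"; the check itself cannot tell who forwarded the digits.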