I think Citigroup and others are using an SEP field here… Krebs, Schneier, and others keep blaming 2-factor authentication, which is incorrect.

First, their arguments, which I will soundly trounce.
Alright, I call “FOUL” on this one.

Bruce Schneier and other pundits have cried wolf over this sort of attack for some time now. Bruce has said more than once that 2-factor auth is not the answer; he’s right: in and of itself, 2-factor user authentication is NOT the answer to all these problems. But it is the answer to a few of them. Some of these people dismiss 2-factor authentication out of hand because it is not the end-all be-all answer, which is a mistake.

My full dissertation/oration/bitch-fest on the subject.