Sunday, December 26, 2004

Man in the middle phishing attacks

I posted before about phishing being the next big security problem, after viruses, worms and spyware. Protecting against viruses and worms has become a billion dollar a year industry, and now anti-spyware companies are being snapped up by Microsoft and other acquirers. I mentioned before that there is no easy solution to the phishing problem. This NYTimes article describes some anti-phishing measures being tested by banks, such as RSA's SecurID key fob. SecurID uses a cryptographic one-time password (OTP), which is synchronized between the chip on the fob and the algorithm running on the authentication server.

But this method has an obvious vulnerability. The fake bank site that the phisher redirects the user to can simply proxy the real site:

User ------ phish proxy ------ real bank site

in which case the OTP is simply passed through when the user types it in. Once the authentication is complete, the phisher drops the connection to the user and continues with the banking session himself. The only drawback is that the phisher has to execute this attack in real time - he sits by his machine, which beeps when a new account is compromised. He has only one login session to do his dirty work, since he can only obtain a valid OTP by proxying a live login; the code cannot be replayed afterwards.
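The relay described above, as an added simulation in Python that is not part of the original post. The seed, domains and counter-based OTP are constructed for the toy; the origin-bound variant is a hypothetical mitigation in which the code is also keyed on the origin the victim's browser is actually talking to, so a relayed code no longer verifies at the real bank.

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for the simulation; not real domains or keys.
BANK_ORIGIN = "bank.example"
PHISH_ORIGIN = "bank-login.example"   # lookalike domain the victim was lured to
SEED = b"constructed-fob-seed"        # secret shared by fob and auth server


def otp(seed: bytes, counter: int, origin: Optional[str] = None) -> str:
    """Counter-synchronised OTP. With origin=None this is a plain fob code;
    with an origin it is the hypothetical origin-bound code (the origin the
    user's browser is talking to is mixed into the MAC)."""
    msg = counter.to_bytes(8, "big") + (origin.encode() if origin else b"")
    return hmac.new(seed, msg, hashlib.sha256).hexdigest()[:8]


class Bank:
    """Authentication server: checks the code, advances the counter, issues a session."""
    def __init__(self, bound: bool):
        self.bound, self.counter, self.sessions = bound, 0, []

    def login(self, code: str) -> Optional[str]:
        expected = otp(SEED, self.counter, BANK_ORIGIN if self.bound else None)
        self.counter += 1                 # each code is good for one attempt only
        if not hmac.compare_digest(code, expected):
            return None
        token = f"session-{len(self.sessions) + 1}"
        self.sessions.append(token)       # the banking session the phisher is after
        return token


class PhishProxy:
    """The 'phish proxy' box in the diagram: forwards the victim's code to the
    real bank and keeps whatever session the bank hands back."""
    def __init__(self, bank: Bank):
        self.bank, self.stolen_session = bank, None

    def login(self, code: str) -> bool:
        self.stolen_session = self.bank.login(code)
        return self.stolen_session is not None


def relay_attack(bound: bool):
    """Victim, lured to PHISH_ORIGIN, types the code the fob shows.
    Returns (session the proxy obtained, result of replaying the same code)."""
    bank = Bank(bound)
    proxy = PhishProxy(bank)
    code = otp(SEED, counter=0, origin=PHISH_ORIGIN if bound else None)
    proxy.login(code)
    replay = bank.login(code)             # same code again: counter has moved on
    return proxy.stolen_session, replay
```

With a plain OTP the proxy ends up holding `session-1` but a replay of the captured code fails, which is the one-session limit the post describes; with the origin-bound code the relayed value never verifies in the first place.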
