Brian Krebs of the Washington Post has a great blog today titled "Scams Target Latest Upgrades in E-Banking Security". He notes that phishing attacks are rapdily adapting to multi-factor authentication protection by the banks.
Bottom line...multi-factor authentication is a good step forward BUT it won't prevent identity theft. The user has to be educated to not click on links in emails, no matter how legitimate they look or even if they come from a friend or business colleague. Caveat emptor!