"... a Man-in-the-Browser attack can be elevated to intercept One-Time Passwords sent to the mobile phone ..."
I'd have thought that the One-Time Password sent to the mobile phone could not be intercepted by a man in the browser, but that the password could be monitored when it is typed into the browser to gain 'authorisation' from the website that you're trying to connect to for full services.
As such, if you, the user, then gain authorisation to access services from that browser session, surely nobody else could use the one-time password for another browser session on a different computer from a different IP address? Isn't that the point of a one-time password?
As was mentioned, if you do have a 'bad guy' sitting in your browser with the capability to monitor and inject data, then it's game over no matter what security you have in place for browser session authentication.