Re: I'm confused
There are some online banking systems which use the phone as the Second Factor in 2FA. In Germany they have replaced Transaction Authorisation Numbers (TAN) with a pushTAN from an app on your phone. So a determined criminal who has managed to phish your online banking details "just" needs to get you to download some malware onto your phone too.
I'm not sure why more banks don't give customers hardware gizmos Like Nationwide BS or Barclays in the UK do. Can't cost more than a fiver and must pay for themselves with fraud prevention?