
Sure, but in this case, like in many "phishing" schemes, there is no interception of the SMS; this same approach applies to all other authentication tokens, as it is the victim that enters the OTP on the (fake) site or communicates it to the phisher who calls impersonating a bank employee.


> this same approach applies to all other authentication tokens

Not true. FIDO and prevents this. The key is bound to the site you authorized it on, so inputting the key while connected to a phishing site will do nothing.

* https://www.yubico.com/authentication-standards/fido-u2f/


Yes, I meant those (I believe much more common) various hardware token generators and those "in-app" ones (issued by the bank), that end up as 6 or 8 digits that you have to type on the site.



