This is assuming an owned machine. Not the easiest attack but still possible. Obviously things like Google Authenticator (while good) are even more susceptible to MITM phishing.