Saul Hansell of the Washington Post has posted an article about real time attacks on one-time password tokens like SecurID and SafeWord.
The strategy is to steal a user's one-time password after it is typed in and redirect it to a hacker to exploit immediately. The attack relies on Trojan software that has installed itself in the victim's computer.
One time passwords were not designed to protect against this type of thing. Once you have that sort of trojan, there's no way
to use your computer reliably. Attackers can intercept what you're doing, change it to benefit them, and you won't know what happened until you look at your bank statement.
The only way to protect against such things is to ensure that your computer has not been hacked. This is hard, since there are lots of ways to attack a computer and not nearly as many ways to protect it.