Man-in-the-Middle attacks have started to emerge as the attack-class of choice by sophisticated hackers, as many institutions have started implementing preventative measures against Phishing attacks and Pharming attacks by adopting one-time password generators.
DNS Cache Poisoning attacks are not so common yet, and reported cases of it hitting banks are even more rare. Santander Bank's Brazilian branch just got hit by such an attack. The hackers managed to hijack the DNS servers that resolve the santander.com.br website and replace it with a visually perfect copy so as to harvest customer credentials and passwords. The only giveaway to users would have been if they glanced at the URL address bar in the browser and noticed that it was HTTP instead of HTTPS, a fact that the majority of users would have overlooked.
So it might be too early to pronounce the death of one-time passwords for most user authentication purposes, but it definitely is passe and old hat for banking security. Banks will have to adopt challenge-response and transaction data signing as hackers continue to innovate on all fronts and develop more man-in-the-middle attack class ranging from man-in-the-phone, man-in-the-browser, browser poisoning and the aforementioned DNS Cache Poisoning.