It depends on the two-factor implementation they've used. Some have a time-limited code, usually 30-60 seconds, that is generated by an app. In theory you could also key-log that app and gather the codes, but you'd only have a very short timeframe to use it. The best MFA is something like Duo, where the user gets a push alert when someone has successfully used their username/password (with timestamp and geo-located IP address) and they have to manually approve the access before authentication is completed. If it's a hacker, the user should know that they haven't tried to log on and reject accordingly.
A doubtful vector. PKI security is a big thing in any organisation and banks especially have very stringent procedures for generating them. No way can a rogue employee just create themselves a sub-domain tied to a new webserver and sign it with the bank's private key without going through loads of process that would pick up nefarious behaviour.
The current vector that banks are worried about is the SWIFT network for inter-bank transfers, it's been penetrated in a few banks leading to events like the $1billion dollar Bangladesh Central Bank heist. Why bother attacking individual customers when you can penetrate the bank itself?
