I don't understand where you think the attack surface is, and thus can't address the problem you think exists. So unfortunately the best I can do is describe the thing again, using different words. Sorry.
The posited malware can't initiate an automatic transaction, since an OTP from the bank dongle is needed. The dongle needs to be seeded with a specific part of the receiver's account number, so just any OTP generated by the dongle won't do. The account number has been passed out of band (generally on a paper invoice), so taking control of my browser doesn't give the attacker a way of fooling me into generating an OTP suitable for use with their account either.
The posited malware can't initiate an automatic transaction, since an OTP from the bank dongle is needed.
This attack hinges on intercepting a human entering authentication information by hand into what they think is a secure, valid site. The human will be doing manual stuff, but the code is automated.
The account number has been passed out of band
If it were not passed out of band, or a phishing or MITM attack changes the account number and the user doesn't notice, this attack will work. It's a difficult but rewarding targeted attack similar to those used by the Chinese, Eastern Europeans, etc.
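The two scenarios debated above (the dongle OTP bound to the beneficiary account catching a browser-side swap, versus a swap that happens before the user ever types the number into the dongle) can be modelled in a few lines. The following is an added toy example, not any poster's code and not any real bank's protocol: it assumes the dongle computes an HMAC over the account digits the user keyed in plus a counter, and truncates it to eight decimal digits. The seed, account numbers and counter values are constructed placeholders.

```python
import hashlib
import hmac

# Constructed values: a dongle seed shared with the bank, and two accounts.
SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
GENUINE_ACCOUNT = "12345678"   # the number printed on the paper invoice
ATTACKER_ACCOUNT = "87654321"  # the number an attacker wants the money sent to


def dongle_otp(secret: bytes, account_digits: str, counter: int) -> str:
    """Dongle side (assumed scheme): OTP bound to the beneficiary account
    the user typed into the dongle, plus a transaction counter."""
    msg = account_digits.encode() + counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # Truncate to 8 decimal digits, in the spirit of HOTP-style truncation.
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def bank_verify(secret: bytes, submitted_account: str, counter: int, otp: str) -> bool:
    """Bank side: recompute the OTP over the beneficiary actually submitted
    in the transfer and compare in constant time."""
    expected = dongle_otp(secret, submitted_account, counter)
    return hmac.compare_digest(expected, otp)


def scenario_honest() -> bool:
    """User keys the invoice's account into the dongle; browser submits the same."""
    otp = dongle_otp(SECRET, GENUINE_ACCOUNT, counter=1)
    return bank_verify(SECRET, GENUINE_ACCOUNT, 1, otp)


def scenario_browser_malware() -> bool:
    """User keys the genuine account into the dongle, but malware in the
    browser rewrites the beneficiary in the submitted form. The OTP no
    longer matches, so the bank rejects the transfer."""
    otp = dongle_otp(SECRET, GENUINE_ACCOUNT, counter=2)
    return bank_verify(SECRET, ATTACKER_ACCOUNT, 2, otp)


def scenario_swapped_before_entry() -> bool:
    """The account number the user *sees* was already replaced upstream
    (the out-of-band channel was compromised, or the user did not check it),
    so the user keys the attacker's number into the dongle. The OTP is
    perfectly valid for that account and the bank accepts it: the binding
    only protects what the user actually verified."""
    otp = dongle_otp(SECRET, ATTACKER_ACCOUNT, counter=3)
    return bank_verify(SECRET, ATTACKER_ACCOUNT, 3, otp)


if __name__ == "__main__":
    print("honest transfer accepted:      ", scenario_honest())
    print("browser-side swap accepted:    ", scenario_browser_malware())
    print("swap before dongle entry accepted:", scenario_swapped_before_entry())
```

The point the model makes concrete is that the dongle binds the OTP to whatever digits the user entered, nothing more. Detection and mitigation therefore sit outside the dongle: the beneficiary shown on the invoice has to be confirmed through a channel the attacker does not control, and the bank can still apply its usual checks (new-beneficiary alerts, limits, delays) on the account that was bound.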