In FFXI, before the RSA tokens were available, I was hacked by an exploit in Adobe Flash Player. This happened just after Adobe acquired Flash from Macromedia. The site "Somepage.com" had an infected ad that targeted users of FFXI and I had an outdated version of Flash. It need not be the traditional "keylogger" to take your account info.

In short, the Security Token is invaluable. The mobile phone security application is a good start, but it can be hacked as well; your physical token cannot be remotely hacked (with the very rare exception of a breach of the original keys, which should not be exposed in the first place).

If you use your mobile phone and the security application on it... DO NOT EVER log into any SE account page on your phone, EVER! If you do not allow an attacker to know what account your key is good for, then even knowing your key does not allow them access.