Website from desktop + SMS code is used as a second factor for login and for confirmation of operations. So the attacker would need to hack a desktop to read information and both devices to actually steal money. Or they would need a phone and a card number to login without password.

I am surprised why so many people use banking apps on phones. The apps often use SMS or even push notification (because it's cheaper) for confirmation and once you got access to the phone you can do whatever you want. Also banking apps tend to spam users with distracting notifications, and they often require extended rights, for example to scan other apps, to access contact list etc. For example, one of Russian banking apps includes an antivirus.

> What about in-person banking?

Rarely. Last time I went in-person, I found that the bank switched to a model (don't remember how it's called) where the office looks like a cafe with tables and employees come between them with laptops and there was really long waiting time so I got an impression that they don't want people to come in-person. Although I had some fun overhearing an angry customer complaining that his card was blocked for receiving transfers and immediately withdrawing large sums of money. He wasn't able to explain the source of the money or provide any documents but got a promise that his card would be unblocked.

Luckily there are still banks with traditional offices.