It's actually not that hard. It's why several countries use more sophisticated authentication these days for internet banking. What happened was that in these countries 2FA did indeed become universal for internet banking, so hackers did start going the extra mile for man-in-the-middle attacks. Which is why, for example, in Germany, Austria, and (to my understanding) South Africa these days it is all but mandatory to authorize each individual transaction via a one time code that is specific to that transaction.
It's not a problem in MMOs, because comparatively few players use authenticators; as a result, there's plenty of poorly protected accounts (low hanging fruit) that can be hacked without investing the extra effort.