I don't think 2FA is enough to protect you from a MITM attack, as they can accept your OTP and replay it through to the real site.
Furthermore, they could prompt you again, pretending a timeout, and use the second OTP entry to execute a withdrawal.
The only real protection is 2FA with a CPU to sign the actual activity with a private key.
cheers
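
Added example, not part of the post above: a server-side comparison of why a time-based OTP is accepted whatever request it accompanies, while an approval computed over the activity itself fails verification once the request differs from what the device approved. Assumptions: all function names, keys and request fields are constructed for illustration, and HMAC-SHA256 with a device-held key stands in for the private-key signature because Python's standard library has no asymmetric signing.

```python
import hashlib
import hmac
import json
import struct

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the secret and the time only."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def authorize_with_otp(secret: bytes, request: dict, code: str, now: int) -> bool:
    # The request cannot take part in the check: the code carries nothing about it.
    return hmac.compare_digest(totp(secret, now), code)

def sign_activity(device_key: bytes, request: dict) -> str:
    """Runs on the user's device, over the activity the device displays.
    Assumption: HMAC-SHA256 stands in for the private-key signature."""
    msg = json.dumps(request, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()

def authorize_with_signature(device_key: bytes, request: dict, sig: str) -> bool:
    # Verified against the request the server actually received.
    return hmac.compare_digest(sign_activity(device_key, request), sig)

def demo() -> dict:
    # All values below are constructed for this example.
    secret, device_key = b"constructed-otp-secret", b"constructed-device-key"
    now = 1_700_000_000
    approved = {"action": "login", "nonce": "n-001"}  # what the user meant to do
    received = {"action": "withdraw", "dest": "ACCT-OTHER",
                "amount": "500.00", "nonce": "n-001"}  # what arrived via the relay
    code = totp(secret, now)                   # typed by the user
    sig = sign_activity(device_key, approved)  # produced on the user's device
    return {
        "otp_approved": authorize_with_otp(secret, approved, code, now),
        "otp_received": authorize_with_otp(secret, received, code, now),
        "sig_approved": authorize_with_signature(device_key, approved, sig),
        "sig_received": authorize_with_signature(device_key, received, sig),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The nonce here is only a field in the signed payload; a real server would issue it per request and refuse to accept it twice.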