
assurance - Re: [Assurance] silver and two-factor ...

Subject: Assurance

  • From: "Joe St Sauver" <>
  • To:
  • Subject: Re: [Assurance] silver and two-factor ...
  • Date: Tue, 13 Mar 2012 12:30:52 -0800 (PST)

"Caskey, Paul"
<>
commented:

#That said, I'm sure someone is already working on a new crafty spam mail
#"Please mail me your 2nd factor token and PIN and I will then wire you $10
#million from this Nigerian prince...". :)

There are still-"better" "solutions" that the bad guys are using when
confronting two factor users, e.g., what some have taken to calling
"man-in-the-browser" attacks. See for example:

-- "Hackers outwit online banking identity security systems"
http://www.bbc.co.uk/news/technology-16812064

-- "Sykipot variant hijacks DOD and Windows smart cards"
http://labs.alienvault.com/labs/index.php/2012/when-the-apt-owns-your-smart-cards-and-certs/

And of course, malware has long sought to harvest things like client
certificates stored in software browser stores (e.g., see Figure 7 of
http://www.secureworks.com/research/threats/zeus/ ), just as malware
has long sought to steal passwords saved in browsers, etc.

Bottom line, if you have an insecure host O/S, I'm not sure anything's
going to be a silver bullet, but two factor or two channel at least
raises the bar and makes the bad guys work at least a *little* harder :-)

Regards,

Joe


