Man In The Middle

Check out Tricerion as well: http://www.tricerion.com

You can also protect against man-in-the-middle attacks by using the Transaction Data Signing facility with Remote Chip Authentication (RCA) approaches such as MasterCard's CAP and Visa's DPA.  You insert your chip card in the handheld reader and enter the account number of the beneficiary, and the payment amount, as well as your PIN, then press the "Sign" button or its equivalent on the reader.  The chip on the card then uses all this information to generate a one-time-password which you enter into the PC, effectively signing the transaction.  Any attempt by a fraudster to change the transaction is immediately apparent.  This is the approach used by, for example, ABN AMRO and the many other banks which now routinely use RCA for secure remote banking.

In my view, using a second channel such as a phone line is expensive, inconvenient and unfamiliar compared with this "Chip & PIN at Home" approach.

I agree that a dual channel approach will give you better protection against some threats, but not in this case. The article discussed "man in the browser attacks". This is typically a Trojan horse (hostile program) that has taken control over the user's PC. If an attacker has control he does not need to open the door himself. He can calmly wait until the user has opened it for him and then put up a screen that tells him that the bank is temporally unavailable…Thus, on this type of threats you can use any number of authentication methods and nothing will help. One dual channel countermeasure that helps against Trojan horses is to use the mobile as signing device. The user has to accept the transactions by using his mobile signing key/ certificate to before the bank let the transaction go through.  

The second channel can be opened back to the user, from the "bank" when an action is taking place.  That would mean that the MITB would be able to see the action taking place, but authentication is carried to the bank through a second channel, opened by them, which is not visible to the MITB.

We have a demonstration version running now, but nothing production ready.

When we do, I'll tell you about it.