It is an interesting interview, but the words I would like to stress are:
RM: Do you think that two-factor authentication, or using methods in addition to passwords, could still be defeated by Trojan horses and phishing attacks?
BS: Of course; there isn’t even any debate. The debate is whether two-factor authentication will turn out to be useless in defending against identity theft because criminals will turn to Trojan horses and man-in-the-middle attacks.
It solves the security problems we had ten years ago, not the security problems we have today.
Despite all my involvement and effort in the past month studying and understanding 2FA, I have simply little or no faith in it. To me, it doesn't matter if it is 3FA or even 10FA. Once something get in between (MITM), that is the end. It is just a matter of more phishing attack to make the user enter or give up their inputs.
My primary concern is that people still does not see that the weakest link in a 2FA solution lies in the channel. And by channels, I do not mean the incoming channels (web + token, or web + handphone), this has to be applied to the outgoing channel as well. What type of security will we be talking about if you key in the multiple inputs all into the browser eventually and all we need is a poisoned proxy or a trojan BHO riding on the browser?
Does this mean I do not use internet banking? Probably not. However, it does help to minimize the risk of doing internet banking by taking more security measures.