A few people and I just finished writing up a short paper on how 3-factor authentication can be used to secure exchanges such that an attacker can't place trades on a user's behalf without compromising the user's computer and the exchange (if the user is using physical verification).
http://www.redpointsoftware.com.au/papers/3FactorAuthenticationForExchanges.pdf

Feedback is appreciated (especially anything related to flaws in the proposed system)!