In the event that both the exchange and the user's computer are breached,
the user has not previously placed trades while under surveillance, and
the user has set up SMS authentication, the attacker should not be
able to withdraw funds or place trades on the user's behalf.
For this attack it is not necessary to breach the user's computer. Owning the exchange is enough. And this is one of the scenarios that the paper purports to protect against. Yet it doesn't.