Board: Development & Technical Discussion
Topic: Re: Feedback on P2SH web wallets
Post by mbelshe on 07/11/2013, 20:18:26 UTC
On a compromised client's computer, the attacker only has to wait for the user to start any transaction. The attack consists of replacing the transaction (generated client-side) with one that sends all funds to the attacker. The user doesn't know this; she enters 2FA and encryption key believing everything's ok.

—Right, then I'll create the transaction server-side so the user validates it before entering the 2FA and/or her encryption key!

No, because then the attacker will target the server and present a bogus transaction to the user, who will happily agree with it without knowing that it's fake and provide the key.

Fair points.  Note that all wallets have this exact problem too :-)

But the p2sh wallet offers some real hope.  The user can specify on the server spending limits or authorized accounts that he/she is willing to transact to.  After the client coins the transaction, the server can validate that everything looks okay, before applying its signature.

Nothing is perfect, but you can't do this at all with a standard bitcoin address.

The payment protocol (with authenticated recipients) would help with users not noticing that funds are being siphoned to an attacker's address.

Mike
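
The server-side check described in the post above (spending limits and authorized recipients, verified before the server adds its signature), as an added example that is not part of the original post or any wallet's code. The `Policy` fields, the function name, the fee ceiling and the placeholder addresses are assumptions made for illustration, and the outputs are assumed to be already decoded from the transaction by the server.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    per_tx_limit: int        # satoshis the user allows per transaction
    daily_limit: int         # satoshis the user allows per day
    allowed: frozenset       # authorized recipient addresses
    change_address: str      # the wallet's own address (not counted as spend)
    max_fee: int = 50_000    # an inflated fee is also a way to drain funds

def check_before_cosign(policy, outputs, input_total, spent_today):
    """outputs: (address, satoshis) pairs decoded by the server from the
    transaction it is asked to sign, never from a client-side summary.
    Returns (ok, reasons); the server signs only when ok is True."""
    out_total = sum(value for _, value in outputs)
    if any(value < 0 for _, value in outputs) or out_total > input_total:
        return False, ["malformed transaction"]
    fee = input_total - out_total
    external = [(a, v) for a, v in outputs if a != policy.change_address]
    spend = sum(v for _, v in external) + fee
    reasons = [f"unauthorized recipient {a}" for a, _ in external
               if a not in policy.allowed]
    if fee > policy.max_fee:
        reasons.append(f"fee {fee} exceeds {policy.max_fee}")
    if spend > policy.per_tx_limit:
        reasons.append(f"spend {spend} exceeds per-transaction limit")
    if spent_today + spend > policy.daily_limit:
        reasons.append(f"spend {spend} would exceed daily limit")
    return not reasons, reasons

# Constructed sample data: placeholder strings, not real addresses.
POLICY = Policy(per_tx_limit=50_000_000, daily_limit=100_000_000,
                allowed=frozenset({"MERCHANT-ADDR-EXAMPLE"}),
                change_address="OWN-WALLET-ADDR-EXAMPLE")
INPUT_TOTAL = 100_000_000
INTENDED = [("MERCHANT-ADDR-EXAMPLE", 20_000_000),
            ("OWN-WALLET-ADDR-EXAMPLE", 79_990_000)]
# What a compromised client submits instead: everything to an unknown address.
REPLACED = [("UNKNOWN-ADDR-EXAMPLE", 99_990_000)]

if __name__ == "__main__":
    for name, tx in (("intended", INTENDED), ("replaced", REPLACED)):
        print(name, check_before_cosign(POLICY, tx, INPUT_TOTAL, spent_today=0))
```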