Re: Build a better bitcoin web service?
Board: Bitcoin Discussion
by Xephan on 03/08/2011, 19:40:24 UTC
Quote
(1) I see what you're saying, the owner would be more inclined to take the key. However it is still very different than having unfettered, and hidden, access to the key. The owner would need to make a public move, even if that move is only every X transactions. He's taking a risk before reward. And this might expose him for days before any significant payoff, which is much different than simply walking off with the $1M in holdings on the server.

True, but there are ways to optimize this strategy once there are volumes. Again assuming the role of the malicious admin: if the system isn't proof against anything I can think of to game it, it isn't secure enough for me. I would analyse my user base and their activities for profiling. Heck, I could do a survey in the name of "improving the service". From there, I should be able to score users into two groups: noobs and savvy. Naturally I would target the noob users for malicious code injection and, to further reduce risk and maximize gains, I would only pick on those who store the most bitcoins.

Again, this is defeated by limiting the value stored, making it more profitable for the admin to remain honest than to risk stealing.

Storing the frontend on a public service may be one way, but I can foresee businesses who would want to customize their frontend, offer value-added extras and such to gain customers. After all, they can't be doing this just out of goodwill. Even not-for-profit, servers, bandwidth & power need to be paid for. So they would probably end up using their own modifications instead of using an external front end, unless the community as a whole wants to fund such a service, which would require somebody to admin it, and then we're back to the admin-as-a-weakness issue again.

Quote
(2) I don't think the key is any less secure in the client browser. Suppose you keep the key on the server: a trojan hijacking the user still has access to their password and, through this, to their funds on the server.

That's why I figured two-factor authentication may be necessary. A trojan can steal the password, but the server won't act on a transaction that doesn't get fully authenticated.
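The two controls discussed in this exchange, a cap on the value an account may hold and a server that refuses to execute a transaction unless a second factor verifies, as an added illustration that is not code from the thread or from any real bitcoin service. It implements RFC 4226 HOTP / RFC 6238 TOTP with the standard library and gates each withdrawal on password plus a fresh TOTP code; the class and function names, the 5 BTC cap and the PBKDF2 parameters are assumptions chosen for the example.

```python
"""Added example: hot-wallet service with a stored-value cap and a second factor on
withdrawals. All names, the cap and the TOTP parameters are illustrative assumptions."""
import base64
import hashlib
import hmac
import secrets
import struct

MAX_BALANCE_BTC = 5.0   # assumed policy: never hold more than this per account
TOTP_STEP = 30          # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // step)


class AuthError(Exception):
    """Password or second factor did not verify; the transaction is not executed."""


class PolicyError(Exception):
    """A stored-value or balance policy blocked the operation."""


class HotWallet:
    def __init__(self):
        self._accounts = {}

    def register(self, user: str, password: str) -> str:
        """Create an account; returns the base32 TOTP secret to provision once to the user."""
        salt = secrets.token_bytes(16)
        totp_secret = secrets.token_bytes(20)
        self._accounts[user] = {
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "totp_secret": totp_secret,
            "last_counter": -1,      # highest TOTP window already consumed (replay guard)
            "balance": 0.0,
        }
        return base64.b32encode(totp_secret).decode()

    def deposit(self, user: str, amount: float) -> float:
        """Enforce the cap: the service never becomes worth more to an admin than his honesty."""
        acct = self._accounts[user]
        if acct["balance"] + amount > MAX_BALANCE_BTC:
            raise PolicyError(f"deposit would exceed the {MAX_BALANCE_BTC} BTC cap")
        acct["balance"] += amount
        return acct["balance"]

    def withdraw(self, user: str, password: str, code: str, amount: float, now: int) -> float:
        """Execute a withdrawal only if password AND an unused, current TOTP code verify."""
        acct = self._accounts.get(user)
        if acct is None:
            raise AuthError("unknown account")
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(pw, acct["pw_hash"]):
            raise AuthError("bad password")
        counter = now // TOTP_STEP
        if counter <= acct["last_counter"]:
            raise AuthError("second-factor code already used")      # a stolen code cannot be replayed
        if not hmac.compare_digest(code, totp(acct["totp_secret"], now)):
            raise AuthError("bad second-factor code")
        if amount > acct["balance"]:
            raise PolicyError("insufficient funds")
        acct["last_counter"] = counter
        acct["balance"] -= amount
        return acct["balance"]


def demo() -> dict:
    """Run the flow with constructed data; returns the outcome of each check."""
    w = HotWallet()
    password = "correct horse battery staple"              # constructed sample credential
    secret = base64.b32decode(w.register("alice", password))
    now = 1_300_000_000                                    # constructed fixed clock
    out = {}
    w.deposit("alice", 2.0)
    try:
        w.deposit("alice", 4.0)                            # 6.0 total > cap
        out["over_cap"] = "accepted"
    except PolicyError:
        out["over_cap"] = "rejected"
    code = totp(secret, now)
    out["valid"] = w.withdraw("alice", password, code, 0.5, now)
    try:                                                   # same code, same window: replay
        w.withdraw("alice", password, code, 0.5, now + 5)
        out["replay"] = "accepted"
    except AuthError:
        out["replay"] = "rejected"
    later = now + 60
    wrong = f"{(int(totp(secret, later)) + 1) % 10 ** TOTP_DIGITS:06d}"
    try:                                                   # password right, second factor wrong
        w.withdraw("alice", password, wrong, 0.5, later)
        out["wrong_code"] = "accepted"
    except AuthError:
        out["wrong_code"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the replay guard is the scenario in the quote: a trojan that captures both the password and one TOTP code as it is typed can still only spend it once, within its 30-second window, and the cap bounds what any single account is worth to an insider. Constant-time comparison is used for both factors so a failed check leaks nothing about how close the guess was.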