Would be useless if the thief does some research on the net. He would not need to steal your phone, as he can easily clone it to receive the SMS and run away with the loot.
Alternately, what can be done is to have the secondary password split up, with the first half or the second half of the password predecided by you, and the server only sends the remaining random other half. Thus, even if someone actually manages to steal or clone your phone, he still has only half the information!!!
Have you seen PalmTree Technology's cool security?
You don't need a token - your device (phone/laptop/PC) is the second factor and you don't need to send an SMS. This is the future of online security!!!
Bank of America has been doing this for over a year already. Any time you log in to online banking, you can have them txt msg a passcode to you that must be used in addition to your PIN to access the acct. You only have 2 mins before the passcode expires. Nothing is 100% secure but it's an easy way to add security.
This strategy is only safe if it is used by a minority of punters within an environment of punters not using it and if participants cannot be identified.
If everyone uses it, or thieves can tell who uses it, they know they must take your card and your mobile phone to get your money. Which obliges those of such an entrepreneurial disposition to resort to means like armed robbery or hostage taking rather than simple pickpocketing to get the goods, and the punter ends up running risks to provide the card provider with less risk.
Why would you want to do that?
In any case, people will just go for a card service that doesn't make you jump through hoops like a dickhead every time you want to buy something.
Real time biometrics is the only way, incorporating body integrity scans preferably; it's amazing what you can do with a stanley knife and a bath tub.
What!? Frikkin laser beams don't grow on trees you know!
The message doesn't contain transaction details. How much and to whom. Authenticating login helps nothing.