I wanted to elaborate a bit on the PIN side. Six digits would buy you approximately a million possible PINs. And the time factor of 30 seconds per PIN means one would have to run through a million (10^6) PINs in 30 seconds to use the card. You’d need to try 33,333 PINs per second. That’s not impossible but extremely difficult and beyond the reach of most people.
And it doesn’t guarantee you’ll break the PIN. It’d be better if you knew the algorithm that generated the PIN. That’s what happened to RSA recently – someone got hold of the algorithm. But that was fixed by changing the “something you know” portion from 4 characters to 8 characters. An order of magnitude more difficult to hack, or so they think.
But with all of that in mind – I’ll revise my suggestion. To make a transaction you must be in physical possession of the card, know your regular 4 to 8 character PIN, plus the six characters from the Authentication app. And it would be programmatically trivial to make it so the PIN you know could be prepended, appended or maybe in the middle of the six generated digits. It would have the effect of expanding the ‘PIN’ composite to 14 positions if we choose an 8 digit PIN. That means 100,000,000,000,000 or a hundred trillion possible PINs, give or take a few hundred thousand, since the known PIN will always be the same, only its position would change. Keep the same 30 second limit on the authentication PIN and it means they have to scan 3,333,333,333,333 or 3.3 trillion per second. Now we’re talking.
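The brute-force arithmetic in the comment above, worked through as an added example (not code from the original post). It reproduces the 10^6 / 33,333-per-second and 10^14 / 3.3-trillion-per-second figures, and then adds the defender's side of the same calculation: a server-side cap on guesses per 30-second window, which is an assumed parameter here, not something the comment specifies.

```python
"""Guess-space arithmetic for a PIN combined with a 6-digit, 30-second OTP."""
import math

OTP_DIGITS = 6      # digits produced by the authenticator app
WINDOW_SECONDS = 30 # lifetime of one OTP value


def composite_space(pin_len: int, otp_digits: int = OTP_DIGITS) -> int:
    """Number of possible composite codes when a decimal PIN of pin_len digits
    is combined with an otp_digits-digit OTP; every position is a decimal digit,
    so the space is 10 ** (pin_len + otp_digits)."""
    return 10 ** (pin_len + otp_digits)


def guesses_per_second(space: int, window: int = WINDOW_SECONDS) -> float:
    """Rate an attacker would need to exhaust the whole space inside one window."""
    return space / window


def rate_limited_windows(space: int, attempts_per_window: int) -> int:
    """Worst-case number of OTP windows needed to exhaust the space when the
    verifier accepts at most attempts_per_window guesses per window
    (assumed lockout policy; the original comment does not state one)."""
    return math.ceil(space / attempts_per_window)


def rate_limited_days(space: int, attempts_per_window: int,
                      window: int = WINDOW_SECONDS) -> float:
    """Same bound expressed in days of continuous guessing."""
    return rate_limited_windows(space, attempts_per_window) * window / 86_400


if __name__ == "__main__":
    for pin_len in (0, 8):  # 0 = OTP alone, 8 = the comment's 14-position composite
        space = composite_space(pin_len)
        print(f"PIN {pin_len} digits: space={space:,}  "
              f"needs {guesses_per_second(space):,.0f} guesses/s with no lockout; "
              f"with 5 guesses/window: {rate_limited_days(space, 5):,.1f} days")
```

With a lockout of 5 guesses per window even the bare 6-digit OTP takes on the order of 69 days to exhaust, which is why the attempt limit matters more than the raw guess rate.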