Yes, when the whitepaper was done and PassWindow was initially featured on Slashdot it was a static challenge with several digits in the static challenge, these were interceptable in say 30 interception so a month or 2 worth of normal use. However since then weve had some major breakthroughs beyond just switching to the purely animated cyclical method, weve been able to easily achieve interception rates of 10K plus with very little usability obfuscation. A side benefit of this new method is the analysis doesnt actually give the attacker a clear probablistic determination at say 80% of the necessary number of interceptions, actually its only until the last few interceptions that it all falls into place for the attacker so a guess at 80% isnt knowing 80% of the key pattern.
Of course since the whole key process has been pre analyzed its managed and a new card can be issued before it gets anywhere near this number of authentications which might compromise the key pattern.
Once you start talking thousands of interceptions required by a normal user even if they authenticate every single day of the year and the attacker is prepared to analyze over a number of years he still wont get anywhere near the numbers required and the average membership card usually only has a few years of life in it anyway. But beyond that the EMV chip doesnt help online based authentication as was shown in the article, its not even helping much of the atm fraud it was desgined for where most ATM's in the world dont even check the EMV chip. The associated CAP readers which use the digital key off an EMV chip for their online authentication use the exact same method of authentication as provided in the article and we can see that has failed.
re telephoto lens attack etc, you are incorrect, it is not trivial to copy as we simply tint the key pattern, in normal lighting conditions it appears black but screens are quite bright and still allow the user to see quite clearly. This is without even going into transflective laminates etc, really the only way would be with a rubber hose or physical interception and there EMV will fail too. A piece of transparent plastic card costs less than a few cents and so if a bank was really paranoid about their user's waving their credit cards around in public they could easily issue a separate card. A digital version could also be constructed however the costs outweigh the benefits.