What's up with that - who's gonna help 'em?
Certainly someone is going to have to explain to him how "cold storage" has to be "done differently" in Nxt (am also not sure if the "hash chain security" idea was still going to be added to AC as CfB and I realised that it could also be done via an AT).
For those wondering about a "hash chain security" AT let me give you a simplified example (using MD5 for readability):
md5( 'secret' ) = 5ebe2294ecd0e0f08eab7690d2a6ee69
md5( md5( 'secret' ) ) = 7022cd14c42ff272619d6beacdc9ffde
md5( md5( md5( 'secret' ) ) ) = 19ff59e135cce19e3493402cb3884628
You would create an AT that has the value '19ff59e135cce19e3493402cb3884628' hard-coded in it and load it up with "balance". You would then send an AM with an "output" account to the AT which would "lock in" that output account for the next x blocks (so that other AMs sent by would-be thieves before that block is reached to try and change accounts would simply be ignored - you could also ignore such AMs unless they were sent by the AT "creator").
After "locking in the payout account" (and perhaps payout amount) you would then send an AM with '7022cd14c42ff272619d6beacdc9ffde' which the AT would hash and verify it equals the hard-coded value it currently has. It would then update that hard-coded value to '7022cd14c42ff272619d6beacdc9ffde' and release funds to the address that was previously locked in.
To repeat you would next use '5ebe2294ecd0e0f08eab7690d2a6ee69' and then finally 'secret' (you can make the chain as long as you like as it takes very little time to do thousands and even millions of hash rounds on modern hardware).
This gives you a 2FA built right into the blockchain (requiring the thief to not only know your private key but also your "hash chain key").
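A toy simulation of the scheme described in the post above, added here as an example; it is not code from the original post and not real AT bytecode. The class and method names, the block-height handling, the rule that a reveal must arrive while the lock is active, and hashing each hex digest as text are assumptions; MD5 is kept only to mirror the post's simplified example.

```python
import hashlib

def h(value: str) -> str:
    # Assumption: each round hashes the previous hex digest as ASCII text.
    return hashlib.md5(value.encode()).hexdigest()

def build_chain(secret: str, rounds: int) -> list:
    # chain[0] is the secret, chain[i] = h(chain[i-1]); chain[-1] goes into the AT.
    chain = [secret]
    for _ in range(rounds):
        chain.append(h(chain[-1]))
    return chain

class HashChainAT:
    """Hypothetical model of the AT's state: stored hash, balance, payout lock."""
    def __init__(self, creator, stored_hash, balance, lock_blocks):
        self.creator, self.stored_hash, self.balance = creator, stored_hash, balance
        self.lock_blocks, self.locked = lock_blocks, None  # (account, amount, expiry)

    def lock_payout(self, sender, account, amount, height):
        # AMs from non-creators are ignored, and so is any attempt to change the
        # payout while an earlier lock is still in force (even with the private key).
        if sender != self.creator or amount > self.balance:
            return False
        if self.locked and height < self.locked[2]:
            return False
        self.locked = (account, amount, height + self.lock_blocks)
        return True

    def reveal(self, preimage, height):
        # Pay out only if a lock is active and h(preimage) matches the stored hash.
        if not self.locked or height >= self.locked[2]:
            return None
        if h(preimage) != self.stored_hash:
            return None
        account, amount, _ = self.locked
        self.stored_hash = preimage   # next payout needs the previous chain link
        self.balance -= amount
        self.locked = None
        return (account, amount)

if __name__ == "__main__":
    chain = build_chain("secret", 3)            # constructed sample input
    at = HashChainAT("creator", chain[3], 100, lock_blocks=10)
    print(at.lock_payout("creator", "payee", 40, height=100))   # lock accepted
    print(at.lock_payout("creator", "thief", 40, height=105))   # ignored: locked
    print(at.reveal(chain[2], height=106))                      # funds released
    print(at.reveal(chain[2], height=107))                      # replay: rejected
```

Because the revealed value becomes public once it is on the blockchain, the payout account has to be locked before the reveal is sent; the simulation shows that a replay of an already used link no longer matches the updated stored hash.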