Pedja, you keep confusing responsibilities. Limiting the number of people who can try to open the door with the key that doesn't fit is not the same as limiting the number of people with valid keys by letting in only those who come from New York.

Stupid users with valid login credentials are *your* problem, because as I've said earlier, once you have installed a trojan on your machine it can't be trusted anymore. They might very well capture your saved SSH password and use this for SCP; FTP is what they're using right now because it's simple and it works.

Why wouldn't you try passphrase-protected SSH keys for SCP? You can have many of these if you want. The only downside is that you can't limit different users to their folders, but other than that it works quite nicely and it's impossible to sniff. Even if you have a trojan installed, it would need to

1) capture your key
2) capture your passphrase from keyboard

and the latter is much more difficult than just decoding the FTP password, because many SSH clients have protection against keystroke logging etc.

You didn't mention whether Kaspersky did the trick, by the way.