MtGox really does run a subpar operation. There should be additional security checks when transferring money out of an account, and there should be the option to enable multifactor authentication. Back when they were originally hacked, this should have become top priority for them, along with making their service rock solid. If people are hacking and stealing from you, it's obvious you have something of value and need to take steps to protect what you have, especially when it's being held on behalf of a customer.
This was someone on a vulnerable OS, running without malware protection, with Java active in the browser, visiting an unknown link, and possibly giving an application permission to run. (Although maybe it didn't need permission to run?)
To get to that point the person needed to ignore several well established security principles.
Oh come on, how hard is it for MtGox to implement TOTP and tell users to download Google Authenticator? It's not really that much hassle to enter a code each time you want to make a transaction, and these things wouldn't happen.
Sure, the user was being stupid here, but MtGox didn't do them any favors either.
When I signed up for an account, there was no obvious prompting to go and turn it on. It's all well and good having extra security, but if you don't actively try to get your users to make use of it, it's only going to be marginally useful.
Yes, but we have to assume the majority of people are not going to be particularly educated on stuff like this. Implementing simple checks before confirming a transfer out of an account should be a given.
I agree MtGox is subpar, but this isn't their fault. MtGox has two-factor auth, which the victim willfully didn't enable, and was infected with malware. There's not much else MtGox can do to protect against this sort of thing.
