[axefrog]

MtGox really does run a subpar operation. There should be additional security checks when transferring money out of an account, and there should be the option to enable multifactor authentication. Back when they were originally hacked, this should have become top priority for them, along with making their service rock solid. If people are hacking and stealing from you, it's obvious you have something of value and need to take steps to protect what you have, especially when it's being held on behalf of a customer.

[DanBC]

This wasn't someone hacking MtGox.

This was someone on a vulnerable OS, running without malware protection, with Java active in the browser, visiting an unknown link, and possibly giving an application permission to run. (Although maybe it didn't need permission to run?)

To get to that point the person needed to ignore several well established security principles.

[StavrosK]

Oh come on, how hard is it for MtGox to implement TOTP and tell users to download Google Authenticator? It's not really that much hassle to enter a code each time you want to make a transaction, and these things wouldn't happen.

Sure, the user was being stupid here, but MtGox didn't do them any favors either.

[zwily]

"Oh come on, how hard is it for MtGox to implement TOTP and tell users to download Google Authenticator?"

Not hard, and they did it a long time ago. The user didn't opt in.

[axefrog]

When I signed up for an account, there was no obvious prompting to go and turn it on. It's all well and good having extra security, but if you don't actively try to get your users to make use of it, it's only going to be marginally useful.

[DanBC]

That user was aware of extra MtGox security and chose not to use it.

On top of that the user

1) Chose to turn off (or not use) malware software

2) Enabled Java in the browser

3) Chose to visit a short url link presented in a chat window

4) Clicked through a big scary warning

All while still logged into their MtGox account.

It sucks that they're a victim of crime, but their actions were dumb.

[StavrosK]

Hum, really? I didn't notice it in the settings, and I'm sure I would have. I'll look again, thank you.

[drivebyacct2]

Not only is there TOTP, they also sent free Yubikeys to anyone who requested one last year.

[axefrog]

Yes, but we have to assume the majority of people are not going to be particularly educated on stuff like this. Implementing simple checks before confirming a transfer out of an account should be a given.

[theycallmemorty]

I agree that the user is largely at fault here, but would you consider this acceptable if the same thing happened on your bank website?

I'm not familiar with Mt Gox but it's unacceptable if they don't have two factor authentication.

EDIT: Scrolling down, it appears they DO offer two-factor authentication. nvm.

[amalag]

How did the executable instruct the bitcoin transfer to take place?

[Cakez0r]

They do have two-factor authentication, which the user admittedly didn't opt in to.

See https://support.mtgox.com/entries/21743327-Security

[axefrog]

Ah, my bad.

[tlrobinson]

I agree MtGox is subpar, but this isn't their fault. MtGox has two-factor auth, which the victim willfully didn't enable, and was infected with malware. There's not much else MtGox can do to protect against this sort of thing.