[zwily]

"Oh come on, how hard is it for MtGox to implement TOTP and tell users to download Google Authenticator?"

Not hard, and they did it a long time ago. The user didn't opt in.

[axefrog]

When I signed up for an account, there was no obvious prompting to go and turn it on. It's all well and good having extra security, but if you don't actively try to get your users to make use of it, it's only going to be marginally useful.

[DanBC]

That user was aware of extra MtGox security and chose not to use it.

On top of that the user

1) Chose to turn off (or not use) malware software

2) Enabled Java in the browser

3) Chose to visit a short url link presented in a chat window

4) Clicked through a big scary warning

All while still logged into their MtGox account.

It sucks that they're a victim of crime, but their actions were dumb.

[StavrosK]

Hum, really? I didn't notice it in the settings, and I'm sure I would have. I'll look again, thank you.