As pointed out by others up-thread real financial institutions like banks have multi-layered security procedures. I haven't used Mt Gox yet so I'm not going to trash-talk their log-in security; but if it is anything like any of the banks I've used a weak password would not be an open-sesame to a hacker.
First the hacker bot would have to guess a user-name. "A" Not recognized. "B" not recognized. "C" not recognized. At what point should the log-in system cut off the bot and direct it to call customer service? Suppose it gets lucky at "AA" So now it has to provide a password. Perhaps it has a list of common passwords to try first. "Password" not it. "password" nope. "PASSWORD" -- Message from system: "Too many log-in attempts. Please call customer service." If Mt Gox allowed password cracking bots to run wild on their system (and I doubt that they did) they need to be shut down now.
Modern banking systems work fine with ordinary everyday people, if Bitcoins require computer security geeks to use them safely, while "idiots" lose their life savings, Bitcoins are going back to zero.
This system would be completely ineffective against someone that seriously wanted to get in. All they would need to do is keep changing proxies, not store cookies, etc. It is nice that some software enforces password strength, but in reality, password strength is up to the user. Software can enforce password strength all they want, but if a user is constantly using the same "strong" password, it eventually becomes weak in the grand scheme of things. Look at the users complaining about their mybitcoin accounts being drained. What was the issue? Yep, they reused the same password. The only liability on the software (and software provider) is to secure their software. This entire mtgox explosion never would have happened if it werent for poor security practices -- same with every other exploit we have seen during the past couple of months.
There is the fundamental economical factor in security: the more security the higher the cost for the attacker/criminal.
The fundamental question is: Is all the time and effort really worth it?
By keep adding layers of security we are elevating the costs of obtaining their reward, and once the costs are higher than the reward, the interest dissipates.
As soon as it is perceived that "it isn't worth it", the attention of the attackers will drift towards less secured sites with similar rewards (other exchanges, maybe) with lower costs (Vulnerable sites)
The potential rewards from a bitcoin exchange makes it really worth the attempt of hacking it.
But a dedicated attacker will always find a way to penetrate it if the costs are disregarded (ie. if the challenge itself is their reward/have a personal vendetta against the site/etc...)
This happens with all kind of security: both real world (locks, safes, buildings) and digital (websites, servers, networks).
As financial institution/organizations where the moolas are flowing security should be the number one priority.
You wouldn't expect a bank transporting money on bicycles, right? Or a bank depositing money in baskets instead of a safe.
It is evident that the investment on security measures are of the utmost importance in a financial institution.
That's why it is unforgivable the gross negligence of MtGox. They were focused on doing business, amassing millions of dollars and their security was a joke. They were too focused on the functionality of the site: Websockets? Great, we all appreciate it. Dwolla? Great, that is awesome. API?, bravo, excellent job. But they ignored the most vital thing
What "Bitter Ender" suggests is actually pretty much standard in everywhere.
Although bruteforcing through HTTP is not really common these days, it is a very basic feature that has to be taken care of, because if you don't do it, some asshole will certainly try it. And a percentage of those assholes might succeed at it.
Using captcha to filter out simple automation is a must these days, even if there are sophisticated OCR bots out there.
Temporally suspending accounts/notifying repeated incorrect login trials, are also a very basic standard protocol in most financial sites.
Requesting a PIN number (even if you are logged in) to confirm transactions are also a standard procedure.
These measures are not really that hard to implement.
MtGox can't say that this attack wasn't preventable, it was fully preventable.
I don't bitch about their negligence, shit happens and rapid growth is hard to manage. I get that.
But to keep lying to us, making STUPID and PATHETIC excuses (Force Majeure? SRSLY?) IS UNACCEPTABLE
A new spokesperson won't fix it, as someone suggested before.
With this move we can see their moral integrity: they are willing to keep lying to save face instead of being upfront and honest.
How can they ever expect us to trust them?