I remembered hearing a really great presentation where the person, I forgot his name but he was very knowledgeable about IT security said that 2fa is useless if you have an infected PC - Man in the Middle attack will login with your 2fa and initiate a withdrawal in the same execution timeframe with the same 2fa key - I think that laymans explanation of what he had stated. It was basically that, if you're using a malware device on either end, the MITM attack would exploit your key like an elaborate phishing attempt of sorts.
Your QT was emptied because of of the new password request. which was obviously a spoof - it could have been tied to the other mitm attack that caused the mt gox withdrawals - if someone else has the correct or a better explanation, I am all ears.
2FA is useless if your computer is compromised, that is if all the 2FA does is provide an ephemeral auth token to 'authorise' an action. Since there's no way to know what it is that you are in fact authenticating - it could be the withdrawal that you're seeing on the screen, or it could be that the attacker is manipulating web page content and doing something else with the token you provide.
For 2FA to be secure (assuming the 2FA device is secure), it needs to sign some data that'll only authorize the very specific withdrawal that you wish to make, so:
- destination address
for convenience this could be just the first 10 characters for example, just enough so that it is inpractical to brute force it in a reasonable time frame using vanitygen
- number of coins
in case the attacker is able to both infect your machine AND socially engineer a scenario in which you willingly send money to an address he controls, except he'll adjust the number of coins once the victim authorises the tx and destination address.
