The multi-sig is not on the part of the user, it is between Bitstamp and BitGo. While they haven't revealed any details on their precise operation, it is most likely something like this:
Bitstamp has 2 keys to addresses associated with their hot wallet and deposit addresses, BitGo has one and all addresses are 2-of-3 multisig. Bitstamp keeps 1 key for each address offline and 1 on its hot wallet machine. When a transaction is required, Bitstamp generates the tx, signs it with their online key and sends it to BitGo (through some API that they offer). BitGo applies some rate limit or other type of sanity check and if all works out, signs the tx and broadcasts it.
If an attacker obtains Bitstamps online key, they can't do anything unless they have the required info to submit tx-requests to BitGo masquerading as Bitstamp (how hard/easy that is depends on the details of the implementation). BitGo may or may not have some sort of algorithm in place that tries to detect fraudulent activity before signing off on a tx.
It's not a perfect solution, but it solves the most basic attack vector of "steal wallet.dat -> get coins".
I don't think that's that either. There is a page
http://bitgoinc.com/guides/add-bitcoin-from-bitstamp-guide/ that explains how to make your wallet multisig with bitgo.
i don't think you understand well how an exchange works. the replies are more or less on the spot
when you open an account with bitstamp, they will assign you a bitstamp&bitgo multi sig wallet. you transfer bitcoin to your bitstamp account, they will transfer the bitcoin to another main bitstamp&bitgo multi sig wallet that stores a lot of client's bitcoins together for easier management. in return they update on their sql table (or whatever db they are using) so that you can see your balance when you log into bitstamp then you can 'sell' your coins in bitstamp. so if I buy the coins that you sold and withdraw the coins, bitstamp will transfer bitcoins from their main bitstamp&bitgo multi sig wallet to my address.
