One thing I have asked for in the past and never gotten a response from MtGox on is an IRREVOCABLE DELAY TIMER.
Make it optional but it could add security and prevent thefts like this. Pretty simple concept.
User sets an irrevocable waiting period for sending coins.
User understands when setting it that it can't be removed without waiting the same amount of time (i.e. if you remove a 60 min waiting period it takes 60 minutes before it is removed).
So it works like this:
1) Attacker attempts to send coins.
2) MtGox accepts the request and delays it x minutes (preset by user).
3) MtGox sends email (and SMS, it is 2012) to user with amount of coins, address, and a CANCEL THIS IS FRAUD link.
4) If user clicks cancel link it DOESN'T require a password (as attacker may have changed it), the tx is canceled and the account frozen.
5) If tx is legit delay timer expires and funds are sent.
It allows users to set the level of security they want. Users who want the ability to instantly send coins can use the default 0 min delay timer. Cautious users could use a delay timer of 30 min. Ultra paranoid could use a delay timer of 240 min. Combined with email and SMS notifications it becomes very difficult for an attacker to transfer coins off site.
Now using the same process the user could WHITELIST certain addresses which don't need to be delayed. Obviously adding an address to the whitelist requires the delay (as would changing email or SMS phone #). User gets emails (w/ fraud link) for adding a whitelisted address, changing delay timer, removing delay period, changing email/phone, and sending coins.
Maybe I should trademark the term "warm wallet" (i.e. it isn't a "hot wallet" or "cold wallet" but a "warm wallet")?
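As an added example that is not part of the original post and not MtGox code, here is a toy model of the flow described above (steps 1 to 5 plus the whitelist and settings-change rules): withdrawals, whitelist additions, delay reductions and contact changes all queue behind the current delay, the notification carries an unguessable cancel token, and a cancel needs no password but freezes the account. The class and function names, the "raising the timer applies immediately" rule, the cancel URL and the sample addresses are assumptions for illustration only.

```python
"""Toy model of the "warm wallet" delay-timer flow. Example code, not MtGox's;
names, URL and the raise-immediately rule are assumptions."""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Pending:
    """A withdrawal or settings change waiting for its delay to expire."""
    kind: str          # "withdraw", "whitelist_add", "set_delay", "set_contact"
    payload: dict
    release_at: int    # unix time at which it takes effect
    cancel_token: str  # unguessable token embedded in the e-mail/SMS link


class WarmWallet:
    def __init__(self, delay_minutes=0):
        self.delay = delay_minutes * 60
        self.whitelist = set()
        self.contact = {}
        self.pending = {}       # cancel_token -> Pending
        self.frozen = False
        self.sent = []          # (address, amount) actually broadcast
        self.notifications = []  # what the user would receive

    def _queue(self, kind, payload, now):
        token = secrets.token_urlsafe(32)
        self.pending[token] = Pending(kind, payload, now + self.delay, token)
        # Step 3: notify out-of-band; the CANCEL link carries the token (URL assumed).
        self.notifications.append(
            {"kind": kind, **payload, "cancel": f"https://example.invalid/cancel/{token}"})
        return token

    def request_withdrawal(self, address, amount, now):
        if self.frozen:
            raise PermissionError("account frozen")
        # A 0-minute timer or a whitelisted address bypasses the delay.
        if self.delay == 0 or address in self.whitelist:
            self.sent.append((address, amount))
            return None
        return self._queue("withdraw", {"address": address, "amount": amount}, now)

    def request_change(self, kind, value, now):
        """Whitelist additions, delay reductions/removal and contact changes all
        wait the current delay. Raising the delay applies at once (assumption)."""
        if self.frozen:
            raise PermissionError("account frozen")
        if kind == "set_delay" and value * 60 >= self.delay:
            self.delay = value * 60
            return None
        return self._queue(kind, {"value": value}, now)

    def cancel(self, token):
        """Step 4: no password; constant-time match on the token. A valid cancel
        drops everything pending (the attacker's queued changes too) and freezes."""
        for t in list(self.pending):
            if hmac.compare_digest(t, token):
                self.pending.clear()
                self.frozen = True
                return True
        return False

    def tick(self, now):
        """Step 5: apply whatever has outlived its delay, unless frozen."""
        if self.frozen:
            return
        for t, p in list(self.pending.items()):
            if p.release_at > now:
                continue
            del self.pending[t]
            if p.kind == "withdraw":
                self.sent.append((p.payload["address"], p.payload["amount"]))
            elif p.kind == "whitelist_add":
                self.whitelist.add(p.payload["value"])
            elif p.kind == "set_delay":
                self.delay = p.payload["value"] * 60
            elif p.kind == "set_contact":
                self.contact.update(p.payload["value"])


def attacker_scenario():
    """Attacker holding the password tries to drain; owner clicks the cancel link."""
    w = WarmWallet(delay_minutes=60)
    tok = w.request_withdrawal("1AttackerAddr", 500.0, now=0)   # constructed address
    w.request_change("set_delay", 0, now=0)  # cannot skip the wait: this is delayed too
    w.tick(now=30 * 60)                      # half an hour later nothing has moved
    w.cancel(tok)                            # CANCEL THIS IS FRAUD, no password asked
    w.tick(now=5 * 3600)                     # frozen: nothing ever leaves
    return w.sent, w.frozen, w.delay


def legit_scenario():
    """Owner whitelists cold storage, then withdraws: one instant, one delayed."""
    w = WarmWallet(delay_minutes=30)
    w.request_change("whitelist_add", "1MyColdStorage", now=0)  # constructed address
    w.tick(now=1800)                                             # whitelist entry live
    w.request_withdrawal("1MyColdStorage", 10.0, now=1800)       # immediate
    tok = w.request_withdrawal("1SomeoneElse", 1.0, now=1800)    # delayed 30 min
    w.tick(now=3600)
    return w.sent, tok is not None
```

The point the two scenarios make is that everything an attacker could use to shorten the wait (the timer itself, the whitelist, the contact details the cancel link goes to) sits behind the same timer, so the only thing a stolen password buys is a notification to the real owner.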