Stop believing the myth that TFA is uncrackable.
It does improve security, sure, but it is no way the holy grail.
There
have been precedents where malware could steal funds despite TFA.
http://www.wired.com/insights/2013/04/five-myths-of-two-factor-authentication-and-the-reality/this is crazy, but why dont gox have like you have to enter your birth date or something to cash out as well. that would make this bs avoidable. they could also have a setting so you receive e-mail if someone with ip outside your country logs in.
Measures like the above would greatly help secure user accounts (in addition to TFA) while being rather easy to implement, so Gox really has no excuses for neglecting such details.