I don't think 2FA is enough to protect you from a MITM attack, as they can accept your OTP and replay it through to the real site.
Furthermore, they could prompt you again, pretending a timeout, and use the second OTP entry to execute a withdrawal.
Only real protection is 2FA with a CPU to sign the actual activity with a private key.
cheers
With a MtGox YubiKey, you press and hold the key for 1 second to login and press and hold the key for 3-4 seconds to issue a different OTP for withdrawals. I'm not sure exactly how this works, but the withdrawal OTP looks completely different than the login OTP. That is why I prefer YubiKey over other 2FA such as Google Authenticator. Although anything can happen, this should reduce the risk of a MITM.
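
An added example, not part of either post above: it contrasts a server check on a one-time code, which is computed without any of the request details, with a check on a tag computed over the exact request the user approved. Assumptions: RFC 4226 HOTP stands in for a generic OTP (it is not the MtGox YubiKey scheme), an HMAC under a device-held key stands in for the private-key signature the first post describes, and all keys, field names, addresses and the nonce are constructed.

```python
import hashlib
import hmac
import json
import struct

DEVICE_KEY = b"constructed-demo-key"  # constructed sample secret held by token and server

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: the code depends only on key and counter, never on the request."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def sign_request(key: bytes, request: dict, nonce: str) -> str:
    """Device side: tag over the exact fields shown to and approved by the user."""
    fields = [nonce, request["action"], request["amount"], request["to"]]
    msg = json.dumps(fields).encode()  # list encoding keeps field boundaries unambiguous
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def server_accepts_otp(request: dict, otp: str, counter: int) -> bool:
    # The OTP check never reads `request`, so any request carrying a fresh code passes.
    return hmac.compare_digest(otp, hotp(DEVICE_KEY, counter))

def server_accepts_signed(request: dict, tag: str, nonce: str) -> bool:
    # Recompute the tag over the request as received; an altered field changes the tag.
    return hmac.compare_digest(tag, sign_request(DEVICE_KEY, request, nonce))

def demo() -> dict:
    approved = {"action": "withdraw", "amount": "1.0", "to": "user-address"}
    altered = dict(approved, to="other-address")  # request changed in transit
    otp = hotp(DEVICE_KEY, 7)
    nonce = "server-nonce-001"  # constructed; a server would issue a fresh one per request
    tag = sign_request(DEVICE_KEY, approved, nonce)
    return {
        "otp_approved": server_accepts_otp(approved, otp, 7),
        "otp_altered": server_accepts_otp(altered, otp, 7),
        "signed_approved": server_accepts_signed(approved, tag, nonce),
        "signed_altered": server_accepts_signed(altered, tag, nonce),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The binding only helps if the device shows the amount and destination on its own display before producing the tag, so the user approves what is actually signed.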