Agree. When a transaction is not authorised by the account holder, this transaction is legally invalid. Any bank would give the money back in this kind of situation.
I can't imagine my parents (or 99% of the adult population) being liable for this theft when "proper security precautions" means knowing when to detect and avoid a "0 day java exploit with a cross site injection attack".
If they felt they were in the wrong, and if they provided the appropriate security measures. Does Mt. Gox even have two-factor authentication or transaction signing or anything like that?
Not really. Most banks I've asked would not refund if the victim did not take proper security measures, and the OP in this case most certainly did not.
Banks are required to make users whole, even if the user's password is compromised. At least for individual accounts. (For businesses the situation is different.)
