The recent hacks were database-oriented, so I assume the attackers have an extensive knowledge of MySQL and similar...
But I am here to warn you, Bitstamp, to repair this horrible security faux pas -- you use for API access the same name and password as for the main login on the site. This is unacceptable, because if anyone gains an API login, he/she can then raid the account. The point of API access is to allow automated and/or remote trading, not doing account transfers! Look at btc-e for a better implementation.
Simply, API access needs to be a separate access name/password from that of the main account.
You could also allow the users to make separate API entry accounts and assign funds to these sub-accounts from your main account, so that you could, for example, have 1000 USD in the main account and divert 400$ into API_1 and 400$ into API_2. This way, each of the separate accesses can be managed individually. But even if you don't apply this improvement, changing the API access conditions and maybe including an external RSA key hardware for trade confirmations, and for main account access would be of great help! (For confirmation of bank and bitcoin transfers out of an account a simple "Trezor" external key dongle could be used, this is to cost 1BTC only, and an alternative is in development by another 'lab'.)
Anyway, even if you used printed gridcards, like many banks do (postage is cheap these days, still), you would enhance account security by 1000x, because a physical piece of plastic with numbers on it is way more secure than any data you transfer over the internet via third parties.
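
A sketch of the sub-account idea from the post above, added here as an illustration; it is not code from the post, from Bitstamp or from btc-e. The names (`Account`, `ApiKey`, `sign`, `handle`), the `"trade"`/`"withdraw"` action names and the HMAC request signing are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class ApiKey:
    key_id: str
    secret: bytes        # random per key, unrelated to the website password
    scopes: frozenset    # actions this key may perform
    balance: Decimal     # funds assigned to this sub-account


def sign(key, action, amount):
    """Client side: HMAC over the request fields (signing scheme is assumed)."""
    msg = f"{key.key_id}:{action}:{amount}".encode()
    return hmac.new(key.secret, msg, hashlib.sha256).hexdigest()


class Account:
    def __init__(self, usd):
        self.main_usd = Decimal(usd)
        self.keys = {}

    def create_api_key(self, key_id, allocate, scopes=("trade",)):
        """Move funds from the main balance into a new sub-account."""
        allocate = Decimal(allocate)
        if allocate <= 0 or allocate > self.main_usd:
            raise ValueError("allocation must be positive and covered by main balance")
        self.main_usd -= allocate
        key = ApiKey(key_id, secrets.token_bytes(32), frozenset(scopes), allocate)
        self.keys[key_id] = key
        return key

    def handle(self, key_id, action, amount, signature):
        """Server side: authenticate, then enforce scope and allocation."""
        key = self.keys.get(key_id)
        if key is None:
            return "denied: unknown key"
        if not hmac.compare_digest(sign(key, action, amount), signature):
            return "denied: bad signature"
        if action not in key.scopes:
            return "denied: scope"          # e.g. "withdraw" with a trade-only key
        amount = Decimal(amount)
        if amount <= 0 or amount > key.balance:
            return "denied: allocation"
        key.balance -= amount               # simplified: a trade just spends funds
        return "ok"
```

With 1000 USD split as in the post, a leaked API_1 secret exposes at most the 400 assigned to it, and only for trading; the remaining main balance and any withdrawal stay behind the main login.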
Don't bother. CSS is way more important than any of the serious issues, like the scamming trading engine.