New Bitcoin Security Threat. Beware!

Coinbase account holders lose up to $5 million annually to theft by hacking, according to a person close to the company. Here’s how the hacks happen, and why the culprits are so hard to catch.

The Stakeout

A scammer scouts a target by searching for people who work in the blockchain industry—or by combing social media for mentions of Bitcoin and Coinbase. The attacker finds the target’s email address and phone number through online postings or previous
data leaks.

The Switcheroo

The scammer contacts the victim’s mobile provider and “ports” the phone number to a device under the scammer’s control.

The Disguise

Because Gmail ­accounts often link phone numbers as a backup access method, the scammer can now log in and reset the target’s email password, then do the same at Coinbase.

“I’m In!”

Coinbase requires two-factor authentication (“2FA”) in addition to a password. That 2FA now gets texted to the thief, who logs in.

The Getaway

The scammer moves the money into digital “wallets” under his control. Law enforcement can easily track the movements of the stolen currency recorded on the blockchain, but they can’t block transactions, and figuring out who controls the wallets is difficult.

The Laundering

To try to cover his trail, the scammer can move the currency to foreign “cryptoexchanges,” or convert it to other kinds of digital currency that are harder to track. Eventually, he can convert it to cash or other assets.

Building a Better Vault

For better security:

Put a “do not port” order on your phone number.
Don’t use text-message 2FA; instead, use an app like Google Authenticator.
Use a unique password, one you don’t use for other accounts or social media.

Source: http://fortune.com/2017/08/22/bitcoin-coinbase-hack/