Snippet: Comcast Used ‘0000’ as Default PIN for Xfinity Mobile Customers, Leading to Number Hijacking

Shared on March 1, 2019

Geoffrey A. Fowler for The Washington Post:

“This is a security hole large enough to drive a truck through,” reader Larry Whitted in Lodi, Calif., wrote last week.

As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card — and went to the Apple Store in Atlanta and bought a computer, he said.

The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN. (Comcast’s help site for switching carriers suggests this is to make things easier: “We don’t require you to create an account PIN, so you don’t need to provide that information to your new carrier.”) The default it uses instead is…0000.

Closely guarding your telephone account is becoming increasingly important for security. All kinds of online and financial services use text messages and calls to a phone number to verify identity, or as a second factor in addition to passwords. Other Xfinity Mobile customers have also reported having their numbers hijacked.

Yikes.
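
An added illustration of the fix the article points at, written for this post rather than taken from Comcast, Xfinity or the Post: a port-out authorization check that treats the account PIN as a real credential. It refuses to port a number while the PIN on file is still the carrier default (or another trivially guessable value) and requires the presented PIN to match. The account fields, the weak-PIN rules and the sample phone number are my assumptions; the article only reports that the default was 0000.

```python
"""Port-out PIN policy check.

Added example, not carrier code. Assumptions: the carrier stores one account
PIN per line, the PIN is seeded with a carrier-wide default ("0000", as the
article reports), and a port-out request must present that PIN. The policy
rules below are illustrative, not a description of any carrier's process.
"""
import hmac
from dataclasses import dataclass
from typing import Optional

DEFAULT_PIN = "0000"  # the carrier-wide default reported in the article


def pin_weakness(pin: str, phone_number: str = "") -> Optional[str]:
    """Return why the PIN is unacceptable, or None if it passes the policy."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        return "pin must be 4 to 8 digits"
    if pin == DEFAULT_PIN:
        return "pin is the carrier default"
    if len(set(pin)) == 1:
        return "pin is a single repeated digit"
    # Differences between adjacent digits; all +1 or all -1 means 1234 / 4321.
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return "pin is a digit run (e.g. 1234 or 4321)"
    # A PIN lifted from the phone number itself is public knowledge.
    digits_only = "".join(ch for ch in phone_number if ch.isdigit())
    if pin in digits_only:
        return "pin appears in the account phone number"
    return None


@dataclass
class Account:
    phone_number: str  # assumed field, constructed for the example
    pin: str           # the PIN on file; starts life as DEFAULT_PIN


def authorize_port_out(account: Account, presented_pin: Optional[str]) -> bool:
    """Decide whether a port-out request for this account may proceed.

    The failure mode in the article: an account whose PIN was never changed
    from the default lets anyone who knows the default port the number. Such
    an account is refused outright until the customer sets a real PIN; only
    then does a matching presented PIN authorize the port.
    """
    if pin_weakness(account.pin, account.phone_number) is not None:
        return False  # PIN on file is default/weak: customer must set one first
    if presented_pin is None:
        return False  # no PIN presented, no port
    # Constant-time compare so a timing oracle can't narrow down the PIN.
    return hmac.compare_digest(account.pin, presented_pin)


if __name__ == "__main__":
    # Constructed sample data, not a real customer.
    number = "+1 (209) 555-1212"
    untouched = Account(number, DEFAULT_PIN)
    hardened = Account(number, "4807")
    print(authorize_port_out(untouched, "0000"))  # False: still on the default
    print(authorize_port_out(hardened, "4807"))   # True: customer-set PIN matches
    print(authorize_port_out(hardened, "0000"))   # False: wrong PIN
```

The point of refusing the port when the stored PIN is weak, rather than merely rejecting the presented one, is that the account in the article was never protected by anything the customer chose; the only way to close the hole is to make the customer set a PIN before the number can move anywhere.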

Snippets are posts that share a linked item with a bit of commentary.