A bad security decision by Comcast on the company’s mobile phone service made it easier for attackers to port victims’ cell phone numbers to different carriers.
Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took a shortcut in the system that lets users switch from Comcast to other carriers.
To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally also require a PIN to verify that the customer seeking to port a number actually owns it. But Comcast reportedly set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. A PIN that is the same for every account and that nobody can change provides no verification at all: the account number became the only thing standing between an attacker and the victim's phone number, so anyone who acquired a victim's Comcast account number could port the number to another carrier.
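To make the difference concrete, here is an added, hypothetical model of a carrier's port-out check in Python. It is not Comcast's code and does not describe the fix Comcast declined to detail; it contrasts the scheme the article describes (one constant PIN for every account) with the kind of per-customer PIN check the article says Comcast plans to roll out. The account numbers, phone numbers and PIN-strength rules are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample subscriber table (made-up account numbers), standing in
# for a carrier's billing database.
SUBSCRIBERS = {
    "8495-1001-2233": {"phone": "+12095550101"},
    "8495-1001-2234": {"phone": "+12095550102"},
}

# The scheme the article describes: every account shares one fixed PIN that
# the customer cannot change.
DEFAULT_PIN = "0000"


def weak_authorize_port_out(account_number: str, pin: str) -> bool:
    """Port-out check with a carrier-wide constant PIN. Because the PIN is
    public knowledge, the account number alone authorizes the port."""
    return account_number in SUBSCRIBERS and pin == DEFAULT_PIN


# Hardened model (hypothetical): no default PIN exists, the customer must set
# one, it is stored as a salted PBKDF2 hash, compared in constant time, and
# repeated wrong guesses lock the account until an out-of-band reset.

def is_guessable(pin: str) -> bool:
    """Reject PINs made of one repeated digit or a straight run such as
    0000, 1234 or 9876 (the example's own rule, not a carrier standard)."""
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    return steps in ({0}, {1}, {-1})


@dataclass
class PinRecord:
    salt: bytes
    digest: bytes
    failures: int = 0


@dataclass
class PortOutAuthorizer:
    max_failures: int = 5
    _pins: dict = field(default_factory=dict)

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def set_pin(self, account_number: str, pin: str) -> bool:
        """Store a customer-chosen PIN. Returns False if the account is
        unknown or the PIN is too short, non-numeric or guessable."""
        if account_number not in SUBSCRIBERS:
            return False
        if not (pin.isdigit() and 6 <= len(pin) <= 8) or is_guessable(pin):
            return False
        salt = os.urandom(16)
        self._pins[account_number] = PinRecord(salt, self._hash(pin, salt))
        return True

    def authorize_port_out(self, account_number: str, pin: str) -> bool:
        rec = self._pins.get(account_number)
        if rec is None:
            return False  # no customer-set PIN means no port-out, not a default
        if rec.failures >= self.max_failures:
            return False  # locked; an online guess of the PIN is cut off
        if hmac.compare_digest(rec.digest, self._hash(pin, rec.salt)):
            rec.failures = 0
            return True
        rec.failures += 1
        return False


if __name__ == "__main__":
    acct = "8495-1001-2233"
    print("weak, account number + 0000:", weak_authorize_port_out(acct, "0000"))
    auth = PortOutAuthorizer()
    print("hardened, no PIN set yet:", auth.authorize_port_out(acct, "0000"))
    print("hardened, customer tries 0000:", auth.set_pin(acct, "0000"))
    auth.set_pin(acct, "739218")
    print("hardened, correct PIN:", auth.authorize_port_out(acct, "739218"))
```

The point of the contrast is the `rec is None` branch: in the hardened model an account with no customer-set PIN cannot be ported at all, whereas in the weak model the absence of a real PIN silently degrades the check to "knows the account number".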
Comcast told Ars that “less than 30” customers were affected by the problem, that it has implemented a fix, and that the company will eventually roll out a real PIN-based system to further protect customers. But Comcast declined to describe the recent fix in any way, saying that information could help attackers. Comcast also did not say when its new PIN-based system will be ready.
Customer had number hijacked
The problem was detailed yesterday in a Washington Post column that addressed tech problems reported by readers. The Post’s Geoffrey Fowler reported:
“This is a security hole large enough to drive a truck through,” reader Larry Whitted in Lodi, Calif., wrote last week.
As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card—and went to the Apple Store in Atlanta and bought a computer, he said.
The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN. (Comcast’s help site for switching carriers suggests this is to make things easier: “We don’t require you to create an account PIN, so you don’t need to provide that information to your new carrier.”) The default it uses instead is… 0000.
That Comcast help page was edited this week to remove any references to the account PIN. The page says, “When you contact your new carrier to transfer your number, they will want your current address and Xfinity Mobile account number.”