Comcast's Xfinity Mobile simplifies phone number theft with default '0000' PIN

Posted:
in iPhone
In what appears to be a heinous oversight, Comcast set the default PIN code for all Xfinity Mobile customer accounts to "0000," opening the door to phone number hijacking and, in some cases, identity theft.

Xfinity Mobile


An Xfinity Mobile customer from California detailed the snafu in a letter to The Washington Post columnist Geoffrey A. Fowler.

According to Larry Whitted, an unknown third party used the unimaginative PIN to steal his phone number, port it to another carrier and commit identity fraud, the report said. Along with ownership of the Xfinity Mobile phone number, the nefarious actor gained access to Whitted's credit card by provisioning Samsung Pay on a new phone, then used the information to buy a Mac at an Atlanta Apple Store.

The problem stems from Comcast's account management policies, seemingly created to streamline the setup and porting process. A help page covering number transfers from Xfinity Mobile to another carrier reads, "We don't require you to create an account PIN, so you don't need to provide that information to your new carrier." As noted above, Comcast selected its own default PIN.

Armed with a phone number, criminals can ferret out more sensitive data from unwitting customer representatives or automated services. Whitted's plight is echoed on Xfinity Mobile's forums, which lists similar incidents from a number of other customers.

"We're aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many," a Comcast representative told The Washington Post, adding that the company is "working aggressively towards a PIN-based solution."

Comcast implemented countermeasures to thwart further abuse of the "0000" PIN code blunder, the report said.

Launched in 2017, Xfinity Mobile is a mobile virtual network operator that relies on Verizon's backbone for base cellular service. The MVNO extends its footprint by tapping into Wi-Fi hotspots, to which users can connect for potentially cheaper fees.

Comments

  • Reply 1 of 12
    genovellegenovelle Posts: 887member
    This sounds like they were trying way to hard to make it easy. The FCC will have a field day with this one. Telecom is heavily regulated and pins are required, which is why they were forced to create on. I’m surprised Verizon did not explain this to them. 
    gilly33
  • Reply 2 of 12
    linkmanlinkman Posts: 893member
    IIRC it's not nearly that easy to setup Apple Pay on a new iPhone -- at least with the two bank/credit card accounts that I use. Samsung seems to care much less about security and more about selling phones that can't be upgraded after about one year.
    chasmracerhomie3
  • Reply 3 of 12
    dysamoriadysamoria Posts: 1,981member
    genovelle said:
    This sounds like they were trying way to hard to make it easy. The FCC will have a field day with this one. Telecom is heavily regulated and pins are required, which is why they were forced to create on. I’m surprised Verizon did not explain this to them. 
    Heavily regulated? How do you define that?
    GeorgeBMac
  • Reply 4 of 12
    rivertriprivertrip Posts: 112member
    How did the thief get the credit card number, the CVC code, and the Samsung Pay Pin?
  • Reply 5 of 12
    chasmchasm Posts: 1,266member
    genovelle said:
    This sounds like they were trying way to hard to make it easy. The FCC will have a field day with this one.
    This corrupt FCC we have now? They’ll do nothing and say nothing about this.
    GeorgeBMac
  • Reply 6 of 12
    racerhomie3racerhomie3 Posts: 1,014member
    chasm said:
    genovelle said:
    This sounds like they were trying way to hard to make it easy. The FCC will have a field day with this one.
    This corrupt FCC we have now? They’ll do nothing and say nothing about this.
    This administration is not when corruption in the FCC began. It was corrupt before too.
    cornchip
  • Reply 7 of 12
    GeorgeBMacGeorgeBMac Posts: 4,134member
    chasm said:
    genovelle said:
    This sounds like they were trying way to hard to make it easy. The FCC will have a field day with this one.
    This corrupt FCC we have now? They’ll do nothing and say nothing about this.
    This administration is not when corruption in the FCC began. It was corrupt before too.
    Uhh, well, no....
    The current administration is well known for putting industry sycophants intent on gutting regulations in agencies designed to regulate.
    muthuk_vanalingamMplsPbaconstang
  • Reply 8 of 12
    MacProMacPro Posts: 18,142member
    Sounds like something Comcast technicians would be able to cope with.
    MplsP
  • Reply 9 of 12
    hexclockhexclock Posts: 546member
    So they forged a Samsung Pay account to buy a Mac. That’s pretty funny. 
    gilly33
  • Reply 10 of 12
    That's Comcastic!
  • Reply 11 of 12
    chasm said:
    genovelle said:
    This sounds like they were trying way to hard to make it easy. The FCC will have a field day with this one.
    This corrupt FCC we have now? They’ll do nothing and say nothing about this.
    This administration is not when corruption in the FCC began. It was corrupt before too.

    That's not an excuse nor is it even remotely footed in reality.  The FCC under Pai is so capricious in its rulings favoring big telco and cable that it doesn't even bother with trying to disguise what it is doing.


    GeorgeBMacbaconstang
Sign In or Register to comment.