
Comcast's Xfinity Mobile simplifies phone number theft with default '0000' PIN

In what appears to be a heinous oversight, Comcast set the default PIN code for all Xfinity Mobile customer accounts to "0000," opening the door to phone number hijacking and, in some cases, identity theft.

An Xfinity Mobile customer from California detailed the snafu in a letter to The Washington Post columnist Geoffrey A. Fowler.

According to Larry Whitted, an unknown third party used the unimaginative PIN to steal his phone number, port it to another carrier and commit identity fraud, the report said. Along with ownership of the Xfinity Mobile phone number, the nefarious actor gained access to Whitted's credit card by provisioning Samsung Pay on a new phone, then used the information to buy a Mac at an Atlanta Apple Store.

The problem stems from Comcast's account management policies, seemingly created to streamline the setup and porting process. A help page covering number transfers from Xfinity Mobile to another carrier reads, "We don't require you to create an account PIN, so you don't need to provide that information to your new carrier." As noted above, Comcast selected its own default PIN.

Armed with a phone number, criminals can ferret out more sensitive data from unwitting customer service representatives or automated services. Whitted's plight is echoed on Xfinity Mobile's forums, which list similar incidents from a number of other customers.

"We're aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many," a Comcast representative told The Washington Post, adding that the company is "working aggressively towards a PIN-based solution."

Comcast implemented countermeasures to thwart further abuse of the "0000" PIN code blunder, the report said.
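The mechanism the article describes, a carrier-wide default PIN that every port-out request can satisfy, and the "PIN-based solution" Comcast says it is working toward, can be made concrete in a small model. The following is an added example written for this page; it is not code from the article, from Comcast or from Xfinity Mobile. The account structure, the weak-PIN denylist, the three-attempt lockout, the PBKDF2 hashing and the `authorize_port_out` flow are all assumptions made here for illustration. The point is the contrast: with the default-PIN policy, knowing the phone number is enough, because the PIN check passes for every account; with the hardened policy, a port-out is refused until the customer has set a PIN, default and weak PINs are rejected at set time, and repeated failures lock the account.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Constructed values for the example: the carrier-wide default the article
# describes, and a small denylist of PINs no customer should be allowed to pick.
DEFAULT_PIN = "0000"
WEAK_PINS = {"0000", "1111", "1234", "0123", "9999"}
MAX_ATTEMPTS = 3          # assumed lockout threshold, not a Comcast setting
PBKDF2_ROUNDS = 100_000   # assumed work factor for hashing the PIN


@dataclass
class Account:
    """Minimal stand-in for a carrier account record (assumed shape)."""
    number: str
    pin_hash: Optional[bytes] = None
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    pin_set_by_customer: bool = False
    failed_attempts: int = 0
    locked: bool = False


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the stored value is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def provision_with_default(number: str) -> Account:
    """The weak policy: every new account starts with the same shared PIN."""
    acct = Account(number)
    acct.pin_hash = hash_pin(DEFAULT_PIN, acct.salt)
    return acct


def set_customer_pin(acct: Account, pin: str) -> None:
    """Customer-chosen PIN; rejects the default and other easily guessed values."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4 to 8 digits")
    if pin in WEAK_PINS:
        raise ValueError("PIN is on the weak-PIN denylist")
    acct.salt = secrets.token_bytes(16)
    acct.pin_hash = hash_pin(pin, acct.salt)
    acct.pin_set_by_customer = True
    acct.failed_attempts = 0


def authorize_port_out(acct: Account, pin: str,
                       require_customer_pin: bool = True) -> Tuple[bool, str]:
    """Decide whether a port-out request carrying `pin` is authorized.

    require_customer_pin=False models the policy the article describes: the
    default PIN is accepted as proof of ownership.  With the flag True, a port-out
    is refused until the customer has chosen a PIN, and repeated failures lock
    the account so the PIN cannot simply be guessed.
    """
    if acct.locked:
        return (False, "locked")
    if require_customer_pin and not acct.pin_set_by_customer:
        return (False, "pin-not-set")
    if hmac.compare_digest(hash_pin(pin, acct.salt), acct.pin_hash):
        acct.failed_attempts = 0
        return (True, "ok")
    acct.failed_attempts += 1
    if acct.failed_attempts >= MAX_ATTEMPTS:
        acct.locked = True
    return (False, "bad-pin")


if __name__ == "__main__":
    weak = provision_with_default("555-0100")      # constructed number
    print("default-PIN policy:", authorize_port_out(weak, DEFAULT_PIN,
                                                    require_customer_pin=False))
    hardened = provision_with_default("555-0101")  # constructed number
    print("hardened, no PIN set:", authorize_port_out(hardened, DEFAULT_PIN))
    set_customer_pin(hardened, "7391")
    print("hardened, wrong PIN:", authorize_port_out(hardened, DEFAULT_PIN))
    print("hardened, right PIN:", authorize_port_out(hardened, "7391"))
```

The `require_customer_pin` flag is the whole difference between the two outcomes in the article: under the default policy the PIN conveys no information about who is asking, because it is the same for everyone, so the check is equivalent to no check at all. Hashing and constant-time comparison are included because a real port-out endpoint should treat the PIN as a credential, but they do nothing for an account whose PIN is publicly known.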

Launched in 2017, Xfinity Mobile is a mobile virtual network operator that relies on Verizon's backbone for base cellular service. The MVNO extends its footprint by tapping into Wi-Fi hotspots, to which users can connect for potentially cheaper fees.

12 Comments

genovelle 16 Years · 1481 comments

This sounds like they were trying way too hard to make it easy. The FCC will have a field day with this one. Telecom is heavily regulated and PINs are required, which is why they were forced to create one. I'm surprised Verizon did not explain this to them.

linkman 11 Years · 1041 comments

IIRC it's not nearly that easy to set up Apple Pay on a new iPhone -- at least with the two bank/credit card accounts that I use. Samsung seems to care much less about security and more about selling phones that can't be upgraded after about one year.

dysamoria 12 Years · 3430 comments

genovelle said:
This sounds like they were trying way too hard to make it easy. The FCC will have a field day with this one. Telecom is heavily regulated and PINs are required, which is why they were forced to create one. I'm surprised Verizon did not explain this to them.

Heavily regulated? How do you define that?

rivertrip 15 Years · 145 comments

How did the thief get the credit card number, the CVC code, and the Samsung Pay Pin?

chasm 10 Years · 3629 comments

genovelle said:
This sounds like they were trying way to hard to make it easy. The FCC will have a field day with this one.

This corrupt FCC we have now? They’ll do nothing and say nothing about this.