Comcast security nightmare: default ‘0000’ PIN on everybody’s account

In 2017, Comcast launched Xfinity Mobile: a wireless service that runs on Verizon wireless and Comcast’s own Wi-Fi hotspots.

To make it easy for customers to port their existing phone numbers over from other carriers, the company used a shortcut: no PINs needed. Oh, except for one default PIN of “0000,” that is, which made it super easy for crooks to hijack people’s phone numbers.

The glaring security gaffe came to light after multiple customers reported that their numbers had been ported without authorization, that the hijackers had switched the numbers to their own accounts, and that the crooks then carried out identity theft.

One of the ripped-off customers wrote to a Washington Post columnist who addresses readers’ tech problems. From the column, which appeared on Thursday:

‘This is a security hole large enough to drive a truck through,’ reader Larry Whitted in Lodi, Calif., wrote last week.

As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card – and went to the Apple Store in Atlanta and bought a computer, he said.

The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN. (Comcast’s help site for switching carriers suggests this is to make things easier: ‘We don’t require you to create an account PIN, so you don’t need to provide that information to your new carrier.’) The default it uses instead is… 0000.

To port your phone number, you need two things: your Comcast mobile account number, and a PIN that should, in theory, verify that it’s really you, the legitimate account holder, looking to port your own number. Comcast apparently sought to make it easier for customers by appearing to make the process PIN-less. But it didn’t make the PIN go away: reportedly, it just set a default PIN of 0000 for all customers … a PIN that customers couldn’t change.

All an attacker had to do was get hold of a victim’s account number, plus what Xfinity calls several other pieces of “obscure information”, then plug in those four zeroes, and presto! Stolen account, ported to another carrier.
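The porting check described above, as an added illustration (not Comcast’s or Xfinity’s code): the shared, unchangeable default-PIN design beside a hardened version in which the customer sets a PIN at sign-up, it is stored as a salted hash, weak or default values are refused, and an account with no PIN set cannot be ported. The account number, the weak-PIN list and the account store are constructed for the example.

```python
"""Port-out authorization: the default-PIN design beside a hardened one.

Added example, not carrier code. The account number, the weak-PIN
denylist and the in-memory account store are constructed.
"""
import hashlib
import hmac
import os

DEFAULT_PIN = "0000"                                  # carrier-wide default from the article
KNOWN_WEAK_PINS = {"0000", "1234", "1111", "0123"}     # constructed denylist

# Constructed account store: account number -> record (no PIN set yet)
ACCOUNTS = {
    "XM-100200300": {"pin_hash": None, "salt": None, "port_attempts": 0},
}


def authorize_port_weak(account_number: str, pin: str) -> bool:
    """Vulnerable design: every account shares one PIN nobody can change,
    so the account number alone is the whole secret."""
    return account_number in ACCOUNTS and pin == DEFAULT_PIN


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_port_pin(account_number: str, pin: str) -> None:
    """Customer chooses a PIN; default, denylisted and single-digit values are refused."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4 to 8 digits")
    if pin in KNOWN_WEAK_PINS or len(set(pin)) == 1:
        raise ValueError("PIN too weak")
    salt = os.urandom(16)
    ACCOUNTS[account_number].update(pin_hash=_hash_pin(pin, salt), salt=salt)


def authorize_port_hardened(account_number: str, pin: str) -> bool:
    """Hardened design: no PIN on file means no port-out, the comparison is
    constant-time, and the account locks after three failed attempts."""
    rec = ACCOUNTS.get(account_number)
    if rec is None or rec["pin_hash"] is None or rec["port_attempts"] >= 3:
        return False
    ok = hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"])
    rec["port_attempts"] = 0 if ok else rec["port_attempts"] + 1
    return ok
```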

Last week, Comcast edited its help page to get rid of references to the account PIN.

What it says now:

When you contact your new carrier to transfer your number, they will want your current address and Xfinity Mobile account number

Password reuse again rears its ugly head

Comcast told Ars Technica that fewer than 30 customers were affected by the security snafu, and that it only hit customers who reused passwords across multiple sites.

From its statement:

We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches. We recommend that customers use unique, strong passwords. In addition, customers can further protect their Xfinity account by signing up for multi-factor authentication.

Comcast referred to the fraudulent porting of mobile numbers as being “a well-known industry issue and not unique to Xfinity Mobile.” At Naked Security, we’ve covered the issue of phone hijacking, but more along the lines of fraudulent SIM (subscriber identity module) swaps rather than default 0000 PINs. In SIM swaps, crooks talk a mobile phone shop into re-issuing someone else’s SIM, perhaps by using fake ID, by guessing at security questions, or by colluding with a corrupt employee.

In SIM swaps, the fraudsters drain victims’ bank accounts by taking over their mobile phones, then intercepting calls or text messages sent by their banks.

The end result is the same for the Comcast security snafu as it is for SIM swaps: crooks get new laptops or other loot, while victims are left in the lurch, trying to convince somebody that they’re the real account holder.

Comcast says it’s fixed the problem, though it didn’t give details about how, saying that such information could help attackers. The company said it also plans to offer a real PIN-based system, but it didn’t say when we’ll be seeing it.

More from Comcast’s statement:

We have also implemented a solution that provides additional safeguards around our porting process, and we’re working aggressively towards a PIN-based solution. We are reaching out to impacted customers to apologize and work with them to address the issue. We take this very seriously, and our fraud detection and prevention methods, policies and procedures are continually being reviewed, tested and refined.

We’re glad to hear that Comcast is going to require customers to choose a unique PIN when signing up for service. Of course, it could have/should have done that two years ago when it kicked off Xfinity Mobile… but then it wouldn’t have given news outlets another chance to make fun of Kanye West showing off his password of 000000 in the Oval Office.

How to stop the hijackers

Comcast told the Post that a fraudster still needs several pieces of customer information to port a number, including the obscure Xfinity Mobile account number. To get at that account number, users have to log into the Xfinity Mobile web portal, using their Comcast user password. The company doesn’t send out paper bills for Xfinity Mobile accounts, the company told Ars; nor does it include the account number in emails to customers.

Given that Comcast blamed password reuse for enabling these attacks, it makes sense to use a unique, strong password for your Comcast account, just as for any other account.

Password managers make creating, storing and using a slew of strong passwords much easier. True, there have been issues reported recently about password managers not scrubbing passwords from memory once they’re no longer being used, but we still believe that the advantages outweigh the issues, which will likely be tidied up through updates anyway.

Make sure you also use two-factor authentication (2FA) whenever it’s available. That way, even if someone has your password, they still can’t log in as you.