In what appears to be a heinous oversight, Comcast set the default PIN code for all Xfinity Mobile customer accounts to “0000,” opening the door to phone number hijacking and, in some cases, identity theft.
An Xfinity Mobile customer from California detailed the snafu in a letter to The Washington Post columnist Geoffrey A. Fowler.
According to Larry Whitted, an unknown third party used the unimaginative PIN to steal his phone number, port it to another carrier and commit identity fraud, the report said. Along with ownership of the Xfinity Mobile phone number, the nefarious actor gained access to Whitted’s credit card by provisioning Samsung Pay on a new phone, then used the information to buy a Mac at an Atlanta Apple Store.
The problem stems from Comcast’s account management policies, seemingly created to streamline the setup and porting process. A help page covering number transfers from Xfinity Mobile to another carrier reads, “We don’t require you to create an account PIN, so you don’t need to provide that information to your new carrier.” Rather than leaving the PIN unset, however, Comcast applied its own default of “0000” to every account, so a port-out request needed nothing more than the target’s phone number and that well-known value.
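The policy described above is a default-credential failure: a secret the customer never chose, shared across every account, standing in for a port-out PIN. The following is an added example, not Comcast’s or any carrier’s code, showing the weak behaviour beside a corrected port-out check that refuses to proceed unless the customer has set a PIN that is not the default or a trivially guessable pattern. The account record, the phone number and the PIN values are constructed for illustration; the `CARRIER_DEFAULT_PIN` constant models the “0000” default reported in the article.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical carrier-wide default, modelling the "0000" value the article describes.
CARRIER_DEFAULT_PIN = "0000"
MIN_PIN_LENGTH = 4
MAX_PIN_LENGTH = 8


@dataclass
class Account:
    number: str                 # constructed sample value, not a real subscriber
    pin: Optional[str]          # None when the customer never chose a PIN
    customer_set_pin: bool      # True only if the customer set the value themselves


def pin_weaknesses(pin: str) -> List[str]:
    """Return the reasons a PIN is unacceptable; an empty list means it passes."""
    problems: List[str] = []
    if not pin or not pin.isdigit():
        return ["must consist of digits only"]
    if not MIN_PIN_LENGTH <= len(pin) <= MAX_PIN_LENGTH:
        problems.append(f"length must be {MIN_PIN_LENGTH}-{MAX_PIN_LENGTH} digits")
    if hmac.compare_digest(pin, CARRIER_DEFAULT_PIN):
        problems.append("carrier default")
    if len(set(pin)) == 1:
        problems.append("repeated digit")
    # Flag runs such as 1234 or 9876: every step between adjacent digits is +1 or -1.
    steps = [int(b) - int(a) for a, b in zip(pin, pin[1:])]
    if steps and all(s == steps[0] for s in steps) and steps[0] in (1, -1):
        problems.append("sequential digits")
    return problems


def weak_policy_port_out(account: Account, supplied_pin: str) -> bool:
    """The flawed behaviour for contrast: an account whose customer never set a
    PIN silently accepts the carrier default, so knowing the number is enough."""
    effective = account.pin if account.customer_set_pin and account.pin else CARRIER_DEFAULT_PIN
    return hmac.compare_digest(effective.encode(), supplied_pin.encode())


def authorize_port_out(account: Account, supplied_pin: str) -> Tuple[bool, str]:
    """Corrected check: port only when a customer-chosen, non-weak PIN is on file
    and the supplied value matches it (constant-time comparison)."""
    if not account.customer_set_pin or not account.pin:
        return False, "no customer-set port-out PIN on file"
    problems = pin_weaknesses(account.pin)
    if problems:
        return False, "PIN on file is weak: " + ", ".join(problems)
    if not hmac.compare_digest(account.pin.encode(), supplied_pin.encode()):
        return False, "PIN mismatch"
    return True, "authorized"


if __name__ == "__main__":
    # Constructed sample accounts; the numbers are reserved fictional values.
    never_set = Account("+14155550100", None, False)
    chose_default = Account("+14155550101", "0000", True)
    chose_good = Account("+14155550102", "7293", True)

    print("weak policy, attacker guesses 0000:", weak_policy_port_out(never_set, "0000"))
    print("corrected, no PIN set:", authorize_port_out(never_set, "0000"))
    print("corrected, customer picked 0000:", authorize_port_out(chose_default, "0000"))
    print("corrected, right PIN:", authorize_port_out(chose_good, "7293"))
    print("corrected, wrong PIN:", authorize_port_out(chose_good, "0000"))
```

Under the weak policy the attacker in the article needs only the phone number; under the corrected check the same request fails closed, and an account that still carries the default is forced through a PIN change before any port-out is honoured.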
Armed with a phone number, criminals can ferret out more sensitive data from unwitting customer representatives or automated services, and once the number has been ported they also receive any one-time codes that banks and other services send by text message, which is how a port-out escalates into account takeover. Whitted’s plight is echoed on Xfinity Mobile’s forums, which list similar incidents from a number of other customers.
“We’re aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many,” a Comcast representative told The Washington Post, adding that the company is “working aggressively towards a PIN-based solution.”
Comcast has since implemented countermeasures to block further abuse of the default “0000” PIN, the report said.
Launched in 2017, Xfinity Mobile is a mobile virtual network operator that relies on Verizon’s network for base cellular service. The MVNO extends its footprint with Wi-Fi hotspots, to which customers can connect to reduce cellular data charges.