Comcast set mobile pins to “0000,” helping attackers steal phone numbers

A smartphone connected to the Xfinity Mobile service.

Enlarge / A smartphone connected to the Xfinity Mobile service. (credit: Comcast)

A bad security decision by Comcast on the company’s mobile phone service made it easier for attackers to port victims’ cell phone numbers to different carriers.

Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took a shortcut in the system that lets users switch from Comcast to other carriers.

To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally use PINs to verify that a customer seeking to port a number actually owns the number. But Comcast reportedly set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. That means that an attacker who acquired a victim’s Comcast account number could easily port the victim’s phone number to another carrier.

Read 15 remaining paragraphs | Comments

Biz & IT – Ars Technica