Xfinity Mobile is an MVNO carrier that runs on both Verizon’s LTE networks and seamlessly connects to Xfinity Wi-Fi hotspots around the US when in range. The network has some customers left stranded with their phone numbers stolen by attackers who then used the numbers to commit identity fraud.
The issue stemmed from Xfinity Mobile irresponsibly setting account PIN numbers to a default “0000”. In the US, this PIN is given to a new phone company along with basic account information in order to permanently transfer the number to a new provider.
We’re aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many” – Comcast spokesperson
With a PIN this simple, a hacker was able to load Samsung Pay onto a new account on a new network using the victim’s phone number, then use the victim’s credit card to buy a computer at an Apple Store in Atlanta. This was part of a letter written to The Washington Post telling a “tech horror story”.
The Washington Post reached out to Xfinity Mobile who said that the carrier was already “working aggressively towards a PIN-based solution” and would be reaching out to these customers on a case-by-case basis.
The hacker was able to get more information from other non-Comcast related password breaches to orchestrate the attack. With all the right pieces, including a leaked password, a hacker can do a lot of damage. This is why it is important to change passwords regularly or use two-step verification.
Of course, two-step verification won’t stop someone from porting a number out if the attacker has the correct information. One user on an Xfinity forum said the network told him to file a police report but Xfinity couldn’t help him get his number back since the provider has no control over the number once its properly ported out.
If you have Xfinity Mobile, check with the provider to make sure your account and phone numbers are secure.