Comcast Sets Default Xfinity Mobile PIN to 0000 and Fraudsters Jump for Joy

According to the Washington Post, Comcast extolled the advantages of setting the default PIN on Xfinity Mobile phone service accounts to 0000 as a convenience for its customers. “Comcast’s help site for switching carriers suggests this is to make things easier: ‘We don’t require you to create an account PIN, so you don’t need to provide that information to your new carrier.’” Comcast’s policy, combined with account credentials leaked in earlier, non-Comcast data breaches, made life much easier for hackers and identity thieves: with the PIN known to everyone, the only thing standing between an attacker and a port-out was information many customers had already lost elsewhere.

Xfinity Mobile customer Larry Whitted detailed his experience of someone hijacking his phone number, porting it to a new account on another network, and committing identity fraud. The thief set up Samsung Pay on the new account, loaded Whitted’s credit card into it, and used it to buy a computer from an Apple Store. Other Xfinity Mobile customers have reported the same issues. Comcast says it is working on a PIN-based solution.



After I contacted Comcast, it said it was making a fix. “We’re aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many,” a spokeswoman said in a statement. New measures that make it harder to steal phone numbers took effect shortly before I published this column. Comcast said it is also “working aggressively towards a PIN-based solution.” Comcast said a fraudster still needs several pieces of customer information to port a number, including the obscure Xfinity Mobile account number that it usually requires a password to access. “We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches,” the spokeswoman said.


Source: [H]ardOCP – Comcast Sets Default Xfinity Mobile PIN to 0000 and Fraudsters Jump for Joy