A bad security decision by Comcast on the company's mobile phone service made it easier for attackers to port victims' cell phone numbers to different carriers.
Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took a shortcut in the system that lets users switch from Comcast to other carriers.
To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally use PINs to verify that a customer seeking to port a number actually owns the number. But Comcast reportedly set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. That means that an attacker who acquired a victim's Comcast account number could easily port the victim's phone number to another carrier.
Comcast told Ars that "less than 30" customers were affected by the problem, that it has implemented a fix, and that the company will eventually roll out a real PIN-based system to further protect customers. But Comcast declined to describe the recent fix in any way, saying that information could help attackers. Comcast also did not say when its new PIN-based system will be ready.
Customer had number hijacked
The problem was detailed yesterday in a Washington Post column that addressed tech problems reported by readers. The Post's Geoffrey Fowler reported:
"This is a security hole large enough to drive a truck through," reader Larry Whitted in Lodi, Calif., wrote last week.
As a customer of Comcast's Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted's credit card—and went to the Apple Store in Atlanta and bought a computer, he said.
The core of the problem: Comcast doesn't protect its mobile accounts with a unique PIN. (Comcast's help site for switching carriers suggests this is to make things easier: "We don't require you to create an account PIN, so you don't need to provide that information to your new carrier.") The default it uses instead is.... 0000.
That Comcast help page was edited this week to remove any references to the account PIN. The page says, "When you contact your new carrier to transfer your number, they will want your current address and Xfinity Mobile account number."
Account numbers are protected by password
Because of that 0000 PIN, getting a victim's Xfinity Mobile account number was the main obstacle for attackers. A Comcast spokesperson told Ars that this account number is available only by logging into the Xfinity Mobile Web portal and is therefore protected by a Comcast's user's password. Comcast told Ars that it does not send out paper bills for Xfinity Mobile and does not include that account number in emails to customers, cutting off two potential ways that attackers could get the account number.
Comcast indicated that the number-porting attack affected only customers who reused passwords across multiple sites.
"We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches. We recommend that customers use unique, strong passwords. In addition, customers can further protect their Xfinity account by signing up for multi-factor authentication," Comcast said in a statement provided to Ars.
Comcast's statement also said that "the fraudulent porting of mobile numbers is a well-known industry issue and not unique to Xfinity Mobile." But Comcast could have minimized the risk of attack, even for people using weak account passwords, by requiring customers to choose a unique PIN when signing up for mobile service.
Here's what Comcast said about changes it's made and will make:
We have also implemented a solution that provides additional safeguards around our porting process, and we’re working aggressively towards a PIN-based solution. We are reaching out to impacted customers to apologize and work with them to address the issue. We take this very seriously, and our fraud detection and prevention methods, policies and procedures are continually being reviewed, tested and refined.
What are the "additional safeguards" already implemented in Comcast's porting process? A Comcast spokesperson declined to tell Ars, saying the company doesn't want to provide potentially helpful information to criminals. Similarly, Comcast provided no details on the timing and nature of its planned PIN-based system.
Another customer horror story
Comcast did say that it had already implemented its "additional safeguards" shortly before hearing from the Post. The problem was previously described on February 24 by a customer posting on the Xfinity community forum under the username jim5359.
"Someone ported my Xfinity Mobile number without my authorization. They then used my mobile number to change passwords on my PayPal and other accounts," jim5359 wrote on the customer forum. "I spent 2 hours on the phone with a nice Xfinity Mobile agent who really wanted to help me. She told me I needed to file a police report in order for them to get my number ported back, which I did. I was told the number would be ported back within 72 hours. 72 hours passed and the number was not ported, so I called again. Now I'm told there is no way to get the number ported back because the person transferred the number to Simple Mobile and put a PIN on the number. So there is no way to port the number out of Simple Mobile without that PIN, even with a police report."
"The exact same thing happened to me," another customer wrote in the forum.
Jim5359 had asked the Comcast customer rep why there wasn't a PIN to prevent the unauthorized number port.
"I was told that Xfinity Mobile does not allow adding a PIN to your number and the PIN is 0000 for all numbers," jim5359 wrote. "So essentially, anyone who has your personal information can transfer your phone number out of Xfinity Mobile without your permission and without having to provide a PIN. I was told I could get a new phone number with Xfinity Mobile, but why would I do that if someone obviously has my personal information and obviously knows about this security flaw with Xfinity Mobile numbers?"
Jim5359 didn't know how the attacker got the account password. "I've since changed my password and added 2-factor authentication. But every other mobile company has the added security of a PIN to prevent unauthorized porting," jim5359 wrote.