Comcast said a security hole that allowed an identity thief to steal a California Xfinity Mobile customer’s phone number is being addressed and has only impacted a “very small number” of subscribers.
“We have also implemented a solution that provides additional safeguards around our porting process, and we’re working aggressively towards a PIN-based solution,” Comcast said in a statement, which didn’t outline the safeguard procedures.
“We are reaching out to impacted customers to apologize and work with them to address the issue,” Comcast added. “We take this very seriously, and our fraud detection and prevention methods, policies and procedures are continually being reviewed, tested and refined.”
The issue surfaced last week, when a Lodi, California Xfinity Mobile customer detailed what he called “a security breach large enough to drive a truck through” to the Washington Post.
Wireless carriers typically assign each customer a four-digit personal identification number (PIN), which the customer must supply to authorize moving the phone number to another carrier (a port-out). For convenience, Comcast had assigned every Xfinity Mobile customer the same default PIN, “0000,” which left the port-out check with nothing secret to verify.
Armed with the Lodi customer’s credit card data, an identity thief was also able to steal his phone number using this 0000 code. With that phone number and the credit card info, the thief reportedly created a Samsung Pay account and purchased a computer at an Apple Store in Atlanta.
Comcast reps noted that, in order to steal the phone number, the thief also had to have the customer’s full Xfinity Mobile account number, and that to get that number the thief would have had to log in to Comcast’s password-protected online customer portal.
Comcast blamed the issue on bad password management by the customer.
In the Lodi case, Comcast said the customer used the same password for multiple accounts involving numerous companies.
“We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches. We recommend that customers use unique, strong passwords,” the Comcast statement added.
Comcast also attempted to paint the picture of a broader industry security problem.
“The fraudulent porting of mobile numbers is a well-known industry issue and not unique to Xfinity Mobile,” Comcast also said.
That may be true, but Comcast is once again in crisis communications mode, playing defense on a bad-looking story proliferating across the viral internet. Indeed, with Xfinity Mobile now boasting 1.2 million customers, and many financial institutions using mobile numbers as the linchpin of two-factor authentication (SMS one-time codes go to whoever controls the number), stories about protecting numbers with a default PIN don’t have the best optics.