There are easy-to-guess PINs and then there are easy-to-guess PINs. Comcast set the default PIN code for all Xfinity Mobile customer accounts to “0000.” That’s making it easy for thieves to hijack customers’ phone numbers and, in at least one case, enabling the fraudulent purchase of a Mac.
An Xfinity Mobile customer from California detailed the snafu in a letter to The Washington Post columnist Geoffrey A. Fowler.
According to Larry Whitted, an unknown third party used the unimaginative PIN to steal his phone number, port it to another carrier and commit identity fraud, the report said. Along with ownership of the Xfinity Mobile phone number, the nefarious actor gained access to Whitted’s credit card by provisioning Samsung Pay on a new phone, then used the information to buy a Mac at an Atlanta Apple Store.
Comcast’s account management policies, which were apparently designed to make account setup and number porting as easy as possible, seem to be the problem. Those policies let criminals pry information out of unwitting Comcast customer representatives or automated services. Xfinity Mobile’s forums list similar incidents from numerous customers.
“We’re aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many,” a Comcast representative told The Washington Post. The company representative added that Comcast is “working aggressively towards a PIN-based solution.”
Comcast has reportedly implemented countermeasures to stop any further issues with the “0000” PIN code.