A poor security decision on Comcast's mobile phone service has made it easier for attackers to port victims' cell phone numbers to other carriers.
Comcast launched Xfinity Mobile in 2017, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers, but took a shortcut in the system that lets users move their numbers from Comcast to other carriers.
To port a Comcast phone number to another mobile carrier, a customer must know their Comcast mobile account number. Carriers typically also use a PIN to verify that the customer requesting the port is actually the account holder. Comcast, however, apparently set the PIN to 0000 for all of its customers, and there was apparently no way for customers to change it. As a result, an attacker who obtained a victim's Comcast account number could easily port the victim's phone number to another carrier.
Comcast told Ars that "less than 30" customers were affected by the problem, that it had put a temporary fix in place, and that the company would eventually deploy a real PIN-based system to better protect its customers. But Comcast declined to describe the temporary fix in any way, saying that the information could help attackers. Comcast also did not say when its new PIN-based system would be ready.
A customer's number was hijacked
The problem was detailed yesterday in a Washington Post column that deals with technology problems reported by readers. The Post's Geoffrey Fowler reported:
"It's a security hole big enough to get a truck through," wrote reader Larry Whitted in Lodi, CA, last week.
As a customer of Comcast's Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, transfer it to a new account on another network and commit identity fraud. The fraudster added Whitted's credit card to Samsung Pay on the new phone and went to an Apple Store in Atlanta to buy a computer, he said.
The heart of the matter: Comcast does not protect mobile accounts with a unique PIN. (Comcast's help site suggests that this simplifies things: "We do not need to create an account PIN, so you do not need to provide this information to your new provider.") The PIN is … 0000.
That Comcast help page was changed this week to remove any reference to the account PIN. The page now says: "When you contact your new provider to transfer your number, they will want to know your current address and your Xfinity Mobile account number."
Account numbers are password protected
Because of the 0000 PIN, obtaining the victim's Xfinity Mobile account number was the main obstacle for attackers. A Comcast spokesperson told Ars that the account number is available only by logging into the Xfinity Mobile web portal, and is therefore protected by the Comcast user's password. Comcast told Ars that it does not send paper bills and does not include the account number in e-mails to customers, removing two ways for attackers to obtain the account number.
Comcast said the number-porting attack only affected customers who reused passwords across multiple sites.
"We believe that this only applies to customers whose passwords may have been included in previous non-Comcast breaches. We recommend that customers use strong, unique passwords. Customers can further protect their Xfinity account by signing up for two-factor authentication," Comcast said in a statement provided to Ars.
Comcast's statement also said that "fraudulent transfer of mobile phone numbers is a well-known industry problem and is not unique to Xfinity Mobile." But Comcast could have reduced the risk of attack, even for people using weak account passwords, by requiring customers to choose a unique PIN when signing up for the mobile service.
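To make the point concrete, the following is an added illustration (not Comcast's, Verizon's or any carrier's actual code) of the two port-out authorization models described above: one where every account shares the universal PIN 0000, so knowing the account number alone is enough, and one where each customer must set their own PIN, which is stored as a salted hash, compared in constant time, and locked out after repeated failures. All account numbers, addresses and PINs in it are constructed sample values, and the attempt limit is an assumption.

```python
"""Port-out authorization: universal default PIN versus per-account PIN.

Added illustration, not any carrier's real code. Account numbers, addresses
and PINs are constructed sample values.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

DEFAULT_PIN = "0000"  # the universal value the article describes


@dataclass
class Account:
    account_number: str
    address: str
    pin_salt: bytes = b""
    pin_hash: bytes = b""   # empty until the customer sets a PIN
    failed_attempts: int = 0


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked database does not reveal PINs directly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def set_port_out_pin(acct: Account, pin: str) -> None:
    """Customer-chosen PIN; rejects the universal default and repeated digits."""
    if not (pin.isdigit() and 4 <= len(pin) <= 8):
        raise ValueError("PIN must be 4 to 8 digits")
    if pin == DEFAULT_PIN or len(set(pin)) == 1:
        raise ValueError("PIN must not be the default or a single repeated digit")
    acct.pin_salt = os.urandom(16)
    acct.pin_hash = _hash_pin(pin, acct.pin_salt)
    acct.failed_attempts = 0


def weak_authorize_port_out(accounts: dict, account_number: str, pin: str) -> bool:
    """Vulnerable model: every account shares PIN 0000, so the account number
    is the only secret the requesting carrier effectively checks."""
    return account_number in accounts and pin == DEFAULT_PIN


def authorize_port_out(accounts: dict, account_number: str, pin: str,
                       max_attempts: int = 5) -> bool:
    """Hardened model: per-account, customer-set PIN with lockout.

    max_attempts is an assumed policy value, not one from the article.
    """
    acct = accounts.get(account_number)
    if acct is None:
        return False
    if not acct.pin_hash:
        # No PIN set yet: refuse rather than fall back to a default value.
        return False
    if acct.failed_attempts >= max_attempts:
        # Locked; the customer must be verified out of band before retrying.
        return False
    ok = hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash)
    if ok:
        acct.failed_attempts = 0
    else:
        acct.failed_attempts += 1
    return ok


if __name__ == "__main__":
    # Constructed sample data.
    accounts = {"8495-0001": Account("8495-0001", "1 Example St")}
    print("weak model, default PIN:", weak_authorize_port_out(accounts, "8495-0001", "0000"))
    print("hardened, no PIN set:   ", authorize_port_out(accounts, "8495-0001", "0000"))
    set_port_out_pin(accounts["8495-0001"], "731946")
    print("hardened, correct PIN:  ", authorize_port_out(accounts, "8495-0001", "731946"))
    print("hardened, default PIN:  ", authorize_port_out(accounts, "8495-0001", "0000"))
```

The design point is that the hardened check never has a "default" path: an account with no customer-set PIN cannot be ported at all, so a leaked account number, or a reused password that exposes it, is no longer sufficient on its own.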
Here's what Comcast said about the changes made and coming:
We have also implemented a solution that provides additional safeguards around our porting process, and we are working hard on a PIN-based solution. We apologize to the customers affected and are working with them to resolve the problem. We take this very seriously, and our methods, policies and procedures for fraud detection and prevention are continually reviewed, tested and refined.
What are the additional safeguards already added to Comcast's porting process? A Comcast spokesperson declined to tell Ars, saying the company did not want to provide potentially useful information to criminals. Similarly, Comcast gave no details on the timing or nature of its planned PIN-based system.
Another customer horror story
Comcast said it had already implemented its interim fix shortly before hearing from the Post. The problem had already been described on February 24 by a customer posting on the Xfinity community forum under the username jim5359.
"Someone ported my Xfinity Mobile number without my permission. They then used my phone number to change the passwords on my PayPal account and other accounts," jim5359 wrote on the customer forum. "I spent 2 hours on the phone with a nice Xfinity Mobile agent who really wanted to help me. She told me that I had to file a police report so they could get my number back, and that the number would be returned within 72 hours. But 72 hours later the number had not been transferred, so I called again. I am now told that there is no way to recover the number because the person transferred the number to Simple Mobile and put a PIN on it, so there is no way to transfer the number away from Simple Mobile without this PIN, even with a police report."
"Exactly the same thing happened to me," another customer wrote on the forum.
Jim5359 asked the Comcast representative why there was no PIN to prevent unauthorized number porting.
"I was told that Xfinity Mobile does not allow adding a PIN to your number and that the PIN is 0000 for all numbers," jim5359 wrote. "So anyone with your personal information can transfer your phone number out of Xfinity Mobile without your permission and without having to provide a PIN." "I was told that I could get a new phone number with Xfinity Mobile, but why should I do that if someone obviously has my personal information and is obviously aware of this security vulnerability with Xfinity Mobile numbers?"
Jim5359 did not know how the attacker got the account password. "I've since changed my password and added two-factor authentication, but all other mobile phone companies have the added security of a PIN to prevent unauthorized transfers," jim5359 wrote.