“‘This is a security hole large enough to drive a truck through,’ reader Larry Whitted in Lodi, Calif., wrote last week,” Geoffrey A. Fowler reports for The Washington Post. “As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card — and went to the Apple Store in Atlanta and bought a computer, he said.”
MacDailyNews Take: Using Samsung Pay to buy a Mac in an Apple Store should have been enough of a red flag!
“The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN,” Fowler reports. “The default it uses instead is… 0000.”
“Closely guarding your telephone account is becoming increasingly important for security. All kinds of online and financial services use text messages and calls to a phone number to verify identity, or as a second factor in addition to passwords. Other Xfinity Mobile customers have also reported having their numbers hijacked. After I contacted Comcast, it said it was making a fix,” Fowler reports. “New measures that make it harder to steal phone numbers took effect shortly before I published this column. Comcast said it is also ‘working aggressively towards a PIN-based solution.'”
Read more in the full article here.
MacDailyNews Take: Comcast’s Xfinity Mobile phone service was using 0000 as the default PIN? Jeez Louise!
Does Apple accept Samsung pay in Apple stores? This seems off to me. Bestbuy I’d believe.
Samsung Pay works on most terminals. Even magnetic stipe readers.
Thats why I will never use anything but Apple Pay – you could not just set up a new phone cloned with apple pay active.
Wow. This is how people’s really well protected accounts are getting hacked. Call the cell company, say you are activating a new phone you bought used. Give excuses why you don’t have the pin and many customer service agents give in. Activate phone.
Once working, then proceed to change passwords on other accounts that use 2 factor authentication and receive the texts to confirm your identity. Not cool.
I am glad I didn’t hear this last week I had a message to my iPhone from an online betting site seeking account activation. Had 3 days of concern checking all my accounts and contacting said company who wanted all manner of information which I refused to give, thankfully to find it was as I thought most likely there was no hacked access to my phone account just an idiot keying in the wrong number. easy to get paranoid mind and If I had read this beforehand I would have double panicked, confirming the possibility I most feared, at least if my own mobile provider is as stupid as Comcast anyway.
Knowing Comcast they’ll fix this fast by change the code to 1234.