“‘This is a security hole large enough to drive a truck through,’ reader Larry Whitted in Lodi, Calif., wrote last week,” Geoffrey A. Fowler reports for The Washington Post. “As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card — and went to the Apple Store in Atlanta and bought a computer, he said.”
MacDailyNews Take: Using Samsung Pay to buy a Mac in an Apple Store should have been enough of a red flag!
“The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN,” Fowler reports. “The default it uses instead is… 0000.”
“Closely guarding your telephone account is becoming increasingly important for security. All kinds of online and financial services use text messages and calls to a phone number to verify identity, or as a second factor in addition to passwords. Other Xfinity Mobile customers have also reported having their numbers hijacked. After I contacted Comcast, it said it was making a fix,” Fowler reports. “New measures that make it harder to steal phone numbers took effect shortly before I published this column. Comcast said it is also ‘working aggressively towards a PIN-based solution.’”
MacDailyNews Take: Comcast’s Xfinity Mobile phone service was using 0000 as the default PIN? Jeez Louise!