Slashdot Mirror


Comcast Set Mobile Pins To '0000,' Helping Attackers Steal Phone Numbers (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: A bad security decision by Comcast on the company's mobile phone service made it easier for attackers to port victims' cell phone numbers to different carriers. Comcast in 2017 launched Xfinity Mobile, a cellular service that uses the Verizon Wireless network and Comcast Wi-Fi hotspots. Comcast has signed up 1.2 million mobile subscribers but took a shortcut in the system that lets users switch from Comcast to other carriers. To port a phone line from Comcast to another wireless carrier, a customer needs to know his or her Comcast mobile account number. Carriers generally use PINs to verify that a customer seeking to port a number actually owns the number. But Comcast reportedly set the PIN to 0000 for all its customers, and there was apparently no way for customers to change it. That means that an attacker who acquired a victim's Comcast account number could easily port the victim's phone number to another carrier. Comcast told Ars that "less than 30" customers were affected by the problem, that it has implemented a fix, and that the company will eventually roll out a real PIN-based system to further protect customers. But Comcast declined to describe the recent fix in any way, saying that information could help attackers. Comcast also did not say when its new PIN-based system will be ready. Here's what Comcast had to say about the changes it's made and will make: "We have also implemented a solution that provides additional safeguards around our porting process, and we're working aggressively towards a PIN-based solution. We are reaching out to impacted customers to apologize and work with them to address the issue. We take this very seriously, and our fraud detection and prevention methods, policies and procedures are continually being reviewed, tested and refined."
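The two defects the report describes, a single PIN shared by every account and no way for the customer to change it, are easy to check for and to avoid at provisioning time. The Python below is an added example, not Comcast's code or the Ars article's; the account records, the weak-PIN list and the field names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a legacy port-out PIN store: every account holds the
# same fixed PIN and the customer cannot change it (the situation in the story).
LEGACY_ACCOUNTS = {
    "acct-1001": {"pin": "0000", "customer_changeable": False},
    "acct-1002": {"pin": "0000", "customer_changeable": False},
    "acct-1003": {"pin": "0000", "customer_changeable": False},
}

# Illustrative deny-list of well-known default PINs (assumption, not a standard).
WEAK_PINS = {"0000", "1234", "1111", "2222", "9999"}
PBKDF2_ROUNDS = 100_000


def audit_pins(accounts):
    """Flag the conditions a defender should look for in a PIN store."""
    findings = []
    distinct = {rec["pin"] for rec in accounts.values()}
    if len(accounts) > 1 and len(distinct) == 1:
        findings.append("all accounts share one PIN")
    for acct_id, rec in accounts.items():
        if rec["pin"] in WEAK_PINS:
            findings.append(f"{acct_id}: weak PIN")
        if not rec["customer_changeable"]:
            findings.append(f"{acct_id}: customer cannot change PIN")
    return findings


def provision_pin(account_id, pin_length=4):
    """Issue a random per-account PIN; keep only a salted hash server-side.

    Rejects deny-listed PINs and a PIN equal to the last digits of the
    account number, since that value is not a secret to an attacker who
    already knows the account number.
    """
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(pin_length))
        if pin not in WEAK_PINS and pin != account_id[-pin_length:]:
            break
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)
    return pin, {"salt": salt, "hash": digest, "customer_changeable": True}


def verify_port_out(record, presented_pin):
    """Constant-time check of a presented PIN against the stored hash."""
    digest = hashlib.pbkdf2_hmac("sha256", presented_pin.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, record["hash"])
```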

30 comments

  1. Less than 30 by tysonedwards · · Score: 2

    Why do companies insist on doing this "less than x" thing?

    --
    Thirty four characters live here.
    1. Re: Less than 30 by Anonymous Coward · · Score: 0

      Because it's PR. People are dumb. If you say 29 then somehow that sounds like more than less than 30.

    2. Re:Less than 30 by Anonymous Coward · · Score: 1

      because if they said 29, people would round that up to 'about 50'. then when it gets passed around or spreads again, it'll get rounded to 100.. or 'hundreds', even..

      it could also be that they don't know exactly how many people got their numbers stolen... and also very possible they aren't done counting (and we eventually end up at 'hundreds' anyway).

    3. Re:Less than 30 by Anonymous Coward · · Score: 1

      Less than 30 companies do.

    4. Re:Less than 30 by Mattcelt · · Score: 1

      Because they're as bad at grammar as they are at security.

      It's fewer than 30.

      But it should be fewer than ONE.

  2. The new PIN is the last 4 digits of the account by Anonymous Coward · · Score: 1

    Now everyone has a nice random PIN and is safe.

    1. Re:The new PIN is the last 4 digits of the account by Calydor · · Score: 2

      I'm betting they reversed the bad pin, so instead of 0000 it's now 0000. Attackers would never guess THAT!

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:The new PIN is the last 4 digits of the account by bob4u2c · · Score: 1

      I'm betting it is 1234. Nobody would ever guess THAT!

      It is what I use on my luggage after all.

    3. Re:The new PIN is the last 4 digits of the account by msauve · · Score: 2

      Not quite. They encrypted the PINs by applying high quality base10/ROT10 encryption.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    4. Re:The new PIN is the last 4 digits of the account by CaptainDork · · Score: 1

      They are going to palindromisize it.

      --
      It little behooves the best of us to comment on the rest of us.
    5. Re:The new PIN is the last 4 digits of the account by Anonymous Coward · · Score: 0

      Ah, so it's 0000 backwards too. Unhackable.

    6. Re:The new PIN is the last 4 digits of the account by Anonymous Coward · · Score: 0

      Me too!!

  3. likely didn't set it to 0000 by Anonymous Coward · · Score: 1

    That was probably an empty field in a database that was never set to anything.

  4. lol by Anonymous Coward · · Score: 0

    just like Tesla. They set their profit to $0.

  5. Re: The new PIN is the last 4 digits of the accoun by Anonymous Coward · · Score: 0

    It's ok they're "working aggressively" towards ... Wait aren't PINs like the easiest thing you could possibly implement?

    I hope they don't get a headache thinking about this. Better start with 1-digit PIN and work up to the really big 4-digit ones...

  6. Yay comcast!! by roc97007 · · Score: 1

    Watching out for their customers since, well, never.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  7. luggage combo by Anonymous Coward · · Score: 0

    They updated their pin generation to utilize SBA, Space Balls Algorithm, now everyone's pin is 1234.

  8. It's... by Anonymous Coward · · Score: 0

    C0000mcastic!

  9. Comcast gets to use someone else's network... by Anonymous Coward · · Score: 0

    ...to provide cell service, but no one else is allowed to use Comcast's network to provide Internet access. No one seems to see the hypocrisy in it.

    1. Re: Comcast gets to use someone else's network... by Anonymous Coward · · Score: 0

      That's a load of horseshit, I know of several companies who resell Comcast service. What they don't let you do is use a residential account for business purposes.

  10. There's that lie again. by Anonymous Coward · · Score: 1

    "We take this seriously.." - every time I hear this phrase, or something similar, I believe it less and less ... sigh.

  11. We take this very seriously by Anonymous Coward · · Score: 0

    Yeah. Right. They take it very seriously, but only when they get caught AND it goes public/viral.

  12. You are supposed to change the PIN. by Anonymous Coward · · Score: 0

    You are supposed to change the SIM PIN from the default.

  13. Ever try to use a Comcast WiFi hotspot? by Anonymous Coward · · Score: 0

    They're a fucking joke. You can see them, and sometimes 'connect' to them....but good fucking luck getting an actual internet connection through them, as they don't work for shit. They appear to be there just for looks...one cannot possibly believe that the Comcast WiFi hotspots were ever intended for actual use. They're essentially a beard meant to hide Comcast's monopoly.

    Comcast: "What?...no, look...we have all these WiFi hotspots deployed that our customers can use during cable modem service outages. Just look at them all!!!"

  14. So they chose to not use a pin by misnohmer · · Score: 1

    Setting a pin to 0000 is basically making a choice to not use the PIN - easier than changing software to not have a pin at all.

  15. Translation by JustAnotherOldGuy · · Score: 1

    "But Comcast declined to describe the recent fix in any way, saying that information could help attackers."

    Translation:

    "But Comcast declined to describe the recent fix in any way, saying that information could help attackers even more than Comcast did with a bonehead move like setting all PINs to '0000'."

    Alternate translation:

    "Ha ha ha, fuck you!" said Comcast executives as they snorted cocaine off an underage hooker's ass.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  16. Suspicious by Gabest · · Score: 1

    Why would anyone want to lock his phone? Are you trying to hide something from the police?