In 2017, Comcast launched Xfinity Mobile: a wireless service that runs on Verizon wireless and Comcast’s own Wi-Fi hotspots.
To make it easy for customers to port their existing phone numbers over from other carriers, the company used a shortcut: no PINs needed. Oh, except for one, default PIN of “0000,” that is, which made it super simple easy for crooks to hijack people’s phone numbers.
The glaring security gaffe came to light after multiple customers reported that their numbers had been ported without authorization, that the hijackers had switched the numbers to their own accounts, and that the crooks then carried out identity theft.
One of the ripped-off customers wrote to a Washington Post columnist who addresses readers’ tech problems. From the column, which appeared on Thursday:
‘This is a security hole large enough to drive a truck through,’ reader Larry Whitted in Lodi, Calif., wrote last week.
As a customer of Comcast’s Xfinity Mobile phone service, Whitted says someone was able to hijack his phone number, port it to a new account on another network and commit identity fraud. The fraudster loaded Samsung Pay onto the new phone with Whitted’s credit card – and went to the Apple Store in Atlanta and bought a computer, he said.
The core of the problem: Comcast doesn’t protect its mobile accounts with a unique PIN. (Comcast’s help site for switching carriers suggests this is to make things easier: ‘We don’t require you to create an account PIN, so you don’t need to provide that information to your new carrier.’) The default it uses instead is…. 0000.
To port your phone number, you need two things: your Comcast mobile account number, and a PIN that should, in theory, verify that it’s really you, the legitimate account holder, looking to port your own number. Comcast apparently sought to make it easier for customers by appearing to make the process PIN-less. But it didn’t make the PIN go away: reportedly, it just set a default PIN of 0000 for all customers … a PIN that customers couldn’t change.
All an attacker had to do was get hold of a victim’s account number, plus what Xfinity calls several other pieces of “obscure information”, then plug in those four zeroes, and presto! Stolen account, ported to another carrier.
Last week, Comcast edited its help page to get rid of references to the account PIN.
What it says now:
When you contact your new carrier to transfer your number, they will want your current address and Xfinity Mobile account number
Password reuse again rears its ugly ugly head head
Comcast told Ars Technica that fewer than 30 customers were affected by the security snafu, which only affected customers who reused passwords across multiple sites.
From its statement:
We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches. We recommend that customers use unique, strong passwords. In addition, customers can further protect their Xfinity account by signing up for multi-factor authentication.
Comcast referred to the fraudulent porting of mobile numbers as being “a well-known industry issue and not unique to Xfinity Mobile.” At Naked Security, we’ve covered the issue of phone hijacking, but more along the lines of fraudulent SIM (subscriber identity module) swaps rather than default 0000 PINs. In SIM swaps, crooks talk a mobile phone shop into re-issuing someone else’s SIM, perhaps by using fake ID, by guessing at security questions, or by colluding with a corrupt employee.
In SIM swaps, the fraudsters drain victims’ bank accounts by taking over their mobile phones, then intercepting calls or text messages sent by their banks.
The end result is the same for the Comcast security snafu as it is for SIM swaps: crooks get new laptops or other loot, while victims are left in the lurch, trying to convince somebody that they’re the real account holder.
Comcast says it’s fixed the problem, though it didn’t give details about how, saying that such information could help attackers. The company said it also plans to offer a real PIN-based system, but it didn’t say when we’ll be seeing it.
More from Comcast’s statement:
We have also implemented a solution that provides additional safeguards around our porting process, and we’re working aggressively towards a PIN-based solution. We are reaching out to impacted customers to apologize and work with them to address the issue. We take this very seriously, and our fraud detection and prevention methods, policies and procedures are continually being reviewed, tested and refined.
We’re glad to hear that Comcast is going to require customers to choose a unique PIN when signing up for service. Of course, it could have/should have done that two years ago when it kicked off Xfinity Mobile… but then it wouldn’t have given news outlets another chance to make fun of Kanye West showing off his password of 000000 in the Oval Office.
How to stop the hijackers
Comcast told the Post that a fraudster still needs several pieces of customer information to port a number, including the obscure Xfinity Mobile account number. To get at that account number, users have to log into the Xfinity Mobile web portal, using their Comcast user password. The company doesn’t send out paper bills for Xfinity Mobile accounts, the company told Ars; nor does it include the account number in emails to customers.
Given that Comcast blamed password reuse for enabling these attacks, it makes sense to use a unique, strong password for your Comcast account, just as for any other account.
Password managers make creating, storing and using a slew of strong passwords much easier. True, there have been issues reported recently about password managers not scrubbing passwords from memory once they’re no longer being used, but we still believe that the advantages outweigh the issues, which will likely be tidied up through updates anyway.
Make sure you also use two-factor authentication (2FA) whenever it’s available. That way, even if someone has your password, they still can’t log in as you.
Chuck B
The unique password requirement for Comcast is 8-16 characters. I for one would like to be able to use longer passwords.
Wilderness
I couldn’t agree more. There’s little to no reason to have a character limit that short.
Will
While not an excuse for a password character limit, perhaps MFA is a way of further securing the account for now…
Spencer D
Anytime a password field has an upper limit, it is highly concerning. If they are storing secure, one-way, irreversible hashes, then they should not need to limit the character count because the output of nearly all crytographically secure hashing algorithms has a fixed width regardless of the input size. This is achieved by effectively performing lossy transformation techniques for inputs that exceed the hashing algorithms internal size. On the other hand, two-way, reversible encryption would have a legitimate reason to place a maximum limit on the number of acceptable characters, given that you cannot perform lossy transformation to condense the content if you need to be able to reverse/decrypt the content later.
That is all to say, anytime a system sets an upper-limit on their password field, I immediately question whether or not they are following best practices for storing the passwords.
Wilderness
Spencer, perfectly said!
Bryan
I agree, Spencer. We can only speculate on the rationale. Even when companies are caught with their secure pants around their insecure ankles we can’t posthumously assume they *wanted* bad password storage–they simply made a bad decision or three.
Paul Ducklin has pointed out that length limits can (theoretically) preclude DoS attacks, as allowing million-character passwords carries the potential.
Duck’s opined that imposing limits under 20 appears to stem from the notion that fewer passwords will end up too difficult to remember–with less customer support devoted to resetting passwords.
I agree with him: this is a weak justification for arbitrary limits under (say) 128 or 256 characters. I also can’t think of another potential reason for forcing passwd brevity. Even a bad one like excessive resets.
Bryan
Hahah, I should learn to read *ALL* the comments before contributing. One of Duck’s comments that I refer is a mere three inches down the page.
Ian
Allowing Comcast to control your mobile number just seems like a terrible idea. They have proven over and over again that they do not care about the consumer at all.
bart black
16 character length limit is more than sufficient for security purposes. In fact even a 12 character password is virtually unbreakable IF it contains enough randomness and complexity.
You want to integrate things like punctuation, spaces, and/or other special characters into your alphanumeric password.
A password that is an actual word or a phrase which takes the form of l33t speak or another similar encoding scheme, is really difficult to crack. For instance, instead of using an already strong ‘mydogsnameisscooter’ (which would take about 5 centuries to break with an average home PC), you can change it up like so: ‘Myd0g’snamei$sc00ter’, and this one would take 700+ centuries to brute force!
Paul Ducklin
I can see why you might want to prevent absurdly long passwords, such as 1,000,000 characters or even 1000 characters, as a basic precaution against time-wasting DDoS attack. But i don’t get the 16-character limit.
Ironically, the “strong” example password you give is 19 characters long, and the “changed-up” version is 20 characters. And why shouldn’t you choose passwords like that if you want?
Bryan
> about 5 centuries to break with an average home PC
Hey Bart… you *are* aware that professional thieves don’t crack password databases on a clunker from Best Buy, right?
phs
I use 40 character unique randomized passwords generated by LastPass. There are numerous similar services. I do not have to remember my passwords, and I prefer to keep them reasonably long. Sites that limit to less than 40 characters or do not allow special characters demonstrate a level of ignorance that makes me question whether to use their services. Other replies already outlined why this should be considered ignorance. Limiting any aspect of a password, including length, unnecessarily reduces the brute force search space. And the assumption that you have to “remember” passwords has been false for a long time. Furthermore, it is easy to make a memorable password using a salt and an easily remembered phrase. For example: [xLk!5]NoComcast4me. Note that sites that limit special characters make a secure salt impossible, and demonstrate that their IT departments are stuck in the last century when mainframe, U*X and pre-NT Windows accounts had such limitations.