PIN codes and passwords these days are considered to be the least reliable method of securing accounts but they are still better than nothing at all. That said, an easily guessed code is just as bad as having nothing. Perhaps mistaking the list of worst passwords for the list of best passwords, Comcast’s Xfinity Mobile network has decided to implement a default PIN of “0000” for all customers, which has, unsurprisingly, led to quite a number of hijacked numbers and even identity theft.
You might wonder what an ISP account PIN has to do with identity theft which Larry Whitted from California recounted the horror story to the Washington Post. The culprit used that extremely difficult to guess “0000” PIN to get access to Whitted’s phone number, transfer it to another network with credit card still attached to that number. By linking it to Samsung Pay on a new phone, the criminal used the newfound resource to buy a new Mac in Atlanta.
Whitted is hardly the only case but even a Comcast spokesperson admitted that one customer is one too many. Other Xfinity mobile customers shared their own experiences which have ultimately been blamed on that default PIN number.
Why would Comcast make such a huge security blunder? All for the sake of convenience, of course. Comcast’s documentation states that it doesn’t require an account PIN so that customers won’t have to hand over that key when transferring to a new carrier. And by “no PIN”, they really mean using just “0000” as the default. Admittedly, that’s just as good, or as bad, as having no PIN.
Comcast is said to now be working on a PIN-based solution to remedy the situation, which probably won’t do any good for those whose accounts and identities were already compromised. While Xfinity is just a two-year-old MVNO riding on Verizon’s network, it isn’t an excuse not to exercise best security practices right from the start.