Xfinity Mobile Numbers Hijacked: What to Do Now
UPDATED 3:30 pm EST March 1 with statement and information from Comcast.
If you use Comcast's Xfinity Mobile cellular service, you'd better implement two-factor authentication (2FA) on your Comcast account ASAP — and then bug Comcast support reps about putting a PIN on your mobile account.
Crooks are stealing Xfinity Mobile numbers by requesting that the numbers be "ported" to new phones. On many other carriers, the customer support rep asks for a mobile-account PIN along with the account number and owner's name before the request can be processed. But Comcast doesn't require PINs for Xfinity Mobile accounts, resulting in a PIN of "0000" (blank to a computer) for many or all Xfinity Mobile accounts.
Stolen phone numbers used to be an inconvenience. Today they're a threat, because calls and texts to your number are used to verify your identity in case you forget your password or use 2FA for other accounts.
A poster in the Xfinity Mobile forums related how a stolen number was used to take over his PayPal account. An Xfinity Mobile customer who contacted the Washington Post said someone stole his number, ported his Samsung Pay account to a new phone, then used Samsung Pay tied to his credit card to buy a computer at an Apple store.
We don't have an Xfinity Mobile account, so we can't verify if you would need to provide your Comcast account username and password along with your name and account number to request a number port from the wireless phone service provider. We do know that Comcast offers a 2FA option for Comcast accounts, and we urge that you use it.
It's also not clear whether Xfinity Mobile offers account PINs as an option at all, or simply forbids them. Comcast representatives told The Washington Post and Engadget that the company was "working aggressively toward a PIN-based solution."
Tom's Guide has reached out to Comcast about this issue, and we will update this story when we get a response.
UPDATE: A Comcast representative clarified to us that an Xfinity Mobile customer would need to provide his or her Comcast account username and password, as well as a few other pieces of information, in order to request a number port. The representative said that at the moment, there is no PIN requirement for making a port-out request.
The representative suggested that some Xfinity Mobile customers may have had their Comcast account usernames and passwords compromised if those customers had used those same credentials for other accounts that were subsequently exposed in data breaches.
In other words, if you were to sign up as "firstname.lastname@example.org" with password "wordpass123" for an online account with Acme Corporation, and then were to use the same username and password for your Comcast account, a data breach at Acme would compromise both your Acme and Comcast accounts. Someone who got a list of compromised Acme usernames and passwords could try "credential-stuffing" attacks against other websites to see where else those credentials could log them in.
The representative provided an official Comcast company statement:
"The fraudulent porting of mobile numbers is a well-known industry issue and not unique to Xfinity Mobile. We're aware of a very small number of customers impacted by this issue, but even having one customer impacted by this is one too many.
We believe this has only affected customers whose passwords might have been included in previous, non-Comcast related breaches. We recommend that customers use unique, strong passwords. In addition, customers can further protect their Xfinity account by signing up for multi-factor authentication.
We have also implemented a solution that provides additional safeguards around our porting process, and we're working aggressively towards a PIN-based solution. We are reaching out to impacted customers to apologize and work with them to address the issue. We take this very seriously, and our fraud detection and prevention methods, policies and procedures are continually being reviewed, tested and refined."