If someone wants to steal your phone number -- say, to intercept the two-factor authentication SMSes needed to break into your bank account or other vital service -- they hijack your SIM by impersonating you to your phone company (or by bribing someone at the company to reassign your phone number to them), and this has made the security of phone numbers into a top concern for security experts and telcoms companies, as there are millions of dollars at stake.
Enter Comcast, all-time champion "most-hated company in America," whose Xfinity Mobile cellular service assigns the same unchangeable PIN to every customer: 0000.
But don't worry, Comcast says that this only puts you at risk if you recycle user-names and passwords, and nobody does that.
Because of that 0000 PIN, getting a victim's Xfinity Mobile account number was the main obstacle for attackers. A Comcast spokesperson told Ars that this account number is available only by logging into the Xfinity Mobile Web portal and is therefore protected by a Comcast's user's password. Comcast told Ars that it does not send out paper bills for Xfinity Mobile and does not include that account number in emails to customers, cutting off two potential ways that attackers could get the account number.
Comcast indicated that the number-porting attack affected only customers who reused passwords across multiple sites.
Comcast set mobile pins to “0000,” helping attackers steal phone numbers [Jon Brodkin/Ars Technica]
(Image: Specious, CC-BY-SA)
Iowa state court officials contracted with Coalfire to conduct "penetration tests" on its security; as part of those tests, two Coalfire employees broke-and-entered the Adel, Iowa courthouse, and were caught by law-enforcement, whose bosses in Dallas County were not notified of the test.
Eleanor Saitta's (previously) 2016 essay "Coercion-Resistant Design" (which is new to me) is an excellent introduction to the technical countermeasures that systems designers can employ to defeat non-technical, legal attacks: for example, the threat of prison if you don't back-door your product.
For decades, people (including me) have predicted that cyberinsurers might be a way to get companies to take security seriously. After all, insurers have to live in the real world (which is why terrorism insurance is cheap, because terrorism is not a meaningful risk in America), and in the real world, poor security practices destroy […]
Breaking into the big leagues as a project manager isn’t done overnight, but there are principles that anyone can learn, and they’re applicable to nearly any business. No matter what your field, if there are multiple teams working toward a common goal, you’re going to need a roadmap. The Project Management Professional Certification Training Suite […]
On the one hand, nostalgia is “a corruption of the historical impulse,” according to William Gibson. On the other hand, “Super Mario Bros.” will never not be cool. Luckily, there’s a way to satisfy that retro gaming while still keeping an eye on the future: The GameShell Kit. This thing is simultaneously the last handheld […]
The field of data analytics can get intimidating, even for business professionals who constantly rely on it. But at its heart, its purpose is to simplify. To take mounds of information and distill their insights into a single clear picture. Currently, the go-to software for painting that picture is Tableau. And if you want to […]