Do you divulge your PIN to VM customer care?

[MacFett]

No company (especially a CSR) should have access to my PIN or password, it should be encrypted and secure. There are plenty of other ways for them to verify I am the account holder.

 

[Petrah]

no its not. they have that info on their screen. you are not telling them something they dont already have access to. They just want to make sure they are speaking with the account holder

I respectfully disagree. No company would be so stupid that they would leave account passwords unencrypted on a database. That's just trouble waiting to happen. If they want to verify then they can ask for my zip code, the last 4 digits of my SS#, the last 4 digits of my credit card, or they can return my call at my home number. There are far too many ways to verify an account. They do not need my password.

In the 10+ years I ran a web hosting company, I never asked for the account password to verify an account. Ever.

 

[chris1966]

I respectfully disagree. No company would be so stupid that they would leave account passwords unencrypted on a database. That's just trouble waiting to happen. If they want to verify then they can ask for my zip code, the last 4 digits of my SS#, the last 4 digits of my credit card, or they can return my call at my home number. There are far too many ways to verify an account. They do not need my password.

In the 10+ years I ran a web hosting company, I never asked for the account password to verify an account. Ever.

Well having worked for numerous customer service call centers through the years. i can tell you that any info that they are asking they have to be able to confirm. which means that the info is on their screen. those reps probably take 70-80 calls daily. they arent going to ask you info they dont have access to.

 

[MacFett]

Well having worked for numerous customer service call centers through the years. i can tell you that any info that they are asking they have to be able to confirm. which means that the info is on their screen. those reps probably take 70-80 calls daily. they arent going to ask you info they dont have access to.

And NO CSR should have access to my password, NONE. A reputable company has disclaimers on the website and in emails that say, "A representative of this company will never as you for your password."

Had I not just purchased an Optimus Elite I would be buying another device and switching to T-Mobile. In fact I may be trying to return it to Best Buy if I can find a device for T-Mobile in the $150 range.

They don't ask you for your password to get customer service do they Petrah?

Google will never email you to ask for your password or other sensitive information.

Amazon.com will never e-mail you to pay for Marketplace transactions outside our shopping cart, or ask you to confirm personal information such as a credit card number or password via e-mail.

 

[mogelijk]

And NO CSR should have access to my password, NONE. A reputable company has disclaimers on the website and in emails that say, "A representative of this company will never as you for your password."

Had I not just purchased an Optimus Elite I would be buying another device and switching to T-Mobile. In fact I may be trying to return it to Best Buy if I can find a device for T-Mobile in the $150 range.

They don't ask you for your password to get customer service do they Petrah?

From what I recall, the answer is yes, and no. T-Mobile has an account PIN much like VM does, and their CSRs will ask you for that PIN. However, when you set up an account on the my.t-mobile website you have a password that is not the same as the PIN. So they do use a PIN to identify you and that you are authorized to access the account but it doesn't give the same access, if stolen, if your VM PIN is stolen.

I had an Evo V and got fed up with my data speeds on VM, and I even have 4G (WiMax) in my area. I do not regret returning my Evo and switching to T-Mobile, and I love the Galaxy Nexus that I bought (though it costs a bit more than $150).

 

[raynoldsk]

Give them the darned PIN then change it after they help you.

What are they going to do--add top up money to your account?

 

[Petrah]

if Virgin Mobile is required to have either your PIN or your password to trouble-shoot, I would only do so over the phone on a valid Virgin Mobile customer service number.

The reason is the e-mail is not secure unless it is encrypted

This.

 

[glock29guy]

They always ask for my PIN on the phone, but I would never email it to them.

I hate that VM doesn't have an option for a separate PIN. Most postpaid carriers have PINs or use the last 4 of SSN for accessing your account on the phone.

 

[tcomotcom]

I'm rather bothered they would even ask for my PIN much less to tell me they can't help me without it and I let them know as much.

They are doing this because it is the only way for them to verify that it is actually the account owner making the request.

If they answered questions about your account or made changes based on a phone number only, that would allow anyone to just send an email and get access to your account, get your private information (who you've called or texted, for example) and/or make changes to your account without your authorization.

VM doesn't want to inadvertently give your account information to a private investigator, to a journalist working for News Corp., to an ex who now hates you or to anyone else with bad intentions.

I can understand why anyone would be suspicious - and its good to be cautious - but in this case its a legitimate request. As others have said, keep basic security practices in mind, especially that they won't ever contact you out of the blue and ask for your PIN so don't give it up unless your initiate the contact.

 

[mogelijk]

They are doing this because it is the only way for them to verify that it is actually the account owner making the request.

If they answered questions about your account or made changes based on a phone number only, that would allow anyone to just send an email and get access to your account, get your private information (who you've called or texted, for example) and/or make changes to your account without your authorization.

VM doesn't want to inadvertently give your account information to a private investigator, to a journalist working for News Corp., to an ex who now hates you or to anyone else with bad intentions.

I can understand why anyone would be suspicious - and its good to be cautious - but in this case its a legitimate request. As others have said, keep basic security practices in mind, especially that they won't ever contact you out of the blue and ask for your PIN so don't give it up unless your initiate the contact.

But the complaint is that there are much better ways to do this from a security standpoint. As has been mentioned, other cell phone companies have a PIN so that you can prove who you are, but they have a separate password that you use to access your account.

 

[tcomotcom]

But the complaint is that there are much better ways to do this from a security standpoint. As has been mentioned, other cell phone companies have a PIN so that you can prove who you are, but they have a separate password that you use to access your account.

TL/DR: It's OK to give out your PIN as long as you do it under the right circumstances. Adding a second password doesn't change that and wouldn't significantly deter someone with bad intentions from getting into your account. In practice, having two passwords makes their job easier.

I understand you think having both a PIN and a separate password is a better system, but it isn't.

Having a separate password seems great because it specifically prevents someone from using your PIN to access your online account. (I'm pretty sure that's what you're arguing.) However, if someone has your password, all they have to do is call up customer service and say "I can't remember my online PIN.", then provide the password and have the PIN reset. If someone can hack into your communications network or hardware to get a PIN, they can certainly do the same to get a password. It doesn't matter how many different passwords/PIN's you have when having just one allows you to have any/all of the others reset.

In a situation where you as a customer have have both a PIN and a password, you're making it easier, not harder, for someone to get into your account because it increases their chances. If a bad guy can trick you into giving up one secret code, they can then call Customer Service and have CS reset the other.

If it's the online password you're worried about, you should be more concerned that it is limited to six numbers. That's an extremely easy to break password scheme. Even if VM allowed alpha and special characters (which they don't) six characters is still not great.

It's my opinion that this thread is worrying about the wrong things. It's like we're all afraid of dying, so we are discussing "How do I avoid getting hit by lightning?" when we should be discussing "How do I avoid getting heart disease?" (Because death by lightning is really rare but heart disease is the top cause of death.)

Bad guys aren't afraid of secure networks, strong passwords or multiple passwords because it is much easier to simply trick someone into flat out telling them their secrets. "Social engineering" works well and its relatively easy to implement. (Even after workgroups have been given security awareness training, many of them will still fall for social engineering tricks that they just learned about earlier that same day.) If you want to be afraid of something, be afraid of that. Social engineering is by far your biggest enemy.

As I said before, if you have initiated the communication (using a phone number or e-mail address that is openly published on brochures, official websites, etc.) then give up your PIN. However, if you receive a phone call or e-mail out of the blue, do not give out your PIN. You don't even have to respond to the message. Instead of calling the number left in the voice mail, just call the official, main CS number. Instead of hitting "reply" to the e-mail, just compose a new email saying "I received a message to contact you about (insert whatever here). Is this correct?" and wait to see what they say. Step one in falling for a social engineering trick is responding to a call or e-mail that you received out of the blue, so don't do that.

-----

FWIW-

Maybe there's confusion about what happens on the VM side? If an authorized VM employee (or their agent, for example the employee of a customer service outsourcing firm in Costa Rica) wants to access your account, they don't need your PIN to do it. If they have just your phone number, they are good to go - all your info is right there for them to see, including your PIN. If they have your phone number, they already know your PIN before you give it to them. You provide it, they check it against what they already have and if there's a match, they proceed with helping you.

 

[MacFett]

TLDR

I have never had to give my pin/password to any other company. Google CS has never asked for my password, Blizzard CS has never asked for my password, Comcast CS has never asked for my password, Sprint CS has never asked for my password, ebay CS has never asked for my password, Amazon CS has never asked for my password, Vonage CS has never asked for my password, VMUSA always asks for my password.

Maybe there is some confusion here, they should NEVER need to ask me for my pin/password. They should NEVER be able to see my pin/password. It should be encrypted, they should NEVER emailing it to me in plain text, they should NEVER be texting it to me. And it should be more than a 4 digit pin. That is not secure, it is so easily hacked.

As I stated previously, because of this I will be switching to T-Mobile as soon as I have saved for a Galaxy Nexus.

 

[OverByter]

It's actually 6 digits, not that it really matters. Since I haven't seen anyone on this forum, which I've been a member to for over a year, running around screaming about how their accounts have been hacked because they sent VMUSA their pin in plaintext me thinks that I'll start worrying about some other pedantic issue to get worked up over. ;-)

 

[tcomotcom]

I have never had to give my pin/password to any other company. Google CS has never asked for my password, Blizzard CS has never asked for my password, Comcast CS has never asked for my password, Sprint CS has never asked for my password, ebay CS has never asked for my password, Amazon CS has never asked for my password, Vonage CS has never asked for my password, VMUSA always asks for my password.

Maybe there is some confusion here, they should NEVER need to ask me for my pin/password. They should NEVER be able to see my pin/password. It should be encrypted, they should NEVER emailing it to me in plain text, they should NEVER be texting it to me. And it should be more than a 4 digit pin. That is not secure, it is so easily hacked.

You've missed the point. Keep working through the issue and eventually you'll see that your accounts at all the companies above are equally insecure, VM included.

I realize that you think that the security practices you mention above are some kind of magic bullet, but they're not. Going back to the "worrying about the wrong things" concept, I feel like you're telling me how important it is to buy a really good deadbolt for your screen door.

 

[kct1975]

I don't know about everyone else, but...

All I was trying to say is that I would NEVER enter any PIN or Password into an e-mail. As much as I love and use Gmail and Hotmail, I know that it is not secure.

Even the corporate e-mail I use at work, while encrypted, can be easily access by the IT Department staff, so I would never even put an account PIN in e-mail there either.

I do agree with some of the posters here that VM should have another method of Account Verification other than asking for a customer's PIN. However, if the Customer Service needs the PIN as the only way to verify an account, then I personally, would ONLY give it to customer service over the phone. That way you at least are sure that it is only a VM Customer Service Rep that is getting your PIN.

With e-mail, it can be hacked, accessed by multiple individuals if it is a shared customer service account, or can accidently be sent to the wrong person or group.

With a phone call, typically the conservation is one-on-one.

That is my thinking behind my advice.

 

[Petrah]

I have never had to give my pin/password to any other company. Google CS has never asked for my password, Blizzard CS has never asked for my password, Comcast CS has never asked for my password, Sprint CS has never asked for my password, ebay CS has never asked for my password, Amazon CS has never asked for my password, Vonage CS has never asked for my password, VMUSA always asks for my password.

Maybe there is some confusion here, they should NEVER need to ask me for my pin/password. They should NEVER be able to see my pin/password. It should be encrypted, they should NEVER emailing it to me in plain text, they should NEVER be texting it to me. And it should be more than a 4 digit pin. That is not secure, it is so easily hacked.

This.

As I stated previously, because of this I will be switching to T-Mobile as soon as I have saved for a Galaxy Nexus.

T-Mobile will ask for your PIN over the phone. However, I'm not sure they can access the account without it. Give them a call and check.

 

[smankins]

Some accounts require you to give them your PIN (personal identification number) so that they know that it is indeed the account holder (or at least someone who knows the PIN). I have found this to be fairly common with customer service for many businesses. I used to have OnStar and I would need to give my PIN if I wanted them to unlock my car. ATT needed a pin created for porting of a phone number. But I would go with the suggestion to only do it over the phone - don't put it in an email.

 

[jamoosh]

Sorry to bump an outdated thread--I was searching for something else, and came across this. I too cringe whenever they request my PIN. My last few electronic communications with the company, their email was closed as such:
"As a kind reminder, always make sure to include your Virgin
Mobile phone number and PIN on all replies."
To me, it's not as bad as US Cellular though, who asks for the last four of your social security number before they will even talk to you. Six random digits are a lot easier for me to disclose than my social security.

 

[SuperAfnan]

Virgin Mobile's garbage customer service is one of the reasons I left them. Look at all the trouble on this thread. I would never give out my pin in an email, only with a customer service call.

 

[meta6]

They already know it asking for confirmation's sake.
seems silly to think your "secret" password isn't known to customer service
rep from your wireless carrier.

 

[mogelijk]

They already know it asking for confirmation's sake.
seems silly to think your "secret" password isn't known to customer service
rep from your wireless carrier.

But this is what people have an issue with, there is no reason for Customer Service to have access to your password; not to mention that isn't the type of information you want to be giving over the phone or in an email (which are not secure).

 

[redgjm]

Everyones being paranoid. They're not going to steal your identity!

 

[SuperAfnan]

Everyones being paranoid. They're not going to steal your identity!

If they know your pin, they can buy a cheap OV, swap phones, and cause havoc.

 

[OverByter]

If they know your pin, they can buy a cheap OV, swap phones, and cause havoc.

UMMMMM, I'm pretty sure that VM USA won't work in India.
OB

 

[SuperAfnan]

UMMMMM, I'm pretty sure that VM USA won't work in India.
OB

Who said they were in India?