Do you divulge your PIN to VM customer care?

[m-cman]

Who said they were in India?

I think most of the customer reps are in India. At least everyone I have talked to in the last two years had an Indian accent.

 

[redgjm]

I think most of the customer reps are in India. At least everyone I have talked to in the last two years had an Indian accent.

Some are from the Philippines.

 

[SuperAfnan]

I think most of the customer reps are in India. At least everyone I have talked to in the last two years had an Indian accent.

Some are from the Philippines.

I never got an Indian rep before on Virgin Mobile. Just Mexicans some Americans and Filipinos.

 

[Mikestony]

o.k..let's try to keep this on topic with the VM/password discussion.

 

[kct1975]

Virgin Mobile's garbage customer service is one of the reasons I left them. Look at all the trouble on this thread. I would never give out my pin in an email, only with a customer service call.

Exactly what I was saying! With e-mail, you are never completely sure who it is going to and who is going to see it.

Famous saying "Never put anything is writing, that can be communicated verbally!"

But this is what people have an issue with, there is no reason for Customer Service to have access to your password; not to mention that isn't the type of information you want to be giving over the phone or in an email (which are not secure).

Yup...anything in e-mail can be forwarded to the wrong person or can be seen by the wrong person.

Also any e-mail sent to a corporate e-mail address can not only be seen by the intended recipient, but also the customer reps supervisor, and the company IT Department.

Theoretically, all it would take is one disgruntled employee in the IT Department to view the e-mails and hack the account.

Also, e-mail accounts can be hacked by cyber attacks. Both personal accounts (Gmail, Hotmail, Yahoo, etc.) and corporate e-mail accounts.

 

[AnciusD]

So what's the consensus is there any way to avoid giving your PIN? Should I call or use their online Contact applet? It looks like the applet encrypts the PIN. If I give my PIN does that mean they have access to my registered CC#?

I've had auto pay via CC for years but this last billing period it deducted from my carryover balance which was fine with me but now I get these notices that payment is overdue, it seems that they don't recognize the deduction.

Update...
In response to my email inquiry:
As a kind reminder, always make sure to include your Virgin
Mobile phone number and PIN on all replies.
I also tried their online applet and so far only received a generic received-your-msg response, case#, etc.

 

[kct1975]

While I'm not with VM...I highly recommend that you only give your account PIN over the phone no matter what the VM e-mail message says.

E-mail is not a secure communication method. It can be hacked or miss directed.

 

[divinebovine]

You guys thought this thread was dead, eh? It's baaaack!

Professionally I am a network administrator. Outside of work I moderate a few forums. Password security is a HUGE issue for me. Every day I am disappointed in the failures of my peers to keep their databases secure and to use safe practices. Every day I am disappointed in my users when I find out how awful their passwords are (because, even though I insist that they never tell me, they tell me anyway -- I DON'T WANT TO KNOW! Or, like today, someone had to speak it to be able to type it.

).

Keeping that in mind, your TLDR of this post is that tcomotcom is 100% right, you folks are misplacing your concern. Go ahead and give VM your PIN. I'll even go as far as to say you might as well email it; it's already far less secure than plaintext SMTP email in your account whose password is "password" anyway.

Your VM account PIN is not the same as a password for other types of accounts.

Let's face it folks, we're not with VM because they're a class act...we're with VM because we're short-budgeted. I don't trust VM at all, and I wouldn't even if they had a decent security system instead of a single 6-digit numeric PIN that could be bruteforced in a scant few minutes.

There are other means to verify an account other than asking for the account password. A few are: the last 4 digits on your credit card (if you have one), the first and last name on the account, the alternate phone number, parts of the home address, birthday etc. etc. etc. Generally no major company will ever ever ever ask you for your password.

With a postpaid carrier that'd be true, but Virgin Mobile doesn't require any of that and I'm sure not putting all that info in their system. If I do, I sure don't want a CSR to be able to see it.

I respectfully disagree. No company would be so stupid that they would leave account passwords unencrypted on a database.

Please do not misplace trust like that. It happens all the time, and even when encrypted there are failures often enough. VM is a most likely candidate, BTW.

That's just trouble waiting to happen. If they want to verify then they can ask for my zip code, the last 4 digits of my SS#, the last 4 digits of my credit card, or they can return my call at my home number. There are far too many ways to verify an account. They do not need my password.

No way, no how, will VM get my SSN. Yikes.

TL/DR: It's OK to give out your PIN as long as you do it under the right circumstances. Adding a second password doesn't change that and wouldn't significantly deter someone with bad intentions from getting into your account. In practice, having two passwords makes their job easier.

{really long, accurate, informative post}

Anyone who didn't read this post, please click the link to go back and read it.

I have never had to give my pin/password to any other company. Google CS has never asked for my password, Blizzard CS has never asked for my password, Comcast CS has never asked for my password, Sprint CS has never asked for my password, ebay CS has never asked for my password, Amazon CS has never asked for my password, Vonage CS has never asked for my password, VMUSA always asks for my password.

Off the top of my head, I can think of two: Before I had VM I had Sprint and they had a PIN that they needed to verify before they would talk to me (it was different from my web account access password but that's a null issue as tcomotcom explained), and Cox cable too.

Everyones being paranoid. They're not going to steal your identity!

...nor should there be enough data in your VM account to do any damage to you other than what can be done to your VM account.

That said, it shouldn't be downplayed too much. Someone with access to your account can hijack your phone number. Your caller ID is used as security at plenty of other accounts who don't ask for a PIN, so then they can gain access to those accounts, as well as use all manner of social engineering tactics to gain access to other parts of your personal life by posing as you.

Exactly what I was saying! With e-mail, you are never completely sure who it is going to and who is going to see it.

Famous saying "Never put anything is writing, that can be communicated verbally!"







Yup...anything in e-mail can be forwarded to the wrong person or can be seen by the wrong person.

Also any e-mail sent to a corporate e-mail address can not only be seen by the intended recipient, but also the customer reps supervisor, and the company IT Department.

Theoretically, all it would take is one disgruntled employee in the IT Department to view the e-mails and hack the account.

Also, e-mail accounts can be hacked by cyber attacks. Both personal accounts (Gmail, Hotmail, Yahoo, etc.) and corporate e-mail accounts.

If a disgruntled network administrator wants to compromise your VM account he doesn't need you to send your PIN in email to do it. Any way that you access your VM account from work, he can compromise. If you are doing this stuff from work then you are trusting your IT staff. Information Technology department might as well be Information Gods department, given sufficient motivation and skills they can do anything. (They can also be blamed for anything, which really stinks, and which is why I avoid knowing others' passwords.) Go home to do your personal stuff; your ISP has less ability to abuse your trust than your IT department and is prevented from doing so by law, while your IT department is legally allowed and you probably signed for it too (the company owns the equipment and services and has the right to control them however they see fit).

Edit: To clarify - IT folks have the right to monitor/record, but certainly not the right to abuse the information. Besides legal ramifications for misuse of such data, they also have a career to worry about. Still it's best to do personal stuff from home, and avoid pissing off an IT guy whose morals you question.

 

[kct1975]

Spoiler

You guys thought this thread was dead, eh? It's baaaack!

Professionally I am a network administrator. Outside of work I moderate a few forums. Password security is a HUGE issue for me. Every day I am disappointed in the failures of my peers to keep their databases secure and to use safe practices. Every day I am disappointed in my users when I find out how awful their passwords are (because, even though I insist that they never tell me, they tell me anyway -- I DON'T WANT TO KNOW! Or, like today, someone had to speak it to be able to type it.

).

Keeping that in mind, your TLDR of this post is that tcomotcom is 100% right, you folks are misplacing your concern. Go ahead and give VM your PIN. I'll even go as far as to say you might as well email it; it's already far less secure than plaintext SMTP email in your account whose password is "password" anyway.

Your VM account PIN is not the same as a password for other types of accounts.

Let's face it folks, we're not with VM because they're a class act...we're with VM because we're short-budgeted. I don't trust VM at all, and I wouldn't even if they had a decent security system instead of a single 6-digit numeric PIN that could be bruteforced in a scant few minutes.


With a postpaid carrier that'd be true, but Virgin Mobile doesn't require any of that and I'm sure not putting all that info in their system. If I do, I sure don't want a CSR to be able to see it.


Please do not misplace trust like that. It happens all the time, and even when encrypted there are failures often enough. VM is a most likely candidate, BTW.



No way, no how, will VM get my SSN. Yikes.


Anyone who didn't read this post, please click the link to go back and read it.



Off the top of my head, I can think of two: Before I had VM I had Sprint and they had a PIN that they needed to verify before they would talk to me (it was different from my web account access password but that's a null issue as tcomotcom explained), and Cox cable too.


...nor should there be enough data in your VM account to do any damage to you other than what can be done to your VM account.

That said, it shouldn't be downplayed too much. Someone with access to your account can hijack your phone number. Your caller ID is used as security at plenty of other accounts who don't ask for a PIN, so then they can gain access to those accounts, as well as use all manner of social engineering tactics to gain access to other parts of your personal life by posing as you.



If a disgruntled network administrator wants to compromise your VM account he doesn't need you to send your PIN in email to do it. Any way that you access your VM account from work, he can compromise. If you are doing this stuff from work then you are trusting your IT staff. Information Technology department might as well be Information Gods department, given sufficient motivation and skills they can do anything. (They can also be blamed for anything, which really stinks, and which is why I avoid knowing others' passwords.) Go home to do your personal stuff; your ISP has less ability to abuse your trust than your IT department and is prevented from doing so by law, while your IT department is legally allowed and you probably signed for it too (the company owns the equipment and services and has the right to control them however they see fit).

Edit: To clarify - IT folks have the right to monitor/record, but certainly not the right to abuse the information. Besides legal ramifications for misuse of such data, they also have a career to worry about. Still it's best to do personal stuff from home, and avoid pissing off an IT guy whose morals you question.

Wow! Honestly, I could not have said that better myself! :thumbup:

The only thing I have to add is that even personal (web based e-mail...Hotmail, G-mail, Yahoo Mail, AOL E-mail, etc) can be hacked. That is one of the reasons I mentioned that if a PIN or Password has to be given, it should be communicated by phone, and not e-mail.

 

[Petrah]

you folks are misplacing your concern. Go ahead and give VM your PIN. I'll even go as far as to say you might as well email it; it's already far less secure than plaintext SMTP email in your account whose password is "password" anyway.

Apologies.. the rest was TLDR.

Will I give out a password and/or pin to a company in email? No.
Will I give out a password and/or pin to a company via Twitter? No.
Will I give out a password and/or pin to a company via Facebook? No
Will I give out a password and/or pin via telephone if a company has called me? No.

I spent way too many years as a server administrator to web hosting clients, and too many years doing side work for neighbors to fix up their computers/laptops (cleaning nasties and securing them) to know better than to do any of the above. Being a server admin and seeing the things that I've seen and experienced first hand, there's no way I would give out any personal information via the above mediums. Especially email.

Will I give out a password and/or pin via telephone when I have called the company myself? Absolutely.

Not everyone is going to agree with me, and that's OK. Some may say I'm over doing it or being too anal, and that's OK. The above methods work for me and that is really all I am concerned with. My personal security methods are what they are. My methods, and not everyone has to follow those.

 

[kct1975]

Apologies.. the rest was TLDR.

Will I give out a password and/or pin to a company in email? No.
Will I give out a password and/or pin to a company via Twitter? No.
Will I give out a password and/or pin to a company via Facebook? No
Will I give out a password and/or pin via telephone if a company has called me? No.

I spent way too many years as a server administrator to web hosting clients, and too many years doing side work for neighbors to fix up their computers/laptops (cleaning nasties and securing them) to know better than to do any of the above. Being a server admin and seeing the things that I've seen and experienced first hand, there's no way I would give out any personal information via the above mediums. Especially email.

Will I give out a password and/or pin via telephone when I have called the company myself? Absolutely.

Not everyone is going to agree with me, and that's OK. Some may say I'm over doing it or being too anal, and that's OK. The above methods work for me and that is really all I am concerned with. My personal security methods are what they are. My methods, and not everyone has to follow those.

Thank you Petrah for clearly stating what I myself have suggested!

You did a much better job explaining it than I ever did!