I'm assuming this is how you're addressing the Account page not being fully secure (no padlock in address bar) by disabling the in-page form and launching a Pop-Up window (which does have a padlock), but before I enter anything into that pop-up form I want to confirm this is how things are supposed to work now, right?
Hey there, Offworld! This image looks like the image of a store representative's system. But we no longer have physical stores. We do not recommend to use that link. You can dial *PAY (*729) or *AD (*23) on your device to add money.
Well that just raises even more questions. How and why would I be seeing a store representatives payment window? That would mean something is wrong with your authentication system. Are you absolutely certain your web team didn't change the way this works? Is this really just me seeing this, or are other people seeing the fake form and pop-up window too?
I already had reservations about Virgin Mobile's lack of commitment to account security, so if I'm seeing something (a store rep payment window) I shouldn't be authenticated to see there's something bigger that's gone wrong. I posted previously about the Account page for Top-Up not being fully secure, now that Credit/Debit form is grayed-out and fake, replaced by a button that launches the apparently secure Sprint pop-up payment window. Which, if this is how your web team is addressing the Account page being insecure is an odd way to "fix" it. I'd just have removed the server calls in the template that are pulling the insecure images into the Account page.
Then there's the even older issue where Virgin Mobile truncated our PIN from 8 digits to 6, needlessly making them LESS secure. There are only 1 million possible unique combinations of 6 digits, and Virgin Mobile's "fix" for that was to simply limit the number of login attempts to 20 from a single IP address. IP addresses can be spoofed, that won't stop a brute-force attacker at all. We should be using long alpha-numeric passwords with special characters to log into our accounts. And not having two-factor authentication these days is ridiculous, especially for a cellular account where by definition we should have the device (and if it's been lost or stolen some other means of rescue).
I've had a Virgin Mobile phone and account practically since it began, but this company needs to get serious about account security or I'm going to have to consider another carrier that does.
Thanks for bringing this to our attention. We definitely value your feedback. Rest assured – we’re working to make improvements in this area!
I managed to Top-Up using the automated phone system so at least I have service again. But I hope you sort out that online form soon, it's so much easier to enter the information. Before someone suggests I set up automatic top-ups, Virgin Mobile's lax security practices are the reason I won't allow my card info to be stored. I hope you really ARE working to make improvements in the area of account security.