Is your ISP sending your client zone details as plain text or are they actually encrypted?
Which leaves the question: what are these ISPs doing?
Openweb: Pass? - HTTPS
Afrihost: Pass - HTTPS, Username is case insensitive.
Mweb: Pass - HTTPS, Username is case insensitive.
Telkom: Pass - HTTPS
CyberSmart: Fail? - HTTP, I would strongly advise against an ISP who plays reactionary. ***
Axxess: Fail?, though not sure about second GET - HTTP, Username is case insensitive. ***
“I am not sure why someone would want to top up someone else’s account,” Fialkov joked, but added that even this is covered by their gig-back guarantee, so if a customer disputes the top-up and it really was not done from their location, a refund will be issued.
Despite being unconvinced of the purpose in securing their ADSL usage and top-up pages, Fialkov said that they will do it if their users demand it.
WebAfrica: Username is case insensitive.
Now one might ask: why is this a bad thing?
Well, for one, if I casually intercepted your unencrypted details, it would be very easy to log in and lie dormant. There is no need to abuse, just watch and collect info.
What if I made an error in the OP?
Obviously if I have made an error, then I'll correct it.
*** Apparently Axxess and Cybersmart are also insecure according to WebAfrica:
Seems that the username case insensitivity is due to A) being email or in case of WA/Axxess it's unknown speculation. Should your username be case sensitive too?
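
As an added example (not part of the original post): a small Python check that applies the same Pass/Fail idea to a login page's HTML, failing it when the page itself or the form submission is not HTTPS. The host name and sample markup are constructed, and treating a GET login form as a failure is an extra assumption of this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class LoginForms(HTMLParser):
    """Collect every <form> that contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []       # finished forms holding a password field
        self._current = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "has_password": False,
                             "method": (a.get("method") or "get").lower()}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            if self._current["has_password"]:
                self.forms.append(self._current)
            self._current = None

def audit_login_page(page_url, html):
    """Return (submit_url, verdict, reasons) per login form; an empty action posts to page_url."""
    parser = LoginForms()
    parser.feed(html)
    results = []
    for form in parser.forms:
        target = urljoin(page_url, form["action"])
        reasons = []
        if urlparse(page_url).scheme != "https":
            reasons.append("login page served over HTTP")
        if urlparse(target).scheme != "https":
            reasons.append("credentials submitted over HTTP")
        if form["method"] == "get":  # assumption: GET puts credentials in URLs and logs
            reasons.append("credentials sent in the URL (GET)")
        results.append((target, "Fail" if reasons else "Pass", reasons))
    return results

# Constructed sample pages on a hypothetical host, not any ISP's real markup.
FORM = '<form action="{}" method="post"><input name="u"><input type="password" name="p"></form>'
SAMPLES = {
    "https://clientzone.example/login": FORM.format("/auth"),
    "http://clientzone.example/login": FORM.format("https://clientzone.example/auth"),
}
for url, page in SAMPLES.items():
    print(url, audit_login_page(url, page))
```

The second sample fails even though its form posts to HTTPS, because a login page delivered over HTTP can be altered before it reaches the browser.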