Wyndham Call-in Security Concern

Bigrob

TUG Member
Joined
Jul 9, 2011
Messages
2,099
Reaction score
141
Points
273
Location
Centreville, VA
Without saying too much about the circumstances, I discovered today that one of the resellers I've purchased a contract from gained access to my account and had access to all my private data, all of my reservations, etc. This again raises the concern that the call-in center is not at all secure (several times I've called, the only information required was my name and member number - not even a zip code or phone number). Obviously, resellers have access to your member number, zip and phone number. I don't know of any way to protect it from further shenanigans other than to get a new member number. (They added a challenge password to the account but it's not a requirement that the VC ask).

Has anyone else had to get a new member number? Concerned about potential other impacts that I want to avoid, but very concerned about the security breach.
 

markb53

TUG Member
Joined
Aug 13, 2011
Messages
930
Reaction score
253
Points
274
Location
Northern California
Resorts Owned
CWA
Panama City Beach
Worldmark
> Obviously, resellers have access to your member number, zip and phone number. I don't know of any way to protect it from further shenanigans other than to get a new member number. (They added a challenge password to the account but it's not a requirement that the VC ask).
>
> Has anyone else had to get a new member number? Concerned about potential other impacts that I want to avoid, but very concerned about the security breach.

Why would a reseller need to have your member number? When I bought a resale contract, I don't believe I ever gave the reseller my member number.

 

SmithOp

TUG Review Crew
TUG Member
Joined
Jun 17, 2010
Messages
7,643
Reaction score
3,439
Points
499
Location
Huntington Beach, CA
Resorts Owned
HGVC King's Land 2BR Premier 23.040K Points.
In these days of HIPAA and other ISeC controls I'm surprised they are not even using a PIN number sent out by mail for two factor authentication. There must be a security auditor somewhere in their organization that needs to be alerted to this exposure.
 

comicbookman

TUG Member
Joined
Feb 2, 2013
Messages
973
Reaction score
321
Points
274
Location
Dillwyn, Virginia
> Why would a reseller need to have your member number? When I bought a resale contract, I don't believe I ever gave the reseller my member number.

So that the contract gets added to your account as soon as Wyndham is done with the transfer.
 

Sandi Bo

TUG Member
Joined
Mar 22, 2011
Messages
5,145
Reaction score
4,754
Points
498
Location
Omaha
Resorts Owned
Wyndham
I had someone access my account a while back. They called in and cancelled reservations (presidential units :)). Surely they picked up my cancelled reservations for themselves. I got a new account number. Complained quite a bit - to no avail -- for one thing I suggested they ask the security questions in our profile. Apparently when they did that, there were too many complaints from owners who couldn't remember the answer to their security questions thus they stopped asking.

Bottom line -- your concern is very real and Wyndham doesn't want to do anything about it.
 

vacationhopeful

TUG Review Crew: Rookie
TUG Member
Joined
Sep 11, 2007
Messages
12,760
Reaction score
1,699
Points
498
Location
Northeast USA
Sandi - did they record the phone call from the fake Sandi? Did they "see" who immediately booked those cancelled units?

Personally, the software is OUT THERE to match YOUR phone number with the account is CALLING FROM PHONE and to have multiple phone numbers on your account. Yes, it is a second line after I type in a 4 number code ... but it ends other security questions, no operator intervention and I can always change the 4 digit security code.
 

Sandi Bo

The person calling impersonated my father. After several calls and several hours I convinced Wyndham to review the tapes. Surprisingly once they agreed it was fraudulent they let me listen. It wasn't anyone I knew, of that I am sure.

It is really a shame there isn't more interest in securing our accounts. But there is not. The best I could do was get a new account (something they don't like doing). And we all know how easy it would be for someone to once again gain access if they want to.

I had them put a special note on my account to ask for a secret code. But the only way to do it was to put it in the 2nd line of the address. And it didn't work (the VCs didn't ask when I called anyways).

It's history now. That was probably 2 years ago and I've not had any additional issues nor have I heard of anyone else (FWIW).
 

Bigrob

> The person calling impersonated my father. After several calls and several hours I convinced Wyndham to review the tapes. Surprisingly once they agreed it was fraudulent they let me listen. It wasn't anyone I knew, of that I am sure.
>
> It is really a shame there isn't more interest in securing our accounts. But there is not. The best I could do was get a new account (something they don't like doing). And we all know how easy it would be for someone to once again gain access if they want to.
>
> I had them put a special note on my account to ask for a secret code. But the only way to do it was to put it in the 2nd line of the address. And it didn't work (the VCs didn't ask when I called anyways).
>
> It's history now. That was probably 2 years ago and I've not had any additional issues nor have I heard of anyone else (FWIW).

Did getting a new account cause you any other problems? Did it trigger an audit of your account, etc?
 

Bigrob

> Why would a reseller need to have your member number? When I bought a resale contract, I don't believe I ever gave the reseller my member number.

That's how a contract is added into your existing member account. Otherwise, the contract gets assigned a new member account and you may not even be aware it's been transferred... that's happened to me twice where I called checking on the status of some transfers and was told the contract had already transferred.

Then you have to ask Wyndham Title to do a "combine". It's a bit of a pain and takes longer, but I guess it's a small price to pay versus having this security exposure.

The person I spoke to in Owner Care did seem genuinely concerned and actually asked me to provide as much detail as possible regarding the person and reseller who had accessed my account without authorization.
 

markb53

> So that the contract gets added to your account as soon as Wyndham is done with the transfer.

They had my name, address and zip code. When I called Wyndham to confirm, they knew exactly whose account it went to. I didn't need to give my member number to anyone.

 

comicbookman

> They had my name, address and zip code. When I called Wyndham to confirm, they knew exactly whose account it went to. I didn't need to give my member number to anyone.

When I did not provide an account number, Wyndham tried to put my new points into a new account.
 

Sandi Bo

> Did getting a new account cause you any other problems? Did it trigger an audit of your account, etc?

Getting a new account was not as painful as I thought it would be. My biggest complaint is that I wanted to know when it was going to happen and they did not communicate that to me like they should have. Thus one morning I had a weird error when trying to log in, took me a bit to realize it was my account - I first thought the system was down. Wyndham was supposed to contact me when they made the switch but didn't. So I waited for the phone lines to open and called. Humorously, I was able to call, and obtain over the phone my new account number and gain access again.

I don't know that getting a new account did much for me, other than it was Wyndham's suggestion and I felt I should follow their advice in order to be taken seriously for the situation overall. I didn't feel I could complain and then not follow their recommendations.

Are you aware, if you don't know your account number, you can be "validated" by using your phone number instead? Although I recommend protecting your account number, I think we all need to be aware that anyone that really wants to access our accounts would be able to figure out how to.

FWIW, I do not provide my account number or address on my guest confirmations (only the owner name). But I am sure the resort can look up the account number (based on conversations I have had in the past with a resort regarding a reservation).

And no, I do not think any type of audit was triggered. I really don't think there is any auditing in place at Wyndham.

Good luck.
 

Ron2

TUG Member
Joined
Dec 19, 2012
Messages
302
Reaction score
14
Points
128
Location
Pennsylvania
Resorts Owned
Bonnet Creek Resort and Wyndham CWA
I too am very concerned about the lack of security and relative ease of access to our accounts. If you do any renting and send the confirmation letter to your renter, you have basically given them the key to your account. Every question that is typically asked to gain access to an account is printed on a confirmation letter. That is why I always black out the member number on the confirmation letter before sending it out. Wyndham needs to require a secret security question or code which must be correctly answered before anyone can gain access to the account. It's too bad that it would be an inconvenience to some people to have an additional code to remember. However, it would be an even greater inconvenience if you lose a reservation because someone has unauthorized access to your account.
 

Bigrob

> I too am very concerned about the lack of security and relative ease of access to our accounts. If you do any renting and send the confirmation letter to your renter, you have basically given them the key to your account. Every question that is typically asked to gain access to an account is printed on a confirmation letter. That is why I always black out the member number on the confirmation letter before sending it out. Wyndham needs to require a secret security question or code which must be correctly answered before anyone can gain access to the account. It's too bad that it would be an inconvenience to some people to have an additional code to remember. However, it would be an even greater inconvenience if you lose a reservation because someone has unauthorized access to your account.

Ron, I used to do that, but now there are resort pre-arrival letters that are sent to me that only have the information I want the renter to have. Specifically, the number of points used and the member account number are not on this PDF, so I no longer have to black those out.

Now I am even more concerned. There is really no way to secure it at all. Of course the reseller has my phone number as it was used during the transfer process. And as a reseller that knows Wyndham well, they would know that all they need to get access to the new account number is the phone number.

The security for call-in transactions and data requests should be equivalent to the security for online.
 

Bigrob

> When I did not provide an account number, Wyndham tried to put my new points into a new account.

Me too. That is why I have 8 different variations of our names in the account. The system does not even seem to recognize that FULL CAPS and lowercase spelling of the name - even when spelled exactly the same way - are the same. It has happened at least twice. I say at least because I may have additional contracts transferred in to my name I still don't know about yet because they didn't land in my main account!
 

Bigrob

> Ron, I used to do that, but now there are resort pre-arrival letters that are sent to me that only have the information I want the renter to have. Specifically, the number of points used and the member account number are not on this PDF, so I no longer have to black those out.
>
> Now I am even more concerned. There is really no way to secure it at all. Of course the reseller has my phone number as it was used during the transfer process. And as a reseller that knows Wyndham well, they would know that all they need to get access to the new account number is the phone number.
>
> The security for call-in transactions and data requests should be equivalent to the security for online.

Is it a sign of dementia when you start quoting yourself? Anyway, after posting this, today I received guest confirmations/resort pre-arrival notification letters, that DID have the points used and member number on them. I wonder if it is based on the resort?

It's really annoying. If there is a guest confirmation, why would they think we as owners would want the member number and points used on the letter?

UPDATED: Spoke too soon. Wyndham sent yet ANOTHER guest confirmation with the resort pre-arrival letter, this time tailored without the member number and points used. Of course I'd already sent the first one not knowing they would send another.

Ron - check to see if you get an email from Wyndham Vacation Resorts - rather than "do_not_reply" - that has the guest info in it. That one should be the one you can send that does not have the member number on it.
 

antjmar

newbie
Joined
Feb 18, 2011
Messages
900
Reaction score
36
Points
188
Location
CT
So is adding a guest's (renter's) email to the guest certificate a bad idea since the email from Wyndham will have our name and contract number?
 

am1

TUG Member
Joined
Dec 3, 2009
Messages
8,084
Reaction score
1,532
Points
448
> Me too. That is why I have 8 different variations of our names in the account. The system does not even seem to recognize that FULL CAPS and lowercase spelling of the name - even when spelled exactly the same way - are the same. It has happened at least twice. I say at least because I may have additional contracts transferred in to my name I still don't know about yet because they didn't land in my main account!

If they are the same person, just spelled differently or have a title added, the computer will still consider them overlapping and cancel. This was according to a supervisor. If it happens but there are two similarly named but different people on the account, send in ID for both and you will get their sympathy. You cannot make this stuff up.
 

Bigrob

> So is adding a guest's (renter's) email to the guest certificate a bad idea since the email from Wyndham will have our name and contract number?

I don't know that they email the letter to the email address entered there. The purpose is supposed to be so the resort can contact you if required. But I have been told it is used more for marketing... so it may be best not to enter it. I used to enter it all the time but now I generally don't.
 

Bigrob

> Which reseller gained access to your account?

I am not going to disclose that because there are extenuating circumstances. What happened should not have happened but I understand the reseller's reasons for what they did. And I am not entirely sure of the method by which they gained the access; there may be some form of legitimate access or information request if certain aspects of a transfer are in dispute. Owner Care seemed to think it was through impersonation, but I do think certain volume resellers that handle many transactions have the ability to work with Wyndham in ways that ordinary players can't.
 

Bigrob

> If they are the same person, just spelled differently or have a title added, the computer will still consider them overlapping and cancel. This was according to a supervisor. If it happens but there are two similarly named but different people on the account, send in ID for both and you will get their sympathy. You cannot make this stuff up.

As in Eric and Eric Jr., with a picture from 30 years ago? :hysterical:
 