# Fradulent access to Wyndham account



## Sandi Bo (Jul 7, 2012)

Has anyone else had any issues?

Someone called and accessed my account.  They knew the account number (which I do not provide to renters) and the name and address on the account (that is the information that the vacation specialist validated).  I do not provide the account address to renters, either, although that could easily be googled.

They cancelled a reservation for a 4 bedroom presidential unit, less than 15 days from checkin,  forfeiting all points.  More critically, I have a renter without a 4 BR presidential unit.  The resort is working with me, but it's July and sold out. 

I can only guess that the fraudster picked up the reservation in their own account, why else do this?

I will be taking a screen shot of my account daily. Had I not noticed the reservation was missing, I would have had a renter show up and not have a room, at least now they are aware and we are working together to make things right. 

I am getting a new account number and have updated as much of the personal information as possible.  I also have a password on my account (in the notes, the VC's are supposed to ask for it when I call now).

My worst nightmare, for sure!


----------



## rrlongwell (Jul 7, 2012)

Sandi Bo said:


> Has anyone else had any issues?
> 
> Someone called and accessed my account.  They knew the account number (which I do not provide to renters) and the name and address on the account (that is the information that the vacation specialist validated).  I do not provide the account address to renters, either, although that could easily be googled.
> 
> ...



For what ever it is worth, probably not a lot, you might want to file a police report with the appropriate law enforcement agency.  Wyndham, in their call in messages, indictes they have the right to record information, that would need to be on the police report so they know to contact Wyndham to see if it exists.  Also, Wyndham uses caller ID, I do not know if they have a way to back track the phone number the call was placed from.  

If Wyndham cannot find a suitable replacement, at a minium, Wyndham should replace the points on the grounds that it was their system that permitted the fraud.

If you are right, their is also a chance Wyndham can back track this by talking with the guest/account owner that ends up with the unit.


----------



## jjmanthei05 (Jul 7, 2012)

The easiest explanation is that your member number is listed on a guest confirmation and your address is probably shown on a paypal invoice. Thank you for the information because I will be removing my address from my paypal invoices to avoid this issue from happening to me.

Did they at least refund you your points?

Jason


----------



## Sandi Bo (Jul 7, 2012)

RR - I will look into filing a police report (why didn't I think of that)? 

Jason - I am really perplexed/concerned over how this happened. I do not forward any of the Wyndham documents that they mail to us (because I feel there is too much personal info in it).  For a guest confirmation -- I go online, view the confirmation, copy and paste that into a word doc, remove the address (so it only has our member name), remove the number of points, and create a pdf.    The address on the account is my Dad's, the address on the paypal invoice is mine.  The fraudster had my Dad's address.   

When I first started renting I did provide the Wyndham docs / info. Over time I evolved to this method which I felt much safer about.  

So, you could say, someone had the information from an old reservation (est. at least 9 mos ago).  However, the fraudster knew the reservation date.

I am still working with Wyndham and the resort on the situation. I'll let you know how it turns out.


----------



## jjmanthei05 (Jul 7, 2012)

Can't they just bump whoever picked up your reservation? They couldn't have had it that long since you said it was canceled within 15 days. I wonder if they could tell what number called in to cancel the reservation and if that is associated with the account that picked up the reservation.  If it was, then I don't see how they don't just give you your reservation back.

Are you allowed to put a password on an account even if there was no fraud? Because I started doing rentals over the last couple months I would much rather be proactive than not. 

Jason


----------



## am1 (Jul 7, 2012)

The caller could have just asked what reservations were showing in the account and choose to cancel it.  They would not have had to know prior to calling in.  

The resort/Wyndham will not bump the person who picked up the reservation.  Even in a situation where a VC cancels the wrong reservation.  

Good luck.


----------



## jjmanthei05 (Jul 7, 2012)

am1 said:


> The caller could have just asked what reservations were showing in the account and choose to cancel it.  They would not have had to know prior to calling in.
> 
> The resort/Wyndham will not bump the person who picked up the reservation.  Even in a situation where a VC cancels the wrong reservation.
> 
> Good luck.



I think they should especially if they can link who called and who picked up the reservation. 

Jason


----------



## rrlongwell (Jul 7, 2012)

jjmanthei05 said:


> Can't they just bump whoever picked up your reservation? They couldn't have had it that long since you said it was canceled within 15 days. I wonder if they could tell what number called in to cancel the reservation and if that is associated with the account that picked up the reservation.  If it was, then I don't see how they don't just give you your reservation back ...



I am not an attorney nor a police officer and the answer to this could vary by state, but it is my understanding that stollen items can be returned to the owner.  It is not necessary to prove knowledge that the person or enity in possession of the stollen item know it was stollen.  That issue would be an issue to whether they were charged with a crime or not.


----------



## jjmanthei05 (Jul 8, 2012)

rrlongwell said:


> I am not an attorney nor a police officer and the answer to this could vary by state, but it is my understanding that stollen items can be returned to the owner.  It is not necessary to prove knowledge that the person or enity in possession of the stollen item know it was stollen.  That issue would be an issue to whether they were charged with a crime or not.



I would agree especially since they know exactly where the "stolen item" is. I don't see how this is that hard to fix. 

Jason


----------



## Sandi Bo (Jul 8, 2012)

I spent a good part of my day convincing Wyndham that there was fraud. At first they weren't going to listen to the recording until Monday, at the earliest, hopefully get back to me by Thursday.

The resort is who stepped up to help, as much as they can (given they don't have a room).  I get the feeling they are looking into things further than they can disclose.

As far as a password on your account, I would think anyone could do it. You might have to be insistent (at first this wasn't offered to me).  It's just a notation on the account that a password is required - the password is right there in the notes, too.  And it's not fail proof (although I tested it out (called later today) and the VC did ask for it. 

All Wyndham notates when you call in is male or female property owner, and that isn't consistent.  

am1, you are correct, the VC will walk you through all your reservations. But the fraudster did know the date of the reservation (it was a split, he knew the checkin date of the 2nd half (didn't appear to even know how many days it was for - he asked), but the VC offered to go through the rest - and in that process asked if he also wanted to cancel the first part of the split), which he did)).  

Wasn't that kind of him not cancel the deluxe reservations?

As far as recovering the room - their take on it is that a 4 BR presidential for July would last seconds out on the online system, anyone could pick it up.


----------



## rrlongwell (Jul 8, 2012)

Sandi Bo said:


> I spent a good part of my day convincing Wyndham that there was fraud. At first they weren't going to listen to the recording until Monday, at the earliest, hopefully get back to me by Thursday.
> 
> The resort is who stepped up to help, as much as they can (given they don't have a room).  I get the feeling they are looking into things further than they can disclose.
> 
> ...



What I was trying to indicate in the earlier post is that it may not matter who picked it up.  If it is a stollen item, it may not matter.  If you file a police report quick enough, maybe the Police Officer can help with this issue since it is in a known location.  If Wyndham has controll of the stollen item at this point and refuses a Police Request to return it, then the repurcusions, if any, would be on them.  It would sound like aiding and abeiting to me.


----------



## learnalot (Jul 8, 2012)

Sandi,

This is terrible - so sorry this happened to you.  I agree that there is FAR too much info on the confirmation docs from Wyndham, especially for guest confirmations.  It sounds like you have been careful about that with guest confirmations.  Do you do the same with your own confirmations?

Did you read the recent threads regarding the FTC taking legal action against Wyndham regarding their woefully inadequate network security and unencrypted storing of customers' personal data on local computers, along with a vulnerability that allowed dishonest employees from one location to access the stored information at another?  

I won't use their wifi for anything that requires a password. The data breeches documented in the complaint go back a couple of years but since we never received notification from Wyndham of the problem, I have no reason to feel confident that they have corrected it.  Also, as I type this, I recall at least once where they made a copy of my confirmation at check-in.  I know others have complained about our full account numbers and addresses appearing on the guest confirmations.  I don't think they should appear on ANY of the confirmations!  It should only be the last digits of acct number just like a credit card would have.

Good luck.  Hold their feet to the fire and keep us posted!


----------



## jjmanthei05 (Jul 8, 2012)

learnalot said:


> Sandi,
> 
> This is terrible - so sorry this happened to you.  I agree that there is FAR too much info on the confirmation docs from Wyndham, especially for guest confirmations.  It sounds like you have been careful about that with guest confirmations.  Do you do the same with your own confirmations?
> 
> ...



I don't know if it's changed but if you send the guest confirmation that they put in your guests name, your address doesn't appear anywhere. I think I am going to create a word doc form today that resembles wyndham's guest confirmation but with key pieces either removed or only the last few digits showing. I will post what I create to help others who would like to use it. 

Jason


----------



## vacationhopeful (Jul 8, 2012)

Sandi,
I don't know where you advertise, but some of those sites will provide more info than you think when you email back a person. Or they can inquire about 1 rental and figure out what else you have available (like Redweek).

Did you have a "NFW would you rent at that price" inquiry in the last several weeks from a crackpot? Or someone who wanted YOU to prove you had the RIGHT to rent something to them?

Also, is your last name (dad's name) common or very unique? NE is not a hot bed of timeshare owners (my brother lives there). Could they have Google'd his street address? Is your house phone number used or do you use a cell? And they might have call Wyndham 20 times before hitting/getting all the info for your account to mess with it.

I know when I am emailing or talking to a possible guest, some are TOTALLY insane - I then make up where I live.


----------



## Sandi Bo (Jul 8, 2012)

Thanks everyone for the comments / suggestions. 

Trying to answer a few questions:



am1 said:


> The resort/Wyndham will not bump the person who picked up the reservation.  Even in a situation where a VC cancels the wrong reservation.


You are correct (of course). That is painfully obvious in my situation. I feel I have to understand and appreciate that. The resort is working with me, I think as best as they are able. They can’t make a 4BR Pres appear out of nowhere (although my fraudster can).



learnalot said:


> It sounds like you have been careful about that with guest confirmations.  Do you do the same with your own confirmations?


Family has not rented at that particular resort since last August. For other resorts, we sometimes print the Wyndham stuff, but not lately. It’s just so easily to go online and grab the confirmation there, I rarely open the Wyndham emails, unless I need track something down.



learnalot said:


> Did you read the recent threads regarding the FTC taking legal action against Wyndham regarding their woefully inadequate network security…


Yes, thank you (and thank you TUG). I referenced the lawsuit in my conversation yesterday with Wyndham Owner Care (the person was not aware). 



rrlongwell said:


> What I was trying to indicate in the earlier post is that it may not matter who picked it up.  If it is a stollen item, it may not matter.  If you file a police report quick enough, maybe the Police Officer can help with this issue since it is in a known location…


I understand, and I agree, but there just isn’t enough time to make things right. And as Wyndham said, a 4 BR Presidential in July would be gone in seconds – anyone on the online system could pick it up. I have to trust the resort is following up, I believe there are things being looked at that can’t be disclosed to me. I will ask if they want me to file a police report. I am trying to work with them, as they are working with me.



jjmanthei05 said:


> I think I am going to create a word doc form today that resembles wyndham's guest confirmation but with key pieces either removed or only the last few digits showing. I will post what I create to help others who would like to use.


I go online, under Memberships -> View Confirmations -> and select the reservation.  I copy and paste that information into a word doc (starting where it says: Please present this confirmation to the front desk upon check in).  Then I remove the address under member name, leaving only the member name, I also remove the number of points.  Some resorts have a link to for door-to-door directions, which I remove because it doesn't work.  But otherwise this gives resort specific info (directions and policies) to the guest.  I select the whole thing, and left align it, and adjust margins if I need to so it fits on 2 pages (okay, that's where I get a little anal to make it pretty), and create a pdf.  The pdf is sent to the guest.

Linda, all good points, but don’t think they apply.  Dad’s last name is different than mine and he lives in a different state.  Although maybe they kept trying, the last name is fairly unique and I suppose by googling you could get the address right after a few tries.  Another interesting thing was the fraudster pronounced the name correctly. It is french and NO ONE pronounces the name correctly. I'm not sure what that means, but I find it interesting.

I will continue to work with the resort and Wyndham regarding this. Wyndham has returned my points. That’s good, but of much greater concern is a renter without the expected room and the fraudster having enough info to gain access to my account. I did lose rental income (maybe I’ll appreciate that come tax season)? (That was a joke). And concern that I’m still not sure I fully understand the motivation nor how the person got the information they did. Any more thoughts on the motivation becomes too speculative.

And today when I called Wyndham, the VC did not ask for my password.   Heavy sigh.


----------



## Cheryl20772 (Jul 8, 2012)

Sandi Bo said:


> I understand, and I agree, but there just isn’t enough time to make things right. And as Wyndham said, a 4 BR Presidential in July would be gone in seconds – anyone on the online system could pick it up.



This line puts to the lie that VIP's can safely cancel and rebook to get discounted rooms.  You are saying that Wyndham can't even safely do this?

Sorry, this isn't on topic for your personal situation, but there's been more and more people duped by the sales line about an imaginary "safehouse".

I hope you can find some kind of solution soon.


----------



## vacationhopeful (Jul 8, 2012)

As I have experienced before during the Winter season in South FLorida ... there is a re-capture routine in the reservation software where a certain size unit at a resort or all units for certain dates, NEVER make it back onto the online system for anyone. PERIOD. 

I fully would expect Sales, the Discover Program (a sales program) and Extra Holidays to have access to snagging those "cancelled"/"stolen" reservations, IMHO.


----------



## ampaholic (Jul 8, 2012)

vacationhopeful said:


> As I have experienced before during the Winter season in South FLorida ... there is a re-capture routine in the reservation software where a certain size unit at a resort or all units for certain dates, NEVER make it back onto the online system for anyone. PERIOD.
> 
> I fully would expect *Sales, the Discover Program (a sales program) and Extra Holidays* to have access to snagging those "cancelled"/"stolen" reservations, IMHO.



I find myself even wondering if the person who cancelled the reservation maybe doesn't work for *Sales, the Discover Program (a sales program) and Extra Holidays* .... just thinkin' out loud.


----------



## Carol C (Jul 8, 2012)

How do you know somebody called and cancelled your confirmation? What makes you think Wyndham wouldn't stoop to do that in order to rent a 4 br Presidential out? I once was victim to II cancelling a ressie I had in Paris, and they kept insisting that I cancelled or somebody else with my account number cancelled. How can we ever know for sure who cancels our really desirable vacation confirmations without our knowledge or consent?


----------



## rickandcindy23 (Jul 8, 2012)

ampaholic said:


> I find myself even wondering if the person who cancelled the reservation maybe doesn't work for *Sales, the Discover Program (a sales program) and Extra Holidays* .... just thinkin' out loud.



I agree with this.  Who else can access your account?  No one else.  They can cancel whatever they want to make a buck.  I don't trust Wyndham.


----------



## Sandy VDH (Jul 8, 2012)

I do find that a bit disturbing, expecially when it is rented out and it is a 4 BR not any easy unit to come by. 

If you cancel online there should be an email that is generated.  If over the phone I don't think anything is generated. 

I should have a record if done via the phone who the VC was the cancelled the unit.  I would ask for that information as well, it should be on record who was the "user" that performed the function.  If not they have NO accountability for anything, and I sure don't think that they would put in a system that did not keep an audit on transactions.

All the more reason never to call, if they get a booking and cancel via a call, is was definately NOT from me.


----------



## jjmanthei05 (Jul 8, 2012)

Carol C said:


> How do you know somebody called and cancelled your confirmation? What makes you think Wyndham wouldn't stoop to do that in order to rent a 4 br Presidential out? I once was victim to II cancelling a ressie I had in Paris, and they kept insisting that I cancelled or somebody else with my account number cancelled. How can we ever know for sure who cancels our really desirable vacation confirmations without our knowledge or consent?



She said they pronounced her name right so I'm guessing she has listened to the recorded conversation that the fraudster made with the VC.

Jason


----------



## jjmanthei05 (Jul 8, 2012)

Sandy Lovell said:


> Can they at least tell you when and how they think it was cancelled.  Date/Time and method (phone or online).
> 
> I do find that a bit disturbing, expecially when it is rented out and it is a 4 BR not any easy unit to come by.
> 
> ...



There are no emails generated from Wyndham ever when you cancel a unit, either online or over the phone. 

Jason


----------



## amycurl (Jul 8, 2012)

Maybe there should be? Before finalizing the cancellation, an e-mail is sent to the e-mail on file. The owner has to click a link to finalize the cancellation. Very easy to set up, relatively low cost, and it would have completely prevented this situation from happening.


----------



## Sandy VDH (Jul 8, 2012)

jjmanthei05 said:


> There are no emails generated from Wyndham ever when you cancel a unit, either online or over the phone.
> 
> Jason



I will have to go cancel something, because I thought I received a cancelled via email before.  Perhaps I am confusing it with one of my many other systems.

If they don't have a system generated one then they should have, because then OP would have know as soon as OP saw the cancelled email.


----------



## jjmanthei05 (Jul 9, 2012)

Sandy Lovell said:


> I will have to go cancel something, because I thought I received a cancelled via email before.  Perhaps I am confusing it with one of my many other systems.
> 
> If they don't have a system generated one then they should have, because then OP would have know as soon as OP saw the cancelled email.



Wyndham doesn't send the cancellations because I do the cancel / rebook multiple times a week and haven't gotten one but then again over the last few days I haven't been getting my guest confirmations emailed to me either. I get the initial one that is sent instantly but the printable one the next day hasn't come for 3 different guest certificates I have set up. 

Jason


----------



## Sandi Bo (Jul 9, 2012)

Sorry, I am behind on comments to my own post.

Yes, it was a phone call. Yes, I was able to listen to the recording.  I was told (numerous times) calls are recorded for quality and training purposes only. I’m guessing either they called either because that is less traceable or they didn’t have my online credentials (or both).  And yes, Wyndham could tell the exact time the cancellation was made and trace it to the call (and the VC who cancelled the reservations).  Sadly, after cancelling the 1st reservation the fraudster called in about (and cancelling a 4BR Presidential and forfeiting the points), the VC asked the fraudster if there were any other reservations he’d like to cancel, walked him through all my reservations (with the fraudster always asking ‘is that a Presidential’?), and eventually he also cancelled the other half of the split reservation for the 4BR Presidential (and, again, forfeiting the points).  As far as the reservation he originally asked about, I do not believe he knew how long the reservation was for, only the date and that it was a presidential. He asked how many days it was for.

I agree with Jason, there are no notifications or emails or even record in your online account (confirmations) whatsoever of cancelled reservations.  They are just gone.  That is definitely something I will bring up to Wyndham as I continue to discuss this with them.  An email would have been helpful in my situation.  I probably still would have lost the reservation (how long would a 4BR Pres sit out there) but it’s just wrong that I received no notification whatsoever.

Earlier I said they added a password to my account.  I thought it was in a note area on my record prompting the VC to ask for a password.  Not true.  Here’s my experience.  
-- Was told a password was added to the notes
-- 1st time I called in, I was asked for it
-- 2nd time I called in, I was not asked for it
-- 3rd time I called in, VC says ‘what’s this password stuff in your email address’, after I explained he stated (correctly) you aren’t going to get emails anymore with this extra text in the email address field.  So now the password is set up as the 2nd line of my address – haven’t called in yet to see if that’s going to work; I hadn’t gotten any emails since Saturday (I started getting some late this afternoon).

The password work-around is manual and is not fool proof. Most frustrating for me is the total lack of concern on Wyndham’s part.  I saw the post about the FCC filing suit.  This is not the same type of security breach (IMO), but definitely smells of someone obtaining my account information from Wyndham somehow (they sure didn’t get it from me).

And to add to Cheryl’s comment about no guarantees when you cancel and rebook. That is one statement I will always object to in a sales presentation (most I let go, but that one I just can’t let slide). If you question a sales rep, about guaranteed rebooking, they’ll say ‘just don’t do it at 8am’ or don’t do it exactly on day 60, etc. Eventually they have to admit it’s not foolproof, but they sure try not to.  I feel it is one of the most misrepresented VIP benefits they tout.

And the saga continues (no updates as far as any follow up from Wyndham).


----------



## ampaholic (Jul 10, 2012)

I have heard of renters wanting to cancel and being concerned about getting a refund - if the unit was cancelled they would expect a full refund. 

I wonder, did the voice sound like your renter?


----------



## rrlongwell (Jul 10, 2012)

Sandi Bo said:


> Sorry, I am behind on comments to my own post.
> 
> Yes, it was a phone call. Yes, I was able to listen to the recording.  I was told (numerous times) calls are recorded for quality and training purposes only. I’m guessing either they called either because that is less traceable or they didn’t have my online credentials (or both).  And yes, Wyndham could tell the exact time the cancellation was made and trace it to the call (and the VC who cancelled the reservations).  Sadly, after cancelling the 1st reservation the fraudster called in about (and cancelling a 4BR Presidential and forfeiting the points), the VC asked the fraudster if there were any other reservations he’d like to cancel, walked him through all my reservations (with the fraudster always asking ‘is that a Presidential’?), and eventually he also cancelled the other half of the split reservation for the 4BR Presidential (and, again, forfeiting the points).  As far as the reservation he originally asked about, I do not believe he knew how long the reservation was for, only the date and that it was a presidential. He asked how many days it was for.
> 
> ...



How did it turn out with the person you had rented to, well I hope.


----------



## Sandi Bo (Jul 10, 2012)

I have talked extensively to the renter and I do not believe they were a part of this. The voice is definitely not the renter. It would be a great scam, but I do not believe that is the case here.  They are staying, for no charge, in a 2 bedroom deluxe. I am the one that first brought up a refund. The renter does not have any information about the account, other than the member name.  They do not have the account number or address that would be needed to pull this off. It's my Dad's account, so the last name and mine are different. The address on the invoice is mine (different state than Dad's). I have always tried to protect my father's identify as I've managed his account and do not reveal any more information about him than I have to (only his name, nothing else).


----------



## jjmanthei05 (Jul 10, 2012)

I'm not sure if this is a coincidence or not but since you posted your comment on Saturday, I have not received the 2nd guest confirmation email on any of my reservations that I have added since then. I get the first one instantly but the PDF type one hasn't come for 3 different reservations I have added guests to since then. 

Jason


----------



## Sandi Bo (Jul 10, 2012)

Did you have them add a password to your account?  You might want to check your profile to see if your email address is still valid.  I have had issues with not receiving emails, in the past, when I have changed the email address online.  It takes a day or two to run through their batch process and things don't flow properly, some emails just don't get sent, if they can't email they (sometimes) default to snail mail. Definitely a broken process.


----------



## Sandy VDH (Jul 10, 2012)

At my HGVC when you call in for booking they have 5 security questions that they have on file and they randomly ask 1 of them.

Wyndham has to do something to add some security.  Asking your member number and address is something that is on every reservation, everywhere.  Nothing secure about it at all.  At least it is not our SSN, which is what they used to use a long time ago.

What got me thinking was .... What was the motivation from the caller to cancel just Presidential bookings? Now that is what strikes me as very specific and very deliberate.  But to what end.  The only 2 choices I can think of, is 1) to try to get Presidential bookings for themselves or for someone who is in on it, or 2) Vendictive (either personally or just randomly).  Why else would someone go to such lengths?  

They would have to get your account number, your name and address, your checkin date and the resort you were booked at.  Now some of those items are readily available via online searches.  But the account number could lead to a past guest but you say you do not provide Wyndham reservations that show that information.  So that might rule out past renters.  However the caller also had check in date and resort.

Logically working through all that information it only leads me to the conclusion that it was an inside job. What other possiblities could there be.

I find it hard to believe that a random caller would know your account number, name, address, resort check in date, and unit type.  

Only my opinion, but how else could someone randomly collect all that information?


----------



## rrlongwell (Jul 10, 2012)

Sandi Bo said:


> I have talked extensively to the renter and I do not believe they were a part of this. The voice is definitely not the renter. It would be a great scam, but I do not believe that is the case here.  They are staying, for no charge, in a 2 bedroom deluxe. I am the one that first brought up a refund. The renter does not have any information about the account, other than the member name.  They do not have the account number or address that would be needed to pull this off. It's my Dad's account, so the last name and mine are different. The address on the invoice is mine (different state than Dad's). I have always tried to protect my father's identify as I've managed his account and do not reveal any more information about him than I have to (only his name, nothing else).



I am pleased to her it worked out for the renter.  You should also try and get the points you are out back from Wyndham for the 2 bedroom.  They will probably do this.  If not, asked to speak to the escalation department.

The following is how a different Timeshare company handled a similar situation.

http://tugbbs.com/forums/showthread.php?t=174094


----------



## ampaholic (Jul 10, 2012)

Sandy Lovell said:


> At my HGVC when you call in for booking they have 5 security questions that they have on file and they randomly ask 1 of them.
> 
> Wyndham has to do something to add some security.  Asking your member number and address is something that is on every reservation, everywhere.  Nothing secure about it at all.  At least it is not our SSN, which is what they used to use a long time ago.
> 
> ...



+1 This was certainly not a random "is you refrigerator running" type drive by phone prank - this took inside knowledge.

That surmise should lead to a small list of suspects - not just "anybody with a phone".

Hope you can eventually ferret out the right suspect.


----------



## jjmanthei05 (Jul 10, 2012)

Sandi Bo said:


> Did you have them add a password to your account?  You might want to check your profile to see if your email address is still valid.  I have had issues with not receiving emails, in the past, when I have changed the email address online.  It takes a day or two to run through their batch process and things don't flow properly, some emails just don't get sent, if they can't email they (sometimes) default to snail mail. Definitely a broken process.



No my email is correct. I get the initial confirmation its just the one with the link to print out the guest confirmation that i don't get. Random question, would they give you the phone number that called in? you should try and get it to see if you could track down who actually canceled your reservation. 

Jason


----------



## rrlongwell (Jul 10, 2012)

jjmanthei05 said:


> No my email is correct. I get the initial confirmation its just the one with the link to print out the guest confirmation that i don't get. Random question, would they give you the phone number that called in? you should try and get it to see if you could track down who actually canceled your reservation.
> 
> Jason



No, this could just expand the problem as it relates to the orginial poster.  She should just leave it to the police and if she wanted to let the FTC know.  Easy to do, just go to their Web site and use the contact us link.  It does not appear that Wyndham has made her "whole" at this point.  So, I would think there is a basis for a complaint.  I do not know if it would have any practical good other than for a "good of the order" complaint.  Add a voice to those who are being harmed.


----------



## geekette (Jul 10, 2012)

amycurl said:


> Maybe there should be? Before finalizing the cancellation, an e-mail is sent to the e-mail on file. The owner has to click a link to finalize the cancellation. Very easy to set up, relatively low cost, and it would have completely prevented this situation from happening.



but if I'm up to no good, why wouldn't I change the email addy to come to me also?  No sure prevention.


----------



## jjmanthei05 (Jul 10, 2012)

geekette said:


> but if I'm up to no good, why wouldn't I change the email addy to come to me also?  No sure prevention.



Even thought this would have hopefully prevented this situation how many elderly owners are out there that don't use the internet? are you going to explain to them they are going to have to go to their email and click a link? It seems to be an overreach for a very isolated incident. I know it sucks for Sandi but I haven't ever heard of this from anyone before, so we should be careful of overreach here. 

Jason


----------



## Sandi Bo (Jul 10, 2012)

I had a good conversation today with Wyndham. They do appear to realize the seriousness of the situation.  They are working to make me “whole”. They have credited the points related to this incident, and the guest confirmations, and we are discussing other things.  My renter is happy with the room she received.  My number one concern was that she be taken care of, and she has been.  Also of top concern was that there be no further infractions on my account, and I think things are taken care of, as well as they can be at this time.  A couple follow-up comments:

* Don’t waste your time trying to put a special password on your account.  The system isn’t equipped for that, and whatever work-around you come up with, it is not fail-safe.

* I did suggest two things that, in my opinion, would help and should be doable with the current system:
 - There is a ‘Secret Question’ in our profiles – I suggested they start using it
 - Add functionality to send emails for cancellations

* As geekette has pointed out, someone could change things and so the above things can’t be depended on, either. Wyndham needs to put better security around certain data (require additional authentication before allowing changes to critical data, for example recognize when you are on a new computer (again requiring additional authentication)). Think about how your banks work – or other places that really do implement secure access (for online access to my credit card – if I am on a new computer – it calls the number on my account with a passcode – I chose whether I want a phone call, text, or email to previously established numbers or emails – that can’t be changed at that time).  Wyndham’s security is very, very weak. I can’t imagine it passing any type of audit whatsoever.

* Amy, good ideas, but to Jason’s point, probably too much added process, and for some people, not practical.  People cancel reservations all the time, and it needs to be a smooth process. For example, if it was exactly 15 days from check-in, and you couldn’t get something to cancel, you might end up forfeiting points. If they’d fix the security issues, they wouldn’t have to add overhead to the cancellation process.

I hope, if nothing else, I have raised awareness of the issue. I wish I understood the motivation of the fraudster, I (we) can only speculate. This has been escalated at Wyndham and I do believe they are researching further. The resort is researching further. I don’t know if they will disclose their findings to me or not. But I do think both Wyndham and the resort are concerned. This certainly can’t occur on a regular basis, at this point, I have to believe (and hope and pray) it’s a one-off occurrence.

Jason, I still haven’t gotten any of the emails that are generated out of their overnight batch (the ‘Your Reservation is Confirmed…’ or ‘ Your Wyndham Vacation is Almost here’ ones). The last ones of those I got were on July 6th.   I am receiving the emails you get at the time of booking (from ‘do not reply@wyndham...) since fixing my email address (taking the password text out).  I have noticed batch issues before (haven’t we all) and I’ve always complained that none of the mailings are consistent.  And darn it, I forgot to ask Wyndham if they have the phone number of the caller.  I don’t expect them to give it to me, but I do want to ask. I put it on my list for my next conversation with them.


----------



## ledaga (Jul 10, 2012)

Internal....


----------



## jjmanthei05 (Jul 10, 2012)

Sandi Bo said:


> I had a good conversation today with Wyndham. They do appear to realize the seriousness of the situation.  They are working to make me “whole”. They have credited the points related to this incident, and the guest confirmations, and we are discussing other things.  My renter is happy with the room she received.  My number one concern was that she be taken care of, and she has been.  Also of top concern was that there be no further infractions on my account, and I think things are taken care of, as well as they can be at this time.  A couple follow-up comments:
> 
> * Don’t waste your time trying to put a special password on your account.  The system isn’t equipped for that, and whatever work-around you come up with, it is not fail-safe.
> 
> ...



I think it would be a good thing just to have a "you canceled this reservation email". You wouldn't have to click on any link to confirm the cancellation but at least you have a record that it was in fact canceled. I think the thing you could do is adjust something in your address, specifically your zipcode to make it more difficult for someone to get into your account. 

Jason


----------



## Sandi Bo (Jul 11, 2012)

jjmanthei05 said:


> I think it would be a good thing just to have a "you canceled this reservation email". You wouldn't have to click on any link to confirm the cancellation but at least you have a record that it was in fact canceled. I think the thing you could do is adjust something in your address, specifically your zipcode to make it more difficult for someone to get into your account.
> 
> Jason



I agree, it doesn't make sense that they don't confirm a cancellation.

Is there mail you want to receive that you won't get if you alter your address?  A nice side-effect of putting something (unique) in your address, is it helps traceability when something happens.  One time my husband's name was spelled wrong, and we got lots of junk mail with that name.  I knew who sold the info, based on the spelling of the name.

Bottom line is Wyndham has got to step up their security. We are all vulnerable with the current system as it stands.


----------



## jjmanthei05 (Jul 12, 2012)

Sandi Bo said:


> I agree, it doesn't make sense that they don't confirm a cancellation.
> 
> Is there mail you want to receive that you won't get if you alter your address?  A nice side-effect of putting something (unique) in your address, is it helps traceability when something happens.  One time my husband's name was spelled wrong, and we got lots of junk mail with that name.  I knew who sold the info, based on the spelling of the name.
> 
> Bottom line is Wyndham has got to step up their security. We are all vulnerable with the current system as it stands.



I think instead of asking for a zipcode if they did just like my bank and asked for a "passcode" that doesn't show up anywhere online. I think it would solve almost all the problems.  

Jason Manthei


----------



## learnalot (Jul 12, 2012)

jjmanthei05 said:


> I think instead of asking for a zipcode if they did just like my bank and asked for a "passcode" that doesn't show up anywhere online. I think it would solve almost all the problems.
> 
> Jason Manthei



Agreed.  In fact, I find it extremely irritating having to recite my address to them knowing that it is a ridiculously porous piece of information, especially considering that they put far too much owner info on every confirmation in plain view of anyone who lays eyes on it.


----------



## regatta333 (Jul 17, 2012)

I noticed the problem with all of the personal account information on the guest certificate.  What I do is to foward my guests the initial email I get from Wyndham when I first add the guest to the reservation.  

It says "Guest Confirmation" on the email, has the guest name, check-in
date, and length of stay.  It also has a link to the resort, for additional information.  None of my guests has ever had an issue using this to check in,
and it does not include my account information.

Since I require my renters to sign a rental agreement, which includes my
address and phone number, withholding those is not an option.


----------



## learnalot (Jul 17, 2012)

regatta333 said:


> I noticed the problem with all of the personal account information on the guest certificate.  What I do is to foward my guests the initial email I get from Wyndham when I first add the guest to the reservation.
> 
> It says "Guest Confirmation" on the email, has the guest name, check-in
> date, and length of stay.  It also has a link to the resort, for additional information.  None of my guests has ever had an issue using this to check in,
> ...



Regatta,

I agree.  I wouldn't forward something with all that information to someone else, but I did usually print the confirmation documents for our OWN travels (not anymore!).  My point is that the amount of personal information available on the confirmation documents leaves too much room for internal misappropriation, to say nothing of third party fraud.  Couple that with their abyssmal network security and the situation is completely unacceptable.  Our full account numbers should NOT appear on confirmation documents.  Period.


----------



## kaio (Jul 17, 2012)

Sandi, I am so sorry to hear about your troubling tribulation.  I hope everything get's reconciled to the greatest extent possible.  Good to hear at least you did not get blocked out of your own account which would have made accessing information and reconciling even more difficult /or time consuming.  (don't want to exactly say how you can get locked out of your own account on a public forum... but good to hear it did not spur to that)


----------

