Evolution of Fraud

StevenTing

Scammers/Bad Actors are now more sophisticated when it comes to Fraud and Abound Points

I had an unpleasant conversation with MVC a few days ago about fraud that is occurring with Abound points. During MVC's ongoing investigation, they've narrowed down the common factor of the victims to VPE. This is very unfortunate. Back in October 2024, a Buyer reached out to me saying that MVC contacted them and that the "Seller" didn't authorize the transfer and that they were researching. Two months go by without any additional word from MVC so the Buyer thought all was good. In early January 2025, Buyer is notified by MVC that they have taken the points back due to fraud. This was for 4,000 points so this was a high value transaction.

The "Seller" was one of my Verified Sellers. I have a copy of their license. A copy of their MVC Profile. Everything matches up. The kicker, MVC tells me that the Seller/Owner is also a victim. Somehow their MVC account was compromised. What I cannot wrap my head around is that even though the MVC account might be compromised, I have a copy of the driver license as a secondary security step. I have a picture of the driver license. Not a digital copy or a scanned copy but a photo. It's gone through my mind that the driver license could be AI generated or photoshopped so now I've started requiring a selfie of the person holding their driver license as well.

MVC indicated that they have narrowed down the bad actor to an individual and this person is not an owner. They have call recordings of the bad actor. They implied that this bad actor has compromised multiple accounts and transferred points out of the accounts. Some of the affected owners didn't find out until 2-4 months after the fact that their points had been transferred out.

While on the phone with MVC, I looked at the login page more closely. MVC does not have MFA or any additional security on the page. When you use the online form to transfer points to another owner, you do not receive a confirmation or notification that points are being transferred.

All of this is different from the simple fraud of people transferring money and the bad actor ghosting them. In these cases, they're taking over accounts, transferring points, and repeating this over and over. I will do what I can to improve my verifications but as MVC put it, there are many layers to this fraud that even they can't seem to figure out how it's perpetrated.

Because many minds are better than just one, I would love any theories or ideas of how you think this fraud is occurring. I'm also open for suggestions that I can use for verification. I'm also happy to share any security ideas to MVC as well.
 

dioxide45

The only way I could think they are compromising accounts (without thinking inside knowledge) is that people are using simple passwords and/or the same password for multiple online accounts.

I believe on Facebook you indicated that the person called in to do the transfer? What kind of security measures does MVC have to verify a caller?

Also, what is stopping an owner from transferring points and later claiming they were transferred fraudulently and getting them back?
 

StevenTing

> The only way I could think they are compromising accounts (without thinking inside knowledge) is that people are using simple passwords and/or the same password for multiple online accounts.
>
> I believe on Facebook you indicated that the person called in to do the transfer? What kind of security measures does MVC have to verify a caller?
>
> Also, what is stopping an owner from transferring points and later claiming they were transferred fraudulently and getting them back?

Simple passwords is one thing. They also have to know the username. However, one can easily find out the username because the form asks for First Name, Last Name, and Customer ID. Because of the way MVC does the transfers, getting the Customer ID is relatively easy. When you do a transfer for someone, they have to provide you their Customer ID. All of the info to find out their username. Then it's just a matter of figuring out the password.

I want to say when I called into MVC, they ask me my email address for verification. I want to say in the past they asked for zip code. Both are not difficult to find on the dark web. With the recent National Public Data breach last year, there's a lot more to work with for bad actors.

And to your last point, there are ways they can validate. I believe for online transactions, they check their log files and compare IP addresses to past/historical logins. But that's only if they use the form. If they call in, not sure how they trace that. I'm under the impression that they no longer allow you to call in for transfers, but maybe that's just something I made up. I wonder if you could call in and transfer without providing much more than the Customer IDs of your account and the buyer's account.
 

jmhpsu93

> The only way I could think they are compromising accounts (without thinking inside knowledge) is that people are using simple passwords and/or the same password for multiple online accounts.
>
> I believe on Facebook you indicated that the person called in to do the transfer? What kind of security measures does MVC have to verify a caller?
>
> Also, what is stopping an owner from transferring points and later claiming they were transferred fraudulently and getting them back?

I've only been asked to verify my name and email address, and occasionally my home address. Now often I call from a number that is attached to the account, but even then I get asked.
 

jmhpsu93

> While on the phone with MVC, I looked at the login page more closely. MVC does not have MFA or any additional security on the page. When you use the online form to transfer points to another owner, you do not receive a confirmation or notification that points are being transferred.

Thanks for documenting this situation @StevenTing. As to the bolded above, this is starting to become table stakes in the world of account security and I'd have no issue with them implementing this. I'm sure it would go swimmingly. :rolleyes:
 

VacationForever

It's been a while since I sold and transferred points out, and advertised using VPE. The question is how did the scammer get hold of the sellers' MVC owner ID? I think that is a required field when putting in a transfer request.
 

jabberwocky

> It's been a while since I sold and transferred points out, and advertised using VPE. The question is how did the scammer get hold of the sellers' MVC owner ID? I think that is a required field when putting in a transfer request.

That is pretty easy to obtain. Our MVC number could pretty much be obtained from educated guessing if they can get their hands on deeded documents.
 

dioxide45

> That is pretty easy to obtain. Our MVC number could pretty much be obtained from educated guessing if they can get their hands on deeded documents.

I think that only applies to Vistana owners. The Marriott owner ID seems to be more random.
 

daviator

> Is entering a weak pw account the likeliest way as to how the scammer got access to the owner information and made the transfer request?

I don’t know the answer, but even a strong password becomes weak if it’s used on multiple sites. There have been so many data breaches that the bad guys have all of your “regular” passwords. There was a time when you could use a good strong password on multiple sites and be okay, but that time passed more than a decade ago.

This should be yet another wake up call for people who do not use strong and unique passwords on every single site. If you use the same password on multiple sites you are going to get hacked across all those sites.

The other thing worth remembering is that your email password is the most valuable password you own. If the bad guys can get into your email, they can reset all your other passwords and rob you blind. So your email account password(s) should be the longest and most complicated possible. Using a good password manager is pretty much a must these days.
 

davidvel

I'm having trouble with the ID part as well. Fake IDs are a dime a dozen and almost every kid in college has one. They are very very good, and can only be detected if you physically have them in your hand with the right tools. That being said, the fraudster would also have to have all the information to put on the ID, as well as other information associated with the Marriott account.

It all smells like somebody with insider information, either a family member or at MVC itself. How does Marriott know that it wasn't the owner themselves? Simply their word? How was the money paid/transferred?
 

travelhacker

Implementing MFA is pretty trivial. I've created a number of systems that implemented MFA in a few different forms (SMS, Email, Push Notifications) and it never takes me more than a few hours.

It's trickier to implement on an existing system. However, this is something that MVW should prioritize. MFA can also make it more difficult for automated jobs to make reservations. It seems like it would be a win all around.

Nothing is really coming to mind to add extra security to VPE, but if I come up with any ideas, I'll let you know.

I appreciate all you do for running the VPE site, I've rented a few times and plan on renting out points in the future.
 

davidvel

> Implementing MFA is pretty trivial. I've created a number of systems that implemented MFA in a few different forms (SMS, Email, Push Notifications) and it never takes me more than a few hours.
>
> It's trickier to implement on an existing system. However, this is something that MVW should prioritize. MFA can also make it more difficult for automated jobs to make reservations. It seems like it would be a win all around.
>
> Nothing is really coming to mind to add extra security to VPE, but if I come up with any ideas, I'll let you know.
>
> I appreciate all you do for running the VPE site, I've rented a few times and plan on renting out points in the future.

Marriott.com uses 2fa
 

travelhacker

> Marriott.com uses 2fa

Yep, but none of the MVW sites do though (MVC, Vistana, Hyatt Vacation Club, Interval).

Marriott.com allows users to use either email or SMS which are less secure, but I'd be pleased to at least see that implemented.
 

jp10558

They really should use TOTP if they're going to do it, or else have people register devices to implement the newer certificate or maybe it's public key thing - I can't recall the generic name but Microsoft was pushing it recently.

Personally I just think a password manager doing strong unique passwords has solved this for anyone paying attention since like 2007 or so. Probably earlier. Now if you're extra paranoid like I am, you don't want it super integrated into the browser so it's a little bit of copy paste, but that's up to you. I've used Keepass (now XC) for over a decade and just sync it between my devices using syncthing.
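
Added example (not part of any post in this thread, and not MVC's or VPE's code): a sketch of the two controls raised above, a TOTP step-up (RFC 6238) on a points transfer and a notification to the owner of record for every attempt. The `TransferGate` class, the account ids and the message text are hypothetical; the secret is the published RFC 6238 test key, used here as constructed sample data.

```python
import base64, hashlib, hmac, struct, time

# Constructed sample secret: the published RFC 6238 test key, base32-encoded.
DEMO_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for Unix time `at`."""
    key = base64.b32decode(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", int(at) // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class TransferGate:
    """Hypothetical step-up check placed in front of a points-transfer form."""

    def __init__(self, secrets, window=1, step=30):
        self.secrets = secrets    # account id -> base32 TOTP secret
        self.window = window      # tolerated clock drift, in time steps
        self.step = step
        self.last_used = {}       # account id -> newest counter already accepted
        self.outbox = []          # (account, message) queued for the owner of record

    def _verify(self, account, code, now):
        secret = self.secrets.get(account)
        if secret is None:
            return False
        current = int(now) // self.step
        first = max(0, current - self.window)
        for counter in range(first, current + self.window + 1):
            expected = totp(secret, counter * self.step, self.step)
            if hmac.compare_digest(expected.encode(), str(code).encode()):
                if counter <= self.last_used.get(account, -1):
                    return False              # code already used: replay
                self.last_used[account] = counter
                return True
        return False

    def request_transfer(self, account, to_account, points, code, now=None):
        now = time.time() if now is None else now
        approved = self._verify(account, code, now)
        # Notify on every attempt, approved or not, so the real owner sees a
        # takeover attempt right away instead of months later.
        status = "approved" if approved else "REJECTED"
        self.outbox.append((account, f"Transfer of {points} points to {to_account}: {status}"))
        return approved

if __name__ == "__main__":
    gate = TransferGate({"owner-1": DEMO_SECRET})   # hypothetical account id
    print(gate.request_transfer("owner-1", "buyer-2", 4000, "287082", now=59))  # valid code
    print(gate.request_transfer("owner-1", "buyer-9", 4000, "287082", now=59))  # replayed code
    print(gate.outbox)
```

A password alone no longer moves points in this sketch, and a rejected attempt still lands in the owner's notifications.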
 

Hindsite

Would changing MVC Account passwords before and after a transfer transaction provide any additional security for VPE users? If it could reduce the risk it's a simple move that people can take to protect themselves and adding another layer to what you, and MVC do can only be good.
 

Dean

Steven, sorry this has happened to you, I'm sure it's been quite stressful. You provide a valuable service and many of us appreciate it greatly even those that do not rent. Please keep us informed when there are additional developments.
 

chunkygal

Steve
I appreciate your service and have used the site many times. Used to be easier, now hard to know who to trust or what to do. I personally am changing over to the proton mail/ pass/VPN. Hope it helps.
 

AlmostRetired

It is the world we live in and it will continue to get worse with uncontrolled AI and people's willingness to communicate only through electronics.
Trying to fix the MVCI side is impossible when banks can't fix the problem.

The only way to add more security is going to take more time and more money on your part. The last 3 years I rented the max points from owners and I plan to do the same in 2026. BeenVerified is a great search engine to find out about people the first time I do business with them. I can do a trial and cancel for very little. Not sure how much a real membership is. You may have to increase membership for owners of points or a fee for renters. If people drop out because of it, this might be a case when less is more. Again it will take more of your time and more money.

Thank you for the site and the time you put in.
 