
Evolution of Fraud

pedro47

TUG Review Crew: Expert
TUG Member
Joined
Jun 6, 2005
Messages
23,204
Reaction score
9,348
Location
East Coast
Wow. This is some heavy stuff. Is this fraud situation a part of Marriott's hack problem in 2024?
 

LeslieDet

TUG Member
Joined
Jun 16, 2017
Messages
980
Reaction score
803
Wow. Just FYI - I transferred points to another owner who rented from me in August, and I received a confirmation that points were removed from my account. It did not say where they went, but it definitely notified me of the quantity I transferred. Unfortunately, I did not save that confirmation email; so I cannot quote it verbatim.

And, when I go into my owner account I can see all point transactions, including any transfers made. I get that folks may not be monitoring their accounts, but the history should all be there.
 

StevenTing

TUG Member
Joined
May 7, 2009
Messages
1,579
Reaction score
1,044
At one point in time I was considering offering an Escrow service. But after this latest experience, it wouldn’t be enough. If MVC can claw back points 2 or 3 or 4 months later, it’s really hard to establish trust and everyone remains vulnerable.

I’ve contemplated raising the Verified fee significantly but I don’t know if that would actually deter a scammer. A successful scam will probably result in them gaining $1000 or more so any amount I set likely wouldn’t be a deterrent.

I thought a driver’s license would be enough of a deterrent but I’ve been proven wrong.

I’m thinking I use my existing process but expand it to include a video call. At the same time, maybe the buyers should be taking on some of this responsibility. But then I’m conflicted again because buyers don’t have a copy of the DL so don’t necessarily know what the person is supposed to look like.
 

StevenTing

TUG Member
Joined
May 7, 2009
Messages
1,579
Reaction score
1,044
Wow. Just FYI - I transferred points to another owner who rented from me in August, and I received a confirmation that points were removed from my account. It did not say where they went, but it definitely notified me of the quantity I transferred. Unfortunately, I did not save that confirmation email; so I cannot quote it verbatim.

And, when I go into my owner account I can see all point transactions, including any transfers made. I get that folks may not be monitoring their accounts, but the history should all be there.
I completed a transfer of points yesterday. No notification email. The buyer messaged me later that afternoon that he sees the points in his account now. So less than a day for processing. Still no notification. I can see the transaction history but an email notification should have been sent by now.
 

LeslieDet

TUG Member
Joined
Jun 16, 2017
Messages
980
Reaction score
803
I completed a transfer of points yesterday. No notification email. The buyer messaged me later that afternoon that he sees the points in his account now. So less than a day for processing. Still no notification. I can see the transaction history but an email notification should have been sent by now.
I do not understand why there is so much inconsistency in the process. Next time I rent out some points, I'll save the email and share it with you directly. So frustrating.

While I don't have any solutions, it would seem that the company's decision to move to non-human contact in order to process point transfers is giving scammers more of an opportunity to scam. Prior to using the online form, at least the owner of the points could call in and verify who they were (I realize that the phone number on file can probably easily be spoofed by a skilled scammer, but it is something), and the owner and the renter could have a three way call to transfer the points to the renter. Perhaps MVC needs to return to the human-to-human transfer process, and needs to beef up the authentication process to verify that the person calling in is really the owner.

I also wonder if the fact that some folks use "point managers" who are then given direct access to the true owner's account by that owner, and then the manager books and rents out reservations as the middleman using the owner's points or weeks; I wonder if those folks are unwittingly creating an easy access point for scammers? If someone is brokering rentals for multiple owners and doing it online, then they must have access to sign in directly to all of those individual owner accounts. The broker/point manager could perhaps be a source for the scammer to hack into the broker/point manager's system, and then voila, the scammer would have all of the login info needed (owner name, owner number, owner email, owner phone number) to post ads, collect the rent money, and actually transfer the points to the renter, all without the original owner's knowledge until they check their account (or get an email saying the transfer was successful).
 

daviator

TUG Member
Joined
May 8, 2011
Messages
1,763
Reaction score
1,689
Location
San Francisco, CA
Resorts Owned
WKORV, WKORVN, WDW, Westin FLEX, Marriott's MOC, Abound (Trust) Points
The whole “point broker” thing screams scam opportunity to me. MVC should endeavor to disenable that business model, though I know that would upset a few people here.

I have no issue with owner to owner exchanges/rental and have rented points myself through @StevenTing ’s excellent site. But the idea of giving a third party access to people’s accounts and letting them independently transfer other people’s points, it seems ripe for abuse. It also seems like a clear crossing of the line into “commercial use.”

But I suspect MVC doesn’t really want to shut off this use case because it helps them sell points.
 

LeslieDet

TUG Member
Joined
Jun 16, 2017
Messages
980
Reaction score
803
The whole “point broker” thing screams scam opportunity to me. MVC should endeavor to disenable that business model, though I know that would upset a few people here.

I have no issue with owner to owner exchanges/rental and have rented points myself through @StevenTing ’s excellent site. But the idea of giving a third party access to people’s accounts and letting them independently transfer other people’s points, it seems ripe for abuse. It also seems like a clear crossing of the line into “commercial use.”

But I suspect MVC doesn’t really want to shut off this use case because it helps them sell points.
I've never understood how the point brokers got away with that business model. I am aware that one of them used to promote his services on Facebook, and for a time ran one of the rental groups on FB.
 

dioxide45

TUG Review Crew: Expert
TUG Lifetime Member
Joined
May 20, 2006
Messages
51,273
Reaction score
22,773
Location
NE Florida
Resorts Owned
Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
The "Marriott" data breach was Marriott International Inc., not Marriott Vacations Worldwide. Different companies.
But if someone used the same password between both accounts, it could still be an issue. Though I don't know if plain text or even encrypted passwords were compromised.
 

dioxide45

TUG Review Crew: Expert
TUG Lifetime Member
Joined
May 20, 2006
Messages
51,273
Reaction score
22,773
Location
NE Florida
Resorts Owned
Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
The whole “point broker” thing screams scam opportunity to me. MVC should endeavor to disenable that business model, though I know that would upset a few people here.

I have no issue with owner to owner exchanges/rental and have rented points myself through @StevenTing ’s excellent site. But the idea of giving a third party access to people’s accounts and letting them independently transfer other people’s points, it seems ripe for abuse. It also seems like a clear crossing of the line into “commercial use.”

But I suspect MVC doesn’t really want to shut off this use case because it helps them sell points.
The point managers aren't necessarily breaking any rules. Kinda the same as how DVC point brokers operate. I don't know if Marriott has terms and conditions indicating that you can't share your account credentials with third parties. I know Bluegreen was locking accounts of owners who they found out had provided credentials to a third party broker.

Point brokers do create a single point for someone to steal a lot of account data. Though the one I've watched a few YouTube videos of has indicated they use a type of password keeper. The password is only provided once to the person who has to input it. No one else who logs in actually sees the password. Still a potential issue though.

I do wonder if this situation is one where a point broker was managing an account and the owner saw missing points and called Marriott. That same point broker once mentioned how they rented a certain number of points from an owner, paid them and made reservations. The owner later went in and started cancelling reservations because they didn't know what they were for. Ummm, you rented your points... People get confused or don't fully understand what they are doing or what they did previously.
 

StevenTing

TUG Member
Joined
May 7, 2009
Messages
1,579
Reaction score
1,044
I do wonder if this situation is one where a point broker was managing an account and the owner saw missing points and called Marriott. That same point broker once mentioned how they rented a certain number of points from an owner, paid them and made reservations. The owner later went in and started cancelling reservations because they didn't know what they were for. Ummm, you rented your points... People get confused or don't fully understand what they are doing or what they did previously.

Not a point broker. From one of the emails. Using PayPal for funding transfer and claiming it’s a husband’s account. That’s always a red flag when the email address doesn’t match the email of the person you’re dealing with.

The paypal address is cahyoadinegoro907.cn@gmail.com and my husband's name is Cahyo Adinegoro. Please note to send it as F&F as that's the only method we're accepting. My number is 801-371-9559, you can send me a text after you've sent the payment and I'll transfer the points right away
 

LeslieDet

TUG Member
Joined
Jun 16, 2017
Messages
980
Reaction score
803
But if someone used the same password between both accounts, it could still be an issue. Though I don't know if plain text or even encrypted passwords were compromised.
Of course, if an account holder uses the same password among different accounts it is a risk; I was responding to the comment asking if the fraud Steven is reporting about was tied to the "Marriott hack". There was not a "hack" of the MVW systems; the "hack" was the data breach tied back to the hotel company, Marriott International Inc.
 

Ski-Dad

TUG Member
Joined
May 18, 2019
Messages
589
Reaction score
499
Location
East Coast - Canada
Resorts Owned
Sheraton Desert Oasis
Marriott Grande Vista - Florida Club
Grandview LV - Vacation Villages

As others have noted it was Marriott not MVC that was hacked, but there are obvious linkages between the two worlds. MVC seems to own part of this with security gaps such as the void of email confirmations that Steve has noted.
 

billymach4

TUG Member
Joined
Oct 20, 2006
Messages
4,202
Reaction score
1,725
Location
Everywhere
The "Seller" was one of my Verified Sellers. I have a copy of their license. A copy of their MVC Profile. Everything matches up. The kicker, MVC tells me that the Seller/Owner is also a victim. Somehow their MVC account was compromised. What I cannot wrap my head around is that even though the MVC account might be compromised, I have a copy of the driver license as a secondary security step. I have a picture of the driver license. Not a digital copy or a scanned copy but a photo. It's gone through my mind that the driver license could be AI generated or photoshopped so now I've started requiring a selfie of the person holding their driver license as well.

Thinking in and out of the box, here are the vectors for a bad actor.

  1. Insider
  2. Weak passwords.
  3. Brokers that have the owners login credentials
  4. Someone lurking here around TUG correlating a TUG member to the VPE membership. Leveraging this information to target the owner using common hacking techniques. Again this could be a Marriott insider obtaining MVC login info.
  5. Combination of all of the above.
Bottom line is that Marriott is sloppy with protecting us owners. As I have stated in the past. Our ownership has to be treated like a bank is required to secure cash. But banks and bank customers are fraud victims as well.
 