Evolution of Fraud

[pedro47]

Wow. This is some heavy stuff. Is this fraud situation a part of Marriott's hack problem in 2024?

 

[LeslieDet]

Wow. Just FYI - I transferred points to another owner who rented from me in August, and I received a confirmation that points were removed from my account. It did not say where they went, but it definitely notified me of the quantity I transferred. Unfortunately, I did not save that confirmation email; so I cannot quote it verbatim.

And, when I go into my owner account I can see all point transactions, including any transfers made. I get that folks may not be monitoring their accounts, but the history should all be there.

 

[LeslieDet]

Wow. This is some heavy stuff. Is this fraud situation a part of Marriott's hack problem in 2024?

The "Marriott" data breach was Marriott International Inc., not Marriott Vacations Worldwide. Different companies.

 

[StevenTing]

At one point in time I was considering offering an Escrow service. But after this latest experience, it wouldn’t be enough. If MVC can claw back points 2 or 3 or 4 months later, it’s really hard to establish trust and everyone remains vulnerable.

I’ve contemplated raising the Verified fee significantly but I don’t know if that would actually deter a scammer. A successful scam will probably result in them gaining $1000 or more so any amount I set likely wouldn’t be a deterrent.

I thought a drivers license would be enough of a deterrent but I’ve been proven wrong.

I’m thinking I use my existing process but expand it to include a video call. At the same time, maybe the buyers should be taking on some of this responsibility. But then I’m conflicted again because buyers don’t have a copy of the DL so don’t necessarily know what the person is supposed to look like.

 

[StevenTing]

Wow. Just FYI - I transferred points to another owner who rented from me in August, and I received a confirmation that points were removed from my account. It did not say where they went, but it definitely notified me of the quantity I transferred. Unfortunately, I did not save that confirmation email; so I cannot quote it verbatim.

And, when I go into my owner account I can see all point transactions, including any transfers made. I get that folks may not be monitoring their accounts, but the history should all be there.

I completed a transfer of points yesterday. No notification email. The buyer messaged me later than afternoon that he sees the points in his account now. So less than a day for processing. Still no notification. I can see the transaction history but an email notification should have been sent by now.

 

[LeslieDet]

I completed a transfer of points yesterday. No notification email. The buyer messaged me later than afternoon that he sees the points in his account now. So less than a day for processing. Still no notification. I can see the transaction history but an email notification should have been sent by now.

I do not understand why there is so much inconsistency in the process. Next time I rent out some points, I'll save the email and share it with you directly. So frustrating.

While I don't have any solutions, it would seem that the company's decision to move to non-human contact in order to process point transfers is giving scammers more of an opportunity to scam. Prior to using the online form, at least the owner of the points could call in and verify who they were (I realize that the phone number on file can probably easily be spoofed by a skilled scammer, but it is something), and the owner and the renter could have a three way call to transfer the points to the renter. Perhaps MVC needs to return to the human-to-human transfer process, and needs to beef up the authentication process to verify that the person calling in is really the owner.

I also wonder if the fact that some folks use "point managers" who are then given direct access to the true owner's account by that owner, and then the manager books and rents out reservations as the middleman using the owner's points or weeks; I wonder if those folks are unwittingly creating an easy access point for scammers? If someone is brokering rentals for multiple owners and doing it online, then they must have access to sign in directly to all of those individual owner accounts. The broker/point manager could perhaps be a source for the scammer to hack into the broker/point manager's system, and then voila, the scammer would have all of the login info needed (owner name, owner number, owner email, owner phone number) to post ads, collect the rent money, and actually transfer the points to the renter, all without the original owner's knowledge until they check their account (or get an email saying the transfer was successful).

 

[daviator]

The whole “point broker” thing screams scam opportunity to me. MVC should endeavor to disenable that business model, though I know that would upset a few people here.

I have no issue with owner to owner exchanges/rental and have rented points myself through @StevenTing ’s excellent site. But the idea of giving a third party access to people’s accounts and letting them independently transfer other people’s points, it seems ripe for abuse. It also seems like a clear crossing of the line into “commercial use.”

But I suspect MVC doesn’t really want to shut off this use case because it helps them sell points.

 

[LeslieDet]

The whole “point broker” thing screams scam opportunity to me. MVC should endeavor to disenable that business model, though I know that would upset a few people here.

I have no issue with owner to owner exchanges/rental and have rented points myself through @StevenTing ’s excellent site. But the idea of giving a third party access to people’s accounts and letting them independently transfer other people’s points, it seems ripe for abuse. It also seems like a clear crossing of the line into “commercial use.”

But I suspect MVC doesn’t really want to shut off this use case because it helps them sell points.

I've never understood how the point brokers got away with that business model. I am aware that one of them used to promote his services on Facebook, and for a time ran one of the rental groups on FB.

 

[dioxide45]

The "Marriott" data breach was Marriott International Inc., not Marriott Vacations Worldwide. Different companies.

But if someone used the same password between both accounts, it could still be an issue. Though I don't know if plain text or even encrypted passwords were compromised.

 

[dioxide45]

The whole “point broker” thing screams scam opportunity to me. MVC should endeavor to disenable that business model, though I know that would upset a few people here.

I have no issue with owner to owner exchanges/rental and have rented points myself through @StevenTing ’s excellent site. But the idea of giving a third party access to people’s accounts and letting them independently transfer other people’s points, it seems ripe for abuse. It also seems like a clear crossing of the line into “commercial use.”

But I suspect MVC doesn’t really want to shut off this use case because it helps them sell points.

The point managers aren't necessarily breaking any rules. Kinda the same as how DVC point brokers operate. I don't know if Marriott has terms and conditions indicating that you can't share your account credentials with third parties. I know Bluegreen was locking accounts of owners who they found out had provided credentials to a third party broker.

Point brokers do create a single points for someone to steal a lot of account data. Though the one I've watched a few YouTube videos of has indicated they use a type of password keeper. The password is only provided once to the person who has to input it. No one else who logs in actually sees the password. Still a potential issue though.

I do wonder if this situation is one where a point broker was managing an account and the owner saw missing points and called Marriott. That same point broker once mentioned how they rented a certain number of points from an owner, paid them and made reservations. The owner later went in and started cancelling reservations because they didn't know what they were for. Ummm, you rented your points... People get confused or don't fully understand what they are doing or what they did previously.

 

[StevenTing]

I do wonder if this situation is one where a point broker was managing an account and the owner saw missing points and called Marriott. That same point broker once mentioned how they rented a certain number of points from an owner, paid them and made reservations. The owner later went in and started cancelling reservations because they didn't know what they were for. Ummm, you rented your points... People get confused or don't fully understand what they are doing or what they did previously.

Not a point broker. From one of the emails. Using PayPal for funding transfer and claiming it’s a husbands account. That’s always a red flag enter email address doesn’t match the email of the person you’re dealing with.

The paypal address is cahyoadinegoro907.cn@gmail.com and my husband's name is Cahyo Adinegoro. Please note to send it as F&F as that's the only method we're accepting. My number is 801-371-9559, you can send me a text after you've sent the payment and I'll transfer the points right away

 

[LeslieDet]

But if someone used the same password between both accounts, it could still be an issue. Though I don't know if plain text or even encrypted passwords were compromised.

Of course, if an account holder uses the same password among different accounts it is a risk; I was responding to the comment asking if the fraud Steven is reporting about was tied to the "Marriott hack". There was not a "hack" of the MVW systems; the "hack" was the data breach tied back to the hotel company, Marriott International Inc.

 

[Ski-Dad]

FTC Takes Action Against Marriott and Starwood Over Multiple Data Breaches

The Federal Trade Commission will require Marriott International, Inc.

www.ftc.gov

As other have noted it was Marriott not MVC that was hacked, but there are obvious linkages between the two worlds. MVC seems to own part of this with security gaps such the void of email confirmations that Steve has noted.

 

[billymach4]

Has anyone considered that this could also be an insider bad actor?

 

[billymach4]

The "Seller" was one of my Verified Sellers. I have a copy of their license. A copy of their MVC Profile. Everything matches up. The kicker, MVC tells me that the Seller/Owner is also a victim. Somehow their MVC account was compromised. What I cannot wrap my head around is that even though the MVC account might be compromised, I have a copy of the driver license as a secondary security step. I have a picture of the driver license. Not a digital copy or a scanned copy but a photo. It's gone through my mind that the driver license could be AI generated or photoshopped so now I've started requiring a selfie of the person holding their driver license as well.

Thinking in and out of the box here are the vectors for a bad actor.

1. Insider
2. Weak passwords.
3. Brokers that have the owners login credentials
4. Someone lurking here around TUG correlating a TUG member to the VPE membership. Leveraging this information to target the owner using common hacking techniques. Again this could be a Marriott insider obtaining MVC login info.
5. Combination of all of the above.

Bottom line is that Marriott is sloppy with protecting us owners. As I have stated in the past. Our ownership has to be treated like a bank is required to secure cash. But banks and bank customers are fraud victims as well.

 

[Chris621]

Scammers/Bad Actors are now more sophisticated when it comes to Fraud and Abound Points

I had an unpleasant conversation with MVC a few days ago about fraud that is occurring with Abound points. During MVC's ongoing investigation, they've narrowed down the common factor of the victims to VPE. This is very unfortunate. Back in October 2024, a Buyer reached out to me saying that MVC contacted them and that the "Seller" didn't authorize the transfer and that they were researching. Two months go by without any additional word from MVC so the Buyer thought all was good. In early January 2025, Buyer is notified by MVC that they have taken the points back due to fraud. This was for 4,000 points so this was a high value transaction.

The "Seller" was one of my Verified Sellers. I have a copy of their license. A copy of their MVC Profile. Everything matches up. The kicker, MVC tells me that the Seller/Owner is also a victim. Somehow their MVC account was compromised. What I cannot wrap my head around is that even though the MVC account might be compromised, I have a copy of the driver license as a secondary security step. I have a picture of the driver license. Not a digital copy or a scanned copy but a photo. It's gone through my mind that the driver license could be AI generated or photoshopped so now I've started requiring a selfie of the person holding their driver license as well.

MVC indicated that they have narrowed down the bad actor to an individual and this person is not an owner. They have call recordings of the bad actor. They implied that this bad actor has compromised multiple accounts and transferred points out of the accounts. Some of the affected owners didn't find out until 2-4 months after the fact that their points had been transferred out.

While on the phone with MVC, I looked at the login page more closely. MVC does not have MFA or any additional security on the page. When you use the online form to transfer points to another owner, you do not receive a confirmation or notification that points are being transferred.

All of this is different from the simple fraud of people transferring money and the bad actor ghosting them. In these cases, they're taking over accounts, transferring points, and repeating this over and over. I will do what I can to improve my verifications but as MVC put it, there are many layers to this fraud that even they can't seem to figure out how it's perpetrated.

Because many minds are better than just one, I would love any theories or ideas of how you think this fraud is occurring. I'm also open for suggestions that I can use for verification. I'm also happy to share any security ideas to MVC as well.

Hi Steven - would love to connect with you regarding what you have learned from MVC. We were one of the individuals where Marriott clawed back points, several months after the transfer. Would like to understand the specifics here and what you have learned to date. Agree pretty wild no MFA or call back procedures.

 

[pspercy]

Good luck Steven, this crap is everywhere these days.
I had $$$$ lifted from an account at Fidelity last Christmas Eve and it’s still not resolved.

 

[rickandcindy23]

It's odd that the vacation club has these issues. Marriott hotel site, I have to answer a text just to go forward to log in. It hasn't always been that way, but it is now. No one could use my hotel points.

 

[SmithOp]

Good luck Steven, this crap is everywhere these days.
I had $$$$ lifted from an account at Fidelity last Christmas Eve and it’s still not resolved.

That's highly unusual, my Fidelity account has an automatic 30 day waiting period to change a linked account for money transfer.

 

[Hindsite]

Well this is new and at least the most basic form of progress.

 

[Sandy VDH]

What is VPE? I can find no references to this.

To be on the safe side, my bank and fidelity and other cash equivalent accounts have a completely different userid and password from my main ones.

 

[dioxide45]

What is VPE? I can find no references to this.

To be on the safe side, my bank and fidelity and other cash equivalent accounts have a completely different userid and password from my main ones.

VPE is a website used by Marriott owners to rent out Club Points.

 

[daviator]

What is VPE? I can find no references to this.

To be on the safe side, my bank and fidelity and other cash equivalent accounts have a completely different userid and password from my main ones.

I used to do that – I had one username and password I used for financial accounts and “important” stuff and another I used for everything else.

Unfortunately, I don’t think that’s good enough any more. You need to use a different password on every single site. Sites DO get hacked and your passwords do get sold and traded across the dark web. When that happens, it’s much better if the stolen password only has the potential to work on ONE site, and not on a bunch of sites.

Using a password manager like 1Password or Apple Passwords is really the only way I know to be safe these days. There is no way anyone could remember or keep track of different passwords for each site any other way.

Think of it this way - if every door in your house had a lock on it, and you lost one of your keys, would you want the person finding it to be able to access every door in your house, or just one of them?

Just food for thought, I don’t want anyone to be at risk of being victimized by the many criminals out there online.

 

[davidvel]

I used to do that – I had one username and password I used for financial accounts and “important” stuff and another I used for everything else.

Unfortunately, I don’t think that’s good enough any more. You need to use a different password on every single site. Sites DO get hacked and your passwords do get sold and traded across the dark web. When that happens, it’s much better if the stolen password only has the potential to work on ONE site, and not on a bunch of sites.

Using a password manager like 1Password or Apple Passwords is really the only way I know to be safe these days. There is no way anyone could remember or keep track of different passwords for each site any other way.

Think of it this way - if every door in your house had a lock on it, and you lost one of your keys, would you want the person finding it to be able to access every door in your house, or just one of them?

Just food for thought, I don’t want anyone to be at risk of being victimized by the many criminals out there online.

Not a proper analogy. If they get in one door they don't need access to others. Now if you owned 5 homes and they all the same keys with the addresses on the keychain, well...

 

[daviator]

Not a proper analogy. If they get in one door they don't need access to others. Now if you owned 5 homes and they all the same keys with the addresses on the keychain, well...

Well, if you have valuables in all the other locked rooms, then all they can do is roam the hallways. I agree it's not a perfect analogy, but the point is still valid. Don't use the same password for multiple sites.