• The TUGBBS forums are completely free and open to the public and exist as the absolute best place for owners to get help and advice about their timeshares for more than 30 years!

    Join Tens of Thousands of other Owners just like you here to get any and all Timeshare questions answered 24 hours a day!
  • TUG started 31 years ago in October 1993 as a group of regular Timeshare owners just like you!

    Read about our 31st anniversary: Happy 31st Birthday TUG!
  • TUG has a YouTube Channel to produce weekly short informative videos on popular Timeshare topics!

    Free memberships for every 50 subscribers!

    Visit TUG on Youtube!
  • TUG has now saved timeshare owners more than $23,000,000 dollars just by finding us in time to rescind a new Timeshare purchase! A truly incredible milestone!

    Read more here: TUG saves owners more than $23 Million dollars
  • Wish you could meet up with other TUG members? Well look no further as this annual event has been going on for years in Orlando! How to Attend the TUG January Get-Together!
  • Sign up to get the TUG Newsletter for free!

    Tens of thousands of subscribing owners! A weekly recap of the best Timeshare resort reviews and the most popular topics discussed by owners!
  • Our official "end my sales presentation early" T-shirts are available again! Also come with the option for a free membership extension with purchase to offset the cost!

    All T-shirt options here!
  • A few of the most common links here on the forums for newbies and guests!

Help Needed: Marriott removing transferred points from Account

davidvel

TUG Member
Joined
May 9, 2008
Messages
8,599
Reaction score
5,535
Location
No. Cty. San Diego
Resorts Owned
Marriott Shadow Ridge (Villages)
Carlsbad Inn
You seem to have a lot more faith in their IT and in general. Implementing 2FA takes much more than "a few hours". Your talking about a rather fundamental change to how a user accesses the site. Not only do they have programming, but you have testing, training owner services to answer questions, owner education. Many smaller companies utilize a vendor to implement SMS 2FA, so you have procurement of said services. Using an authenticator app only increases the owner education end of things. Easy enough...
Not really hard at all with all of the existing services. Email is easier than text but they already have these systems on the marriott.com side. I have programmed 2FA for a website I run, and it took me half a day to set up. It is actually incredibly simple. Generate number. Add to database, send to user, user enters, check against session in database, let them through. (Slightly more complicated but not for a professional.) And I am not a coder by trade. Kids in college learn this in a single lecture.
 

dioxide45

TUG Review Crew: Expert
TUG Lifetime Member
Joined
May 20, 2006
Messages
51,784
Reaction score
23,275
Location
NE Florida
Resorts Owned
Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
Not really hard at all with all of the existing services. Email is easier than text but they already have these systems on the marriott.com side. I have programmed 2FA for a website I run, and it took me half a day to set up. It is actually incredibly simple. Generate number. Add to database, send to user, user enters, check against session in database, let them through. (Slightly more complicated but not for a professional.) And I am not a coder by trade. Kids in college learn this in a single lecture.
You're still ignoring testing, validation, call center and owner education. There is more to this than a single developer writing some code.
 

davidvel

TUG Member
Joined
May 9, 2008
Messages
8,599
Reaction score
5,535
Location
No. Cty. San Diego
Resorts Owned
Marriott Shadow Ridge (Villages)
Carlsbad Inn
You're still ignoring testing, validation, call center and owner education. There is more to this than a single developer writing some code.
Why do you need all that? The validation and testing are done in the coding phase, a few hours.

PLEASE CLICK HERE TO SEND AN EMAIL/TEXT, then fill in the code in the box below.

Educated and trained.
 

dioxide45

TUG Review Crew: Expert
TUG Lifetime Member
Joined
May 20, 2006
Messages
51,784
Reaction score
23,275
Location
NE Florida
Resorts Owned
Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
Why do you need all that? The validation and testing are done in the coding phase, a few hours.

PLEASE CLICK HERE TO SEND AN EMAIL/TEXT, then fill in the code in the box below.

Educated and trained.
That isn't how IT shops should operate. Especially when you are sending changes out to hundreds of thousands of users. Ever wonder why more stuff is broken than what they fixed when they implement overnight maintenance?
 

LeslieDet

TUG Member
Joined
Jun 16, 2017
Messages
1,014
Reaction score
835
OK
Not looking to be argumentative in any manner with anyone on the thread
I rent points and this issue has me wondering how it could happen
I am sure other people are wondering what the facts are around this situation
It sounds like details are not plentiful
Marriott is probably in fraud mode which means they will provide few if any details about the situation
It is what it is
I'm not arguing with you; the OP hasn't returned to provide any details. There are some folks who have no clue about how things work who always jump immediately to MVC must have done something wrong. Ignore those ones. I agree more details are needed.

What I can say is that in the FB group yesterday, there was an anonymous post using these facts. I presume the person making this post is the one who posted in the FB group. Whether in the original post or in a response to a comment made by daviator in that FB group, there was a statement by the anonymous person who was posting the question that they knew that the person they actually conducted the transaction with on VPE was not the owner of the points. I asked them to clarify what they meant by that -- did they mean they knew that at the time of the original rental or did they learn that after the rental when MVC was clawing back the points? Anonymous did not respond, instead the post was deleted. I was never able to confirm exactly what they were saying.

Just keep in mind that the internal form to transfer points is generated after a login to the owner account. It isn't a random submittal via an external email request or a fax.
 

davidvel

TUG Member
Joined
May 9, 2008
Messages
8,599
Reaction score
5,535
Location
No. Cty. San Diego
Resorts Owned
Marriott Shadow Ridge (Villages)
Carlsbad Inn
That isn't how IT shops should operate. Especially when you are sending changes out to hundreds of thousands of users. Ever wonder why more stuff is broken than what they fixed when they implement overnight maintenance?
I know you think it is a big endeavor, but it really is not. No worries.
 

davidvel

TUG Member
Joined
May 9, 2008
Messages
8,599
Reaction score
5,535
Location
No. Cty. San Diego
Resorts Owned
Marriott Shadow Ridge (Villages)
Carlsbad Inn
I'm not arguing with you; the OP hasn't returned to provide any details. There are some folks who have no clue about how things work who always jump immediately to MVC must have done something wrong. Ignore those ones. I agree more details are needed.

What I can say is that in the FB group yesterday, there was an anonymous post using these facts. I presume the person making this post is the one who posted in the FB group. Whether in the original post or in a response to a comment made by daviator in that FB group, there was a statement by the anonymous person who was posting the question that they knew that the person they actually conducted the transaction with on VPE was not the owner of the points. I asked them to clarify what they meant by that -- did they mean they knew that at the time of the original rental or did they learn that after the rental when MVC was clawing back the points? Anonymous did not respond, instead the post was deleted. I was never able to confirm exactly what they were saying.

Just keep in mind that the internal form to transfer points is generated after a login to the owner account. It isn't a random submittal via an external email request or a fax.
Says the person who habitually bends over backward to find MVC faultless, likely due to her inside "connections."
 

dioxide45

TUG Review Crew: Expert
TUG Lifetime Member
Joined
May 20, 2006
Messages
51,784
Reaction score
23,275
Location
NE Florida
Resorts Owned
Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
As I noted above, the rental form has a changeable field for the email notification. Great grammar btw. 2FA to reach or post the form could be programmed in a few hours if they wanted to.

View attachment 104914
So does the email only go to this address? Why even have this as a field? It should just go to the email address already associated with the account.
 
Last edited:

dioxide45

TUG Review Crew: Expert
TUG Lifetime Member
Joined
May 20, 2006
Messages
51,784
Reaction score
23,275
Location
NE Florida
Resorts Owned
Marriott Grande Vista
Marriott Harbour Lake
Sheraton Vistana Villages
Club Wyndham CWA
I know you think it is a big endeavor, but it really is not. No worries.
I know you think they could just drop something like this by tomorrow. While not a big endeavor it really isn't that simple. If this is how MVC implements change, perhaps that is why they have so many problems with their website.

That also doesn't mean they shouldn't implement 2FA but do you even know if it would have solved the problem here were someone seemed to give out their account credentials to someone who took advantage of it?
 
Last edited:

AlmostRetired

TUG Member
Joined
Jul 20, 2005
Messages
1,470
Reaction score
746
Location
Long Island, NY
Resorts Owned
Grande Ocean Platinum, 3 x Grand Chateau 3 Bedroom (annual, EOY Odd, EOY Even).,
I now rent points frequently and a portion of the points goes to renting weeks reserved. I never thought about fraudulent transfers. I have no clue how this happened but in thinking about it, I am not shocked. We are all dependent on the IT and the verification competency of the companies we do business with. Any business can set up two factor identification to a phone number or email address. This makes it harder for online access. Every company can send an email if password or account information has been changed. I am required to give a four digit pin before Marriott will speak to me about any Marriott reservation. My cell phone provider, credit card company and even my bank allows for a password or pin before they will speak with me.

We have all experienced the IT incompetency of MVCI. When I call MVCI, they ask for my name, address, phone number and email address to speak to me. This will take 30 seconds to find on the internet. How difficult would it be to also have a pin set up for direct contact or two factor verification for account access? Is this foolproof no, but it will make it harder. It is easy to add, maybe not but doing it will show the amount of respect MVCI has for both IT and owners. It would also speak volumes to know what percent of revenue goes to the IT budget.

If an owner uses a broker to rent/transfer points and gives their user information to that broker, they should a have zero protection.

I will continue to rent points from my rolodex of owners I have been successful with. This does show that renting points has a little more risk then I thought without seeing this post.
 

davidvel

TUG Member
Joined
May 9, 2008
Messages
8,599
Reaction score
5,535
Location
No. Cty. San Diego
Resorts Owned
Marriott Shadow Ridge (Villages)
Carlsbad Inn
So does the email only go to this address? Why even have this as a field? It should just go to the email address already associated with the account.
That is my point. It should go to email of record at a minimum. If they want to add another email that is fine. And no we don't know what happened here, if account was comprised, etc., so whether this or 2FA would have changed anything is also unknown.
 

daviator

TUG Member
Joined
May 8, 2011
Messages
1,786
Reaction score
1,729
Location
San Francisco, CA
Resorts Owned
WKORV, WKORVN, WDW, Westin FLEX, Marriott's MOC, Abound (Trust) Points
I am suspicious about this whole complaint. The OP posted anonymously (a brand new account here, and truly anonymously on Facebook.) The FB post got deleted when he didn't get the chorus of support he seemed to want. He also seems unwilling to answer the many questions here from people trying to better understand what happened.

I suspect the whole transaction was shady, and they got caught. I don't know what the OP paid to rent the points, but if you're paying significantly less than the going rate (around 70¢/point, I think?) or you don't do some due diligence on the person renting out the points and how they came by them, you should know that you are taking a big risk.

I doubt we will ever have the full story on this incident, but I somehow doubt it's a result of MVC's lax security, even though their security is indeed lax.

If you use a lengthy and unique password for your MVC account and you don't share the password with anyone else, you are very, very unlikely to lose points from your account. Same goes for Bonvoy and your bank. Change passwords every year or so to be safe. Use a password manager as it would be humanly impossible to remember all your passwords if you're using them correctly. Definitely don't share the password to your passwords! Oh, and don't rent points from anyone that isn't renting out their own points.
 
Top