Help Needed: Marriott removing transferred points from Account

[Chris621]

Help Requested if this has happened to anyone else and also FYI for anyone renting / transferring points.

Marriott cancelled a vacation and took points away from our account without authorization from us.

Backstory, we rented points from another owner in October, 2024. These points were transferred to our account and we paid for them. Everything seemed legitimate throughout the process. We communicated with owner via phone and email (or who we thought was the owner).

On Friday, Jan 17, Marriott removed the points and cancelled a reservation we had (we did not recieve any notification from Marriott). We called Marriott to see what was going on and they said the transfer and purchasing of these points was a fraud/cyber incident and the owner did not approve the transfer. Thus they removed the points from our account.

They added this was a cyber incident and this has happened to over 20 other owners. Unclear to us, if someone hacked Marriott to transfer points or hacked individual owners to then submit the transfer form. Either way it seems apparent that Marriott failed to have the appropriate verification controls in place to prevent this from happening.

Their cyber and legal teams are currently investigating.

Personally, these seems like a Marriott problem, as Marriott processes all transfers and they should not be able to remove points from accounts.

Any help/suggestions would be greatly appreciated. Or if this happened to you please let me know and would like to connect. TIA!

 

[claraj]

I wonder if this is related to a discussion on another thread:

Thread 'Evolution of Fraud' https://tugbbs.com/forums/threads/evolution-of-fraud.370599/

 

[StevenTing]

This is definitely related. I spoke with MVC’s cyber security team last week sharing details about VPE and how the site operates.

 

[dioxide45]

I wonder if this is related to a discussion on another thread:

Thread 'Evolution of Fraud' https://tugbbs.com/forums/threads/evolution-of-fraud.370599/

It seems to be the same situation. There was also some discussion in one of the Facebook groups about it.

 

[Dean]

Personally, these seems like a Marriott problem, as Marriott processes all transfers and they should not be able to remove points from accounts.

I'm sorry this happened to you, it would seem you are the victim if you lost the money and the reservation while the owners who had points removed from their account mistakenly are presumably being made whole. People have had their weeks taken by II indadvertenly when they shouldn't have been and the person who got the exchange lost it. I've had this happen to me previously.

 

[daviator]

I commented on this same situation which was posted in a Facebook group.

There is risk when you rent points from a stranger. It’s important to do the best job you can of vetting that person and how they came to have the points they are renting. Are they a broker of points? Probably an even bigger risk. But if the points turn out to be stolen or fraudulent in some way, MVC is going to claw them back and you'll be left with nothing.

It's analogous to unknowingly buying stolen property. It doesn’t matter that you didn’t know, the transaction was illegal and you became part of that crime.

I have rented points a couple of times. Both times I have spoken to the renter on the phone, been satisfied that the points were their own and that they were not brokering them, and so I proceeded believing that there was little chance of fraud. I haven’t had a problem but I guess I’d want to be even more careful in the future.

I'm sorry this happened to someone but I do not believe that MVC should have liability here. If owners expect MVC to protect them against fraud in these sorts of transactions, MVC either eliminate the ability to transfer points or attach a significant fee to doing so.

The OP's claim is against the person he rented points from. The OP should have gotten the name and contact information for the person they rented from, so contacting them would be the first step.

 

[davidvel]

I commented on this same situation which was posted in a Facebook group.

There is risk when you rent points from a stranger. It’s important to do the best job you can of vetting that person and how they came to have the points they are renting. Are they a broker of points? Probably an even bigger risk. But if the points turn out to be stolen or fraudulent in some way, MVC is going to claw them back and you'll be left with nothing.

It's analogous to unknowingly buying stolen property. It doesn’t matter that you didn’t know, the transaction was illegal and you became part of that crime.

I have rented points a couple of times. Both times I have spoken to the renter on the phone, been satisfied that the points were their own and that they were not brokering them, and so I proceeded believing that there was little chance of fraud. I haven’t had a problem but I guess I’d want to be even more careful in the future.

I'm sorry this happened to someone but I do not believe that MVC should have liability here. If owners expect MVC to protect them against fraud in these sorts of transactions, MVC either eliminate the ability to transfer points or attach a significant fee to doing so.

The OP's claim is against the person he rented points from. The OP should have gotten the name and contact information for the person they rented from, so contacting them would be the first step.

Without knowing how this happened, how can you say MVC is blameless? They admitted that they have "allowed" this happen to over 20 people. How are the scammers accessing the MVC accounts and transferring points out? How do they even know the account has points in it, much less whatever they are doing to facilitate transfer. I put this on MVC unless/until they can say the owner definitively allowed access to the scammer.

 

[dioxide45]

Without knowing how this happened, how can you say MVC is blameless? They admitted that they have "allowed" this happen to over 20 people. How are the scammers accessing the MVC accounts and transferring points out? How do they even know the account has points in it, much less whatever they are doing to facilitate transfer. I put this on MVC unless/until they can say the owner definitively allowed access to the scammer.

I would agree. We really have no idea of how this happened. Was it 20 owner/recipients or 20 owner/senders? A combination of the two? I can understand one or two owner accounts being compromised. If one, it would seem that owner would need to have a lot of points to facilitate such a scam with 20 recipients.

Also, what has Marriott done to verify that the owner/sender isn't somehow also the scammer?

It would be good to see a different verification process for transfers, but Marriott doesn't really want to invest in such a thing given there is no revenue to them. There should be a second factor of authentication for transfers. Perhaps the owner sending points gets an email text where they need to click a link to finalize the transfer. Perhaps the same thing happens for the recipient. I suspect Marriott would rather just turn off transfers than get in the middle of the mess.

 

[daviator]

I agree that we need to know more, but at the end of the day, under the current system, it isn’t MVC's job to police these transactions, only to facilitate them. If you transact with a crook, you may get burned.

Maybe I’m naive, but I don’t think MVC intended to create a cash marketplace for points when they allowed exchanges. When that happened, they’ve struggled a bit with how to deal with it. The 20,000 point transfer limitation is one result of their struggle to limit these transactions.

Like many person-to-person transactions these days, there are bad actors out there and you have to do your own due diligence to avoid them. If MVC has to spend money policing these transactions, my guess is that they’ll either take away that option or start charging us for the privilege.

But yes, we don’t know who the bad guy is here. For all we know, the original owner gave account access to someone for the purpose of facilitating points rentals, then forgot and freaked when they saw the deductions and complained to MVC. Or one spouse knew and the other didn’t. it's easy to assume the person renting the points out was the bad actor but it might be more complicated than that. My point is that it almost doesn’t matter – if it turns out to be a messy transaction, it’s the person paying to rent points who will get screwed. So caveat emptor.

 

[Hindsite]

Like many person-to-person transactions these days, there are bad actors out there and you have to do your own due diligence to avoid them. If MVC has to spend money policing these transactions, my guess is that they’ll either take away that option or start charging us for the privilege.

If they start to charge, it would be nice if they provided a platform for rentals, even if its only their own surplus points inventory. It would be such fun to throw that at sales, so I doubt it will happen, but is a way they can make money from the process. They already rent out their surplus weeks ownership, so its not too far a stretch to rent out points.

 

[LeslieDet]

Help Requested if this has happened to anyone else and also FYI for anyone renting / transferring points.

Marriott cancelled a vacation and took points away from our account without authorization from us.

Backstory, we rented points from another owner in October, 2024. These points were transferred to our account and we paid for them. Everything seemed legitimate throughout the process. We communicated with owner via phone and email (or who we thought was the owner).

On Friday, Jan 17, Marriott removed the points and cancelled a reservation we had (we did not recieve any notification from Marriott). We called Marriott to see what was going on and they said the transfer and purchasing of these points was a fraud/cyber incident and the owner did not approve the transfer. Thus they removed the points from our account.

They added this was a cyber incident and this has happened to over 20 other owners. Unclear to us, if someone hacked Marriott to transfer points or hacked individual owners to then submit the transfer form. Either way it seems apparent that Marriott failed to have the appropriate verification controls in place to prevent this from happening.

Their cyber and legal teams are currently investigating.

Personally, these seems like a Marriott problem, as Marriott processes all transfers and they should not be able to remove points from accounts.

Any help/suggestions would be greatly appreciated. Or if this happened to you please let me know and would like to connect. TIA!

When you posted in the FB group, didn't you say that you knew the person you were renting the points from was not the actual owner?

Regardless of whether or not you knew, if an owner's account was the victim of a scammer fraudulently transferring points from that owner to you, then the owner is also a victim. MVC remedied that aspect and made the owner, who reported basically a theft of their points, whole. You are a victim of the scammer, not of MVC. Just like when anyone buys stolen goods, the one who paid the money for the stolen goods ends up losing, not the victim who had their property stolen, when that property can be returned to them. Hopefully you can get ahold of the person who you paid, if indeed it was someone who you knew was not the owner, and you can get more details as to why they were renting some one else's points to you.

BTW - the form to transfer points reflects the name and account from where the points are to be withdrawn and the name and account for who is receiving those points. It doesn't verify that the underlying transaction is valid, it simply facilitates the transfer, because the form is completed online after logging into the owner's account. The source of the form is the verification it came from that owner's account. It isn't like there was some random unverified form faxed or emailed into MVC that they acted on to transfer points. No financial aspect involves MVC. If that owner had their account "hacked" by a scammer, then that owner either gave someone access to their account or had their login and password compromised (or perhaps is lying that they did not know about the transfer?). But MVC isn't responsible to ensure that the owner hasn't given their login credentials to someone else or that the owner uses unique passwords for his or her login.

BTW, if MVC had transposed an account number in pulling the points or if MVC had pulled the points without ever receiving a form, then yes, MVC would bear responsibility and it would be MVC's problem.

 

[davidvel]

I guess people don't care about the crappy security on the owner website. Too bad so sad. They have a process where they transfer out points worth thousands of dollars and there is no 2FA to login, or even 2FA when doing this transaction. It has an email to confirm the transaction but allows someone to change it. Elementary school kids could write safer code.

 

[dioxide45]

I guess people don't care about the crappy security on the owner website. Too bad so sad. They have a process where they transfer out points worth thousands of dollars and there is no 2FA to login, or even 2FA when doing this transaction. It has an email to confirm the transaction but allows someone to change it. Elementary school kids could write safer code.

It should also be noted that if people somehow have their bank account compromised by a stolen password and Zelle payments are sent out, the banks are unlikely to restore the funds to the bank account owner. Though I know people have had Bonvoy points stolen by people ordering merchandise and Marriott International has restored their Bonvoy points.

Did the person whose account was compromised file a police report? We don't really have any idea what happened or how they did it.

 

[emeryjre]

It should also be noted that if people somehow have their bank account compromised by a stolen password and Zelle payments are sent out, the banks are unlikely to restore the funds to the bank account owner.

My bank accounts are secured by 2FA
In fact, almost all my accounts have 2FA
Except for Marriott and Vistana Vacation Club Sites

 

[LeslieDet]

My bank accounts are secured by 2FA
In fact, almost all my accounts have 2FA
Except for Marriott and Vistana Vacation Club Sites

That doesn't make a difference when the owner of the points gives their login to a broker or family member who manages everything for them. The phone number for 2FA can be changed.

 

[dioxide45]

That doesn't make a difference when the owner of the points gives their login to a broker or family member who manages everything for them. The phone number for 2FA can be changed.

Do we even know that is what happened here? Unless I've missed something, we really have no idea how the account was compromised.

 

[LeslieDet]

Do we even know that is what happened here? Unless I've missed something, we really have no idea how the account was compromised.

No we don't have the info. I'm simply saying 2FA isn't fail proof when the owner of the account gives another access. I'm curious what the OP will say regarding the knowledge that the person who was renting was not the actual owner, as was referenced on the FB post, which is now deleted.

 

[emeryjre]

That doesn't make a difference when the owner of the points gives their login to a broker or family member who manages everything for them. The phone number for 2FA can be changed.

So you are saying this is not an unauthorized access issue
Rather someone playing games after being granted access to an owners account
I am not totally familiar with all the facts that have been presented in this case

I am very familiar with how 2FA security can be broken once initial access is gained
If my accounts have something changed like a new phone number added or a password changed the change is sent to the original email
Even when a new email is added

 

[dioxide45]

No we don't have the info. I'm simply saying 2FA isn't fail proof when the owner of the account gives another access. I'm curious what the OP will say regarding the knowledge that the person who was renting was not the actual owner, as was referenced on the FB post, which is now deleted.

I don't follow Facebook enough, so I wasn't aware of that detail. That seems to be a pretty big red flag. Why would a scammer even divulge such information?

 

[LeslieDet]

So you are saying this is not an unauthorized access issue
Rather someone playing games after being granted access to an owners account
I am not totally familiar with all the facts that have been presented in this case

I am very familiar with how 2FA security can be broken once initial access is gained
If my accounts have something changed like a new phone number added or a password changed the change is sent to the original email
Even when a new email is added

I do not know the details of the actual transaction. There was a FB post yesterday where the "anonymous" poster, in describing what happened, said words to the effect that they knew the person they were renting from was not the owner of the points. I asked a follow up question to clarify, and no response was given. I checked today to see if there was a response, but the entire post had been deleted. So, details are missing.

As to the 2FA, yes, the email is sent when a new phone number or pw is changed. But when someone grants another access, the owner may not even pay attention to the email re change. I mentioned this in the other post about the topic that when I rented out some of my points in August, I actually received an email confirm from MVC saying my request to transfer #quantity of my 2025 usage points were transferred to owner account #. Apparently, that isn't routine, as others have said they didn't receive anything similar. IDK. Unfortunately, I didn't retain that email since the transaction was straight forward. I was paid up front, then I completed the form, and I emailed the person to say check your account after I received the email from MVC. The points they rented from me were in their account. I assumed, perhaps in error, that everyone received similar emails confirming the transfer of points. I do not understand the discrepancy in experiences.

Just BTW - I receive emails when a guest form was completed and the name changed on a reservation; I receive emails saying my banking deadline is approaching; I just recently received an email along with a notification on the app that I have points expiring soon, and those were points I won in that game almost 2 years ago. I simply don't understand the discrepancies among owner account notifications.

 

[dioxide45]

I do not understand the discrepancy in experiences.

Just BTW - I receive emails when a guest form was completed and the name changed on a reservation; I receive emails saying my banking deadline is approaching; I just recently received an email along with a notification on the app that I have points expiring soon, and those were points I won in that game almost 2 years ago. I simply don't understand the discrepancies among owner account notifications.

It can be a lot of things and mostly comes down to people ignoring the email or the email going to spam because they marked something similar from MVC as spam in the past. A lot of people use their spam settings to filter out the "unimportant" stuff they don't want to see day to day.