147940 Views 672 Replies Latest reply: Apr 11, 2014 4:05 PM by swmarketing
  • sodamo Contributor 260 posts since
    Nov 5, 2011

    Much much better analogy than the illogical "no smoking = no phishing = more customers"

     

    Sent from my iPad (3rd Gen) with Aloha

    Please visit vacation.ninolehawaii.com

  • info@stayattremblant.com Active Contributor 543 posts since
    Aug 25, 2011

    sodamo wrote:

    Much much better analogy than the illogical "no smoking = no phishing = more customers"

    LOL -- just remember that was never my analogy; that was someone's misinterpretation of a completely different analogy.  ;o)

  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    [with the current system] A scammer simply clicks the "I forgot my password link" on HA and changes your password.  Access to dashboard granted!

     

    P.

    RE: http://community.homeaway.com/message/26170#26170

     

    You're right.  The current system needs to be improved so there is some second point of confirmation -

     

    Like if HomeAway were to send a text message with a code to the phone number in your profile and you had to type that code in to the password reset screen before it would send you a new password.  Unless someone also steals your phone, they wouldn't be able to get or reset your HomeAway password to get in.
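
The second confirmation step proposed in the post above, sketched as an added example (not part of the original thread and not HomeAway's code). `ResetGate`, the `send_sms` hook, and the expiry and attempt limits are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 600      # seconds a code stays valid (assumed policy)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the request is voided (assumed)


class ResetGate:
    """Password reset that only proceeds after a code sent to the phone on file."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # hypothetical hook: callable(phone, text)
        self._clock = clock
        self._pending = {}         # account -> [salt, digest, expires_at, attempts_left]

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode("utf-8")).digest()

    def request_reset(self, account, phone_on_file):
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not random.random()
        salt = secrets.token_bytes(16)
        self._pending[account] = [salt, self._digest(salt, code),
                                  self._clock() + CODE_TTL, MAX_ATTEMPTS]
        # Deliver only to the number already stored in the profile, never to a
        # number or e-mail address supplied along with the reset request.
        self._send_sms(phone_on_file, f"Password reset code: {code}")

    def confirm_reset(self, account, submitted_code):
        """Return True once, for the right code, inside the time and attempt limits."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        salt, digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[account]  # expired or guessed too often: start over
            return False
        entry[3] -= 1
        if not hmac.compare_digest(digest, self._digest(salt, submitted_code)):
            return False
        del self._pending[account]      # single use: a replayed code is rejected
        return True
```

A new password is issued only when `confirm_reset` returns `True`, so access to the mailbox alone no longer completes the reset.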

  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    You're right - an SMS / text message cannot be the only way to provide the second form of verification - whether for resetting a password or any sort of regular logon either.

     

    Even for people in the US, it's unreasonable to expect people to always have their phone with them, that it always has a charge, or even that they have enough credits to receive a text message.  Thankfully (I say sarcastically) all the cellular carriers are going to be pushing us to unified data plans that combine internet volume and text message volume into one bill.

     

    Sending text messages to overseas carriers would cost HomeAway an arm and two legs, so I have to imagine that they have some other validation method in mind. 

     

    The overview of 2-factor / 2-step authentication on wikipedia is pretty inclusive: http://en.wikipedia.org/wiki/Two-factor_authentication 

     

    One of the things it says is that challenge questions are typically not considered a strong enough way to confirm someone's identity.  At the very least, they'd have to use questions more unique than just the old "mother's maiden name" question.

     

    The wikipedia article points out that using phones for authentication is relatively new.  So, HomeAway could send homeowners traditional RSA SecurID tokens (similar to what swlinph described earlier).  Or they could send out USB tokens.  Either would work, but would entail a cost to purchase, send, and replace when lost.

     

    My guess is that they will offer a soft token solution of some sort.  Cheap to license, easy to distribute, can be quickly enabled or disabled, and generally easier for the end user to make use of.  I'd be pushing for that if I were their accountant or support manager.

     

    Anyone here work for a company that does two-factor authentication for remote access by VPN?  Care to share how they validate that you are really you?

  • info@stayattremblant.com Active Contributor 543 posts since
    Aug 25, 2011

    VPN connections, RSA SecurID tokens, softtokens, USB tokens, 2-factor/2-step authentication, text messages to a cellular?  I think it's time to learn a new internet word... are you sure you guys aren't just trolling here?

     

    These can't be serious suggestions.  If so, then I think it's clear you're not listening to those of us who are serious about proposing a viable and realistic solution as well as aiming for simplification of the process.

     

    No disrespect intended but I feel like someone has suggested that the Ambassadors propose outlandish solutions so that when HA rolls out their final solution we'll all sit back and say:  "Phew, it could have been worse!  I could have had to carry an RSA SecurID token with me wherever I went. Aren't we lucky we only have to log on to HA six times a day to reply to our inquiries."

  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    Nope, not trolling - just trying to think through logical ways to cover the extremes.  No one has even come close to suggesting that a physical token would be a requirement for everyone - but it might be a fall-back solution for the few that cannot make use of a simpler method of validation. 

     

    As for:

    "....... Aren't we lucky we only have to log on to HA six times a day to reply to our inquiries."

    I don't understand.  Do you log in and out of your email 6 times a day, or do you just keep it open all day long?  I keep mine open all day.  I also keep my HomeAway open all day.  As long as no-one can physically take over my physical PC, it's safe to leave open.

     

    Is the issue that some people only have access at public / shared PC's? I'd say that they're a small minority these days, but wouldn't they have to log in and out of their email account to check and respond to inquiries just the same as if they did their communication through a dashboard application?  Same number of log ins / log outs either way.  Seems like a red herring to me, but maybe I'm missing something.

  • info@stayattremblant.com Active Contributor 543 posts since
    Aug 25, 2011

    I never log out of email.  Ever.

     

    I always log out of any Web Site and clear cookies regularly (as should anyone who is concerned about phishing or theft of identity).

     

    In the course of a day, I will use three different computers (home, work and portable), one tablet and one smart phone.  All devices lock tight after several minutes of inactivity.

     

    All devices are permanently logged into email but actual device access is controlled by strong passwords and aggressive timeouts.  I am always on the go and continually swapping devices depending where I am or what I am doing.  I work in high tech and security is paramount.  I use RSA softtoken and VPN to log on and test the largest routers in the world using these same devices... I cannot stay logged in to HA.

     

    My situation will not be unique.  Most people these days have multiple devices with always-on email.

     

    The proposed system will often mean an 8-hr delay until I get home after work before I can log on and reply to my inquiries (where now I simply hit reply and it's done within a few minutes).   I am busy enough during the day that 5 minutes I can barely spare but 10 minutes is a no-go and I'll need to do it later.

     

    For some of us, this proposal could kill our businesses.

     

    P

  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    @ Info -

     

    Do you consider your email safe enough to not ever exit because it is a native app, not a browser based interface?

     

    I won't question your logic of logging out of web sites even when you consider your device to be secure.  Those are policies you've set for yourself, and in your security circles consider it a necessary step.  There are those who differ with you, but it's a sideroad we don't need to travel in this conversation.

     

    The one thing I noticed is that the smart phone is a constant throughout your day.

     

    What if you were able to access your inquiries from a native iOS or Android app (not browser) without constant log in.  Just like with your native email client, the device itself, and the security on the device, is all the authentication needed.  So just like your email, it could remain open, albeit behind your device's security measures. 

     

    With constant, easy access from your secure smart phone, you would be able to see all the new guests' inquiry contact info and email it to yourself.  You could then use your native email client, on whatever device met your fancy at the time, to communicate with the client.  This of course assumes we can convince HomeAway to display the guest contact info from within their secure environment.  Could this work for you?

     

    I sincerely think your case is unique. And if HomeAway makes changes that require us to gather initial guest info through a special gateway, it may add additional steps for you.   But, I believe the vast majority of homeowners access their guest communications from one or at best 2 different, yet secure locations through the day.  And the promise of being able to do all their business via a smart phone app would be a new, easier option altogether for most.  Although tempted, I won't repeat the old Spock quote....

  • info@stayattremblant.com Active Contributor 543 posts since
    Aug 25, 2011

    No.  Smartphone is unacceptable for running a business with often long emails.  Yes, logging off is more secure despite device being physically secure (and is good security habit to get into for all logins).  No, iOS and Android apps will not help (I don't have either one and I'm sure others also don't). There is no way my situation is unique.  I REQUIRE consistency and efficiency in running my business. Period.  Any extra steps imposed by HA will prompt me to seek another solution.

     

    If I speak only for myself, then they can just ignore me.  But I think HA ignores this feedback at their peril.

     

    I've made my position clear and suggested alternatives.  I think I'm done here.

     

    P.

  • mike-dfv Community All-Star 835 posts since
    Mar 5, 2011
    swiss-house wrote:
    Although tempted, I won't repeat the old Spock quote....
    "I believe this bark has sufficient tensile cohesion"?
    Mike
  • swiss-house Contributor 260 posts since
    Jul 6, 2011

    Re: Is this where we are headed

     

    Please, drama for the sake of drama does nothing to move the conversation forward, it only drags us back into the mud.

  • Contributor 86 posts since
    Oct 31, 2011

    Not sure how you ended up in the mud!  Not sure how this is "drama".  Examples of what happens to others might help open the eyes of some.  Who is to decide what is drama and what is not?  Who is to decide what we should or shouldn't say at all?

     

    To me it is another example of how companies make decisions that "they" think are the best for their customers.  Sometimes they get away with it and sometimes not!  Sometimes decisions are made that are best for the company but not always best for all the customers!  It is a risk they take!

     

    One more time.  How about a simple statement of the business problem they (HA) perceive exists and a simple statement of their proposed solution.  I still don't think it is clear what is the risk and what is our reward.

     

    For me, don't make it take me any longer to respond to my guests and don't capture any private information that is exchanged between me and my guests.

     


    Randy

  • tsvr Contributor 220 posts since
    Feb 28, 2011

    I agree! My reviews (for 4 properties) have already become almost non-existent since guests are now required to set up a Travelers Account. For the guests that have responded to my query as to why they didn't provide a review...each and every one of them has stated that they do not want to sign-up!!!

    I have notified HA of these replies numerous times. They just say that they are keeping track of how the requirement affects reviews.
