675 Replies. Latest reply: Sep 15, 2014 5:11 PM by dhf0820
      • 180. Re: Your Input Needed! you must log-in to your dashboard to respond to inquiries
        anja Senior Contributor

        Correct!   HA informed this already in the initial notice they published.  I've been repeating this. Others  have repeated this.

        • 181. Re: Your Input Needed! you must log-in to your dashboard to respond to inquiries
          anja Senior Contributor

          This has been stated more than once, Amyg,  by me and  others here who did attend the Webinars and have been trying to shed some light on what was discussed ...because we've been asked to by people on this forum.  At first, I too "worried" but then I realized that I could work with this.  So, just wanted to be reassuring here, in my posts.  And...

           

          ....the main, important thing to understand is that the "new" thing is the  "login"....to retrieve the first inquiry...as HA stated from the beginning. You'll get each other's  full  contact information, in the process...the question is what detail and when {I'd like to know, as others, what "traveler" contact details will be included for the owners to see, in that very first,  initial inquiry?}  The discussion continues with Tom-HA//Security Manager. Attendees gave their feedback to the proposal....the "login" system is in development...discussion is ongoing.

           

          Regardless, what is "unsaid" in the HA notice.... but true...... you and your prospect can both decide, then and there, whether you want to move the conversation outside, by phone and email.

           

          For the purposes of clarity, again....that relates to the "inquiry/calendar" part of RM....which would be the mandated side of RM.   And..

          .  ....the other part of RM is the payment / insurance part....again optional as it always has been...and will remain so.

          • 182. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
            Contributor

            So... trying to take a step back outside the box. and a few thoughts...

             

            As owners, we are victims of phishing - not the culprits.

            As owners, we are a known item to HA/VRBO, when they post our email address, phone # etc to their sites, it has been checked, if they had not gotten their money our info wouldn't get posted.

            As owners, we are to be trusted - HA/VRBO already does and by posting our info imply that we are.

             

            Phishing comes from outside the system, in the guise of travelers.

            Traveler info is not verified, implying not to be trusted.

            HA/VRBO could force a program where every traveler must register to pose an inquiry. Such registration would be invisible to the individual owner, but we would know that a registered traveler is now a trusted traveler.

            Of course this may raise an issue or two from the HA/VRBO standpoint. They would have to declare upfront what happens to traveler registration info, either nothing or it is being mined for HA/VRBO benefit.

             

            A verified, trusted, registered traveler is allowed to email any owner from within the HA/VRBO system without any owner involvement or filter with their email, phone# etc passed to the owner in the initial contact. As another poster suggested, ALL inquiry fields must be populated with legitimate data (no blanks or phony numbers) to be passed by the system. A traveler working from within the system is confident of safeguards.

            If you believe an earlier posting: No Smoking = No Phishing = More Customers.

            We will all be rich and happy (read with sarcasm)

             

            I guess my main point is phishing comes from the non owner (traveler) side of HA/VRBO. Efforts to "fix" should be directed to that side, be transparent, and require NO new action on the part of an owner.

             

            I can't help but wonder if HA/VRBO isn't trying to make us look to be part of the problem (same light as the payment badge), even using us to get more info for their databases that we don't need (because we get it for our transaction legitimately anyway).

             

            David

            • 183. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
              Contributor

              Phishing comes from outside the system, in the guise of travelers.

              Traveler info is not verified, implying not to be trusted.

              HA/VRBO could force a program where every traveler must register to pose an inquiry. Such registration would be invisible to the individual owner, but we would know that a registered traveler is now a trusted traveler.

              Of course this may raise an issue or two from the HA/VRBO standpoint. They would have to declare upfront what happens to traveler registration info, either nothing or it is being mined for HA/VRBO benefit.

               

              A verified, trusted, registered traveler is allowed to email any owner from within the HA/VRBO system without any owner involvement or filter with their email, phone# etc passed to the owner in the initial contact. As another poster suggested, ALL inquiry fields must be populated with legitimate data (no blanks or phony numbers) to be passed by the system. A traveler working from within the system is confident of safeguards.

              If you believe an earlier posting: No Smoking = No Phishing = More Customers.

              We will all be rich and happy (read with sarcasm)

               

              I guess my main point is phishing comes from the non owner (traveler) side of HA/VRBO. Efforts to "fix" should be directed to that side, be transparent, and require NO new action on the part of an owner.

               

              David,

               

              In my opinion, there is a fatal flaw in your post. You should never, ever rely on VRBO/HA to determine who is a trusted or verified traveler. There will always be a work-around for scammers, phishers and hackers to masquerade as legitimate customers.

               

              What can HA/VRBO do to verify anyone is who they say they are? No one should be more vigilant in verifying the identity of the customer than you, the one who stands to be out the money, or your possessions, or your identity even.

               

              I do believe that HA/VRBO wants to make us look to be part of the problem. If we answer inquiries through the HA/VRBO system, then we initiate taking our transaction private, which is our right as the business owners, we look (to the naive traveller) like we are stepping outside HA/VRBO's false security system.

               

              In short, we owners should be looking to OURSELVES to take care of our business. Not relying on a "big brother" of questionable ability and motive.

              • 184. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                Contributor

                I agree with Sodamo.  If HA believes that we are part of the problem in the event our email address has been hacked (they could say by a party outside of our communications with HA/VRBO, their system and registered travelers), perhaps we could all create a new email address that we only use for communications with HA/VRBO system and travelers coming from those sites.  That way if that email address is ever hacked, we are certain where the breach occurred and can then address the real problem.

                 

                It would be very helpful (and appropriate at this point) for HA's Secure Communication Group Owner Meredith to participate in this discussion in order to clarify/provide information on the current status of this proposed requirement to log-in to dashboard including the particular reasons/incidents prompting this requirement, a detailed explanation of each step of the process (what information has been required/verified from the traveler in order to make the inquiry, what information on the traveler is visible to the owner upon the initial inquiry/login, what information is communicated/visible to the traveler upon the initial owner reply, etc.), and why HA/VRBO feels this is the best solution and how it will eliminate the phishing problem.

                • 185. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                  Contributor

                  Wiffle

                  No argument here.

                  The way I read some posters here, they see a HA/VRBO solution as a panacea and those of us who do question as "not getting it"

                   

                  I suspect that whatever system HA/VRBO implements will contain two disclaimers:

                  One to limit any HA/VRBO liability, but worded to create the impression of security.

                  Two to discredit any communication occurring directly between owner-traveler outside their system as being not as secure.

                   

                  David

                  • 186. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                    otttoyboy Senior Contributor

                    sodamo wrote:

                     

                    [...] Phishing comes from outside the system, in the guise of travelers.[...]

                     

                    Alas, this is not true.  There is no phishing without spoofing and, unfortunately, both owners and travellers can be spoofed.  In fact, I believe the very problem HA is trying to address can be read about here and here.  This is a case of owners being spoofed and a traveller being phished.

                     

                    I'd say that most of the fake traveller inquiries aren't phishing at all, they are scams/fraud.  An example would be guests trying to pay with fake  cheques and asking for a refund "for a sick mother" before the cheque has cleared.  If you've been on the internet for more than a millisecond or two, undoubtedly you've seen such things.

                     

                    When an owner is phished, generally the phisher is trying to gain information from the owner such that he/she can then turn around and spoof the owner's identity or listing with the intent of defrauding travellers.

                     

                    I generally agree with HomeAway's initial reply to phishing, with the exception of holding the second victim (the owner) financially responsible for the actions of criminals -- especially as long as they've done due diligence of becoming educated and maintaining strong personal passwords and security.

                     

                    In summary, phishing does not only originate in the guise of travellers.

                    P.

                    • 187. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                      Contributor

                      DB

                      I personally would have no problem having a HA/VRBO only email provided I can access it directly, not having to go to Dashboard or another part of HA/VRBO to use it.

                       

                      David

                      • 188. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                        otttoyboy Senior Contributor

                        lrbaldwin wrote:

                         

                        Now, if our email has been hacked, at least the hacker can't get access to our dashboard unless he's also hacked H/V.

                        [with the current system] A scammer simply clicks the "I forgot my password" link on HA and changes your password.  Access to dashboard granted!

                         

                        P.

                        • 189. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                          Contributor

                          "In summary, phishing does not only originate in the guise of travellers"

                           

                          Not sure why I'd respond to an inquiry if I didn't believe it was from a traveller. A traveller inquiry is what I expect via HA/VRBO along with their marketing spam.

                           

                          Please note I did not say ONLY in my post, that is your qualification.

                          David

                          • 190. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                            lrbaldwin Active Contributor

                            How does he know your ID for H/V to begin with?  Oh, is that our email address?  I have forgotten.  OK, so we have an ID that isn't our email address.  Is that what you mean?

                            • 191. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                              otttoyboy Senior Contributor

                              Sorry sodamo, I totally don't understand your reply.  It seemed like you were trying to say that the phishing that HA is trying to address is originating from travellers.  I'm observing (and have supplied the references to support) that they are first and foremost trying to protect travellers from phishing originating from thieves who have spoofed owners' profiles.

                               

                              P.

                              • 192. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                                Contributor

                                This highlights an interesting point. Why not focus on making our (owners) HA/VRBO account more secure?

                                Why isn't that a higher priority than traveller-owner communications?  If, indeed, security is the primary concern, how does that not work in that direction?

                                 

                                I have a number of online financial accounts, my email is NOT the user name/password for any, some also require a PIN or other info in addition to my username/password. These are not new systems, been around awhile.

                                 

                                David

                                • 193. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                                  otttoyboy Senior Contributor

                                  lrbaldwin wrote:

                                   

                                  How does he know your ID for H/V to begin with?  Oh, is that our email address?  I have forgotten.  OK, so we have an ID that isn't our email address.  Is that what you mean?

                                  No, no... you asked me how the phisher who had gained access to our e-mail account would be able to access our HomeAway dashboard, I was just letting you know how.

                                   

                                  Peter.

                                  • 194. Re: Your Solutions Now Needed! log-in to dashboard to respond to inquiries. See my 6/23 post page 9!
                                    Contributor

                                    Doing the Two-Step

                                     

                                    I'll wade into the conversation again - hopefully the rocks thrown at me won't have too many sharp edges...

                                     

                                    It's been mentioned before, but I think it needs to be brought up again: The solution HA is suggesting is based on requiring us to go through a two-step authentication system to prove our identity before we can log in.  Two-step authentication is what is lacking in nearly all email systems, including desktop based software like Outlook or Thunderbird.

                                     

                                    For most of us, to log on to your email, all you need is your email address and your password.  If anyone manages to steal these from you, they can read your email and do things like forward it to another address and delete it from your inbox, or all sorts of evil, nasty things.  And they can do it from anywhere with a PC with a browser, even countries off the Gulf of Guinea.

                                     

                                    But with two-step authentication, you need the logon ID, plus two forms of proof.  The first is still a password.  But the second is usually something unique to you, something an imposter couldn't get access to.

                                     

                                    I'll save you the history lesson of RSA key fobs and other stuff, because these days the easiest way to provide that second form of proof is via your mobile phone's SMS / text message system.  There are other ways such as embedded browser helper programs that identify a specific "safe" login machine, etc. - but the most widely used is the SMS / Text Message.

                                     

                                    It costs a lot for a company to do this, because they have to pay 5 to 50 cents per text message they send, but the way it works is simple:

                                    When you log in, you enter your user ID and your password.  You then receive a text message on your mobile phone - it will only send the message to the phone (or phones) in your profile (it might even be a different one than the one in your HomeAway listing).  It includes a 4 or 6 digit code that you then type in.  NOW it will let you in.

                                    And you can STAY logged in on that computer, so that if you get inquiries through the course of the day, you don't have to keep going through the routine of logging in. It doesn't have to be a hassle.

                                     

                                    There are other ways to accomplish something similar, including keeping track of IP addresses.  A security system can be made smart enough to know that if it sees you do a proper two-step log in from the same IP address 3 or 4 times in a row, then it can trust that IP address is really you, and it can stop sending the text message portion of the login process - or only require it every 3rd or 4th log in. 

                                     

                                    And if you want to reset your password because you forgot it?  Yes, you must have your mobile phone to receive a code (and it will only use the phone numbers in your profile) to prove you really have that phone in your physical possession.

                                     

                                    No system is perfect - and I don't know if this is how HA will do it.  If they do, I'm sure they'll have back up processes in case you lose your phone, or whatever other physical confirmation vehicle they end up implementing. 

                                     

                                    But the key is that a two-step process can do what most email security systems can't - it can require that someone not only steal a password, but also steal something physical like a phone, or break into your house to use your physical PC.  And that's about the only way to provide a reliable shield around your conversations.

                                     

                                    BTW: Google Gmail DOES offer two-step authentication for its users, although you aren't forced to use it.  You can read more about THEIR approach at: http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html
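
The login and password-reset flow described in post 194, sketched as an added example that is not part of the original thread and is not HomeAway's implementation. The class name, method names, the 300-second code lifetime and the three-guess limit are assumptions, and `send_sms` is a stand-in for a real SMS gateway.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300     # assumed: seconds a texted code stays valid
MAX_ATTEMPTS = 3   # assumed: guesses allowed before the code is burned

class TwoStepAuth:
    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms  # callable(phone, text); stand-in for an SMS gateway
        self.clock = clock
        self.users = {}           # user_id -> {"salt", "pw", "phone"}
        self.pending = {}         # user_id -> [code, expires_at, attempts_left]
        self.trusted = {}         # user_id -> set of remembered device tokens

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password, phone):
        salt = secrets.token_bytes(16)
        self.users[user_id] = {"salt": salt, "pw": self._hash(password, salt), "phone": phone}
        self.trusted[user_id] = set()

    def send_code(self, user_id):
        if user_id in self.users:             # goes only to the phone on the profile
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[user_id] = [code, self.clock() + CODE_TTL, MAX_ATTEMPTS]
            self.send_sms(self.users[user_id]["phone"], f"Your code is {code}")

    def _check_code(self, user_id, code):
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        entry[2] -= 1                         # every guess costs an attempt
        live = self.clock() <= entry[1]
        ok = live and hmac.compare_digest(entry[0].encode(), code.encode())
        if ok or not live or entry[2] <= 0:
            del self.pending[user_id]         # single use, expired, or guessed out
        return ok

    def login(self, user_id, password, device_token=None):
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(self._hash(password, user["salt"]), user["pw"]):
            return "denied"
        if device_token in self.trusted[user_id]:
            return "ok"                       # remembered computer: no text needed
        self.send_code(user_id)
        return "code_sent"

    def verify(self, user_id, code):
        if not self._check_code(user_id, code):
            return None
        token = secrets.token_urlsafe(32)     # lets this computer stay logged in
        self.trusted[user_id].add(token)
        return token

    def reset_password(self, user_id, code, new_password):
        if user_id not in self.users or not self._check_code(user_id, code):
            return False                      # no phone code, no reset
        self.register(user_id, new_password, self.users[user_id]["phone"])  # drops trusted devices
        return True
```

A reset starts with `send_code(user_id)`, so control of the mailbox alone is not enough to change the password; re-registering on reset also forgets every remembered computer.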
