Flipkey has now implemented a new email communications security measure between travelers and owners, but still using email to correspond, and not force login to Dashboard.
I sent a test inquiry through my Flipkey ad. When I, the Owner, received the inquiry and click on reply, the send to email address appears as follows:
When I, the Inquirer, received the Owner’s response and click on the reply, the send to email address appears as follows:
My conclusion: email correspondence between Owners and Travellers now channels through Flipkey email server first to serve as a redirector, then forwards the email to Owner or Traveller.
My Take: Why can’t HomeAway/VRBO use the same method and not force Owners to login to their Dashboard?
So this is how you would like to communicate with your guests? You want to always send your email to someone else first instead of communicating directly with them? What if you want to send them a Christmas wish email? Do you send it to Flipkey so they can forward it to them?
I wonder if the guests get confused as to who they are really communicating with. Looks like junk email address to me. How do they know the diferrence?
We pay to advertise on your site HA/VRBO. A guest is interested in our property. Let us know who it is and then leave us alone! You (HA/VRBO) have done your job! The more complex the transaction becomes the less likely we are to receive inquiries. If we got to start using some super secret hand shake code, do we really think that will make most guests comfortable with the transaction. Ah yes, that email came from slkfjsldkfjoiueoire89*&*608968s.homeaway.com. It must be Randy!
If you (HA/VRBO) don't want to be responsible for sending us our guest information , then at the least send us an email with everything except for the personal stuff like name, phone, and email address. We can check out guest inquiries and get what we need from there. Then we can communicate with our guest however we see fit. Don't want to see this happen (think over kill) but I think it is better than using third party (HA/VRBO) to communicate with our guests!
I wonder what the current statistics are of HA/VRBO emails getting intercepted and fraud occurring?
On Owner's response to Inquiry, Owner always has the option, if desired, to ask for Traveler's email address and whatever information Owner desires. That is his/her business to conduct. The coded address is used only when Owner or Traveler hit the reply button in their email client, but it doesn't preclude them from asking for the other's email address.
Addendum: actually, all the information is supplied to the Owner. Whatever data fields the Inquirer filled up when sending the inquiry is sent to the Owner including Traveler's email address.
I experimented with Flipkeys coded email address and didn't find any security improvement after all. So, I'm wondering why they made the change.
Looking at the Inquiry, I copied the entire contents of the Email Inquiry (body, coded email return address, subject), and pasted it to my wife's email address, then composed a reply & sent. This is the kind of thing that a scammer might do in intercepting a phished email account. I was hoping it will be intercepted at Flipkey's Email Redirector, but it didn't. It went through. Not impressed with this change after all.
FWIW, I received my first FlipKey inquiry today and the email address was still contained in the body of the email and I was able to reply directly to the guest using their non-encrypted email address.
There is also a reply button in the body of the email that appears to re-direct through the site (and I did have to log in) for those who wish to do so.
Seems the new FlipKey re-direct isn't yet universally deployed.
Also FWIW, while I much prefer direct email, it would be acceptable to me, personally, to have the email re-directed via FlipKey or HA for the initial email if that would placate those concerned about phishing. At least that method wouldn't bring my business to a grinding halt.
While I feel as a kindred spirit with pcb-randy, in this case I actually think FlipKey has struck a (barely) acceptable balance if what tfv describes is rolled out. I don't see the necessary connection between the encrypted email and identifying owners or guests...
Still I think it would be better to address phishing and fraud at the root-cause level rather than inconvenience owners and guests with any of these stop-gap schemes.
Owner's receipt of Inquiry shows an encrypted email address for the inquirer, and upon hitting reply, the encrypted address appears at the "to" field. I therefore assume that owner's response is first routed to Flipkey and then forwarded to the inquirer. Likewise, upon inquirer's receipt of owner's response, the "from" field shows an encrypted email address, and upon hitting reply, the encrypted address appears at the "to" field. Therefore, communications back and forth between owner and traveler, so long as both of them uses the "reply" button, goes to Flipkey first, before it is forwarded to the intended recepient. For what purpose, I can only assume there must be some security purpose; however, I haven't yet figured that out.
The owner is able to see all data fields that the inquirer answered, therefore inquirer's email address is shown in the body of the inquiry. Likewise, inquirer is able to see the owner's true email address somewhere at the lower part of owner's email. Now assuming, owner's email credential is compromised due to phishing, scammer would be able to view the inquirer's email address and will have the ability to communicate to inquirer. So, it puzzles me as to what purpose is Flipkey implementing this change.
Since communications between owner and inquirer goes through Flipkey first, before it is forwarded to recepient, Flipkey should now have the means to perform some checking for bonafide owner and inquirer, but as to what exactly it is doing, I still haven't figured that out.
One thing that is becoming clear, HA/VRBO customers are not pleased with the forced changes and penalties imposed upon them when they do not use what HA/VRBO thinks is best for us! I talked to a friend yesterday and he told me that he has pulled all his listings from HA/VRBO and is using Flipkey. He has been getting great responses and is booked until fall for all his properties.
I know what HA/VRBO is probably thinking about - not everyone will be happy with our changes but it will just be a few so we will be ok. Isn't that what Netflex thought about its customers when they changed their plans and pricing?
A great business never loses site of the customer and listens to what they have to say! A company that thinks it is great, does what it thinks is best for its customers!
Randy, I agree with much of what you have said in your posts throughout this thread. But, Netflix is not a good example to cite to Homeaway as reason not to change policies. Just recently Netflix was touted in many financial columns for it's successful efforts to increase it's customer base and the stock jumped in value. I think I read somewhere that it reached a new 52 week high (?). Not to say Netflix is the success it was or could have been prior to the shake up, but it's hardly been the disaster that was predicted at the time of the botched decisions. Many users have returned to Netflix - is there an alternative available - do customers really have a choice?
As an owner that advertises one vacation property on homeaway and vrbo, and manages all aspects of the rental process independently, I am distressed with the systemic changes that are, in my opinion, making my property unattractive to prospective guests.
I'm waiting to learn how the changes in progress will work and how someone who uses the site for advertising will be able to function.without having to participate in and purchase services they do not wish to have.
And the quesiton becomes - is there an alternative available and will customers (owners) have a choice?
The likely answer: no.
I too, will consider dropping my membership with VRBO. I ALWAYS do an internet search on the inquiry name and email address and telephone number. I just did this last nite, and have "round filed" the inquiry due to the telephone being in the pacific ocean and the email address associated with nefarious activities.
This is so not acceptable. Please do not implement.
This is getting ridiculous with VRBO...if we have to sign into our dashboard, then let's fix the sign in process. I just had a cancelation and need to sign in to delete the reservation and I can't even do that. So now I have next weekend available but I can't delete the reservation to show its available. VRBO has been having a lot of sign in issues and then when you do finally get logged in, it takes forever to enter a new reservation in. It either locks up or it won't enter in the correct information.since VRBO has increased its yr rates, it seems they have had more issues and you can't just log in, enter in your reservation and then you're out. I've heard a lot of good things about flip key and I see a lot of my neighbours listing their rentals there and it's a heck of a lot cheaper. With the economy so bad these days, I need to watch every Penney!
We too use FlipKey/TripAdvisor and like it a lot. It even has a Reservation Manager system with credit card processing from VRP, same as HomeAway/VRBO. And they don't have multi-level pricing. Everyone pays the same, and sort order is by number and rating of reviews for the most part.
That being said, I have never had any issues logging in with HomeAway/VRBO, although I usually stick to HomeAway for making reservations. Also Kathy, are you sure after you canceled the reservation and it showed as "canceled" in your Dashboard, that it still showed as booked in the guest view on the site? If you pull up your listing via the direct link like any traveler would, does it show as booked or available?
Just another thought - since VRBO technical support is only available from 7am to 7pm central time, what do we do if we received notification that we have an inquiry waiting for us but we can't log into VRBO for some reason to see it and it is after 7pm central time? Wait until 7am central time to follow up on an inquiry?
As a traveller who actually lost money to a phisher, I read this news about Homeaway's new secure communication system with relief (and quite a bit of anger that it has taken so long).
Reading through your messages, I can understand how this adds an additional burden when responding to inquiries. If you are posting on this thread, you are probably among the few homeowners who would not fall for a phishing email. Unfortunately, your fellow homeowners are not-so-savvy. These phishing scams work by two different means - by getting a homeowner to login to their Homeaway account on a fake login screen, or by sending an email with a link to a page telling the homeowner that their yahoo or gmail session has expired, prompting the user to reenter his or her email login credentials. The crooks block inquiries coming to your email account, either by diverting the emails directly through the Homeaway site or by putting in filters in your email account to filter out any inquiries from Homeaway.
You should be aware that when a homeowner falls victim to phishing, and travellers lose money, Homeaway's first course of action is to wash their hands of the matter and tell travellers to seek restitution from homeowners (even if that means small claims court). I am in contact with several other victims, and all have had the same experience. Homeaway sends out a form email disclaiming liability. If you call, they ignore you, take days to respond, promise phone calls back and never call. While their legal liability is an open question, I can tell you that the system as it stands is, unquestionably, a customer service nightmare. Homeaway estimates $1 Million of transactions affected by phishing for 2012, but that's doesn't count the $1M of lost income for homeowners, or the additional money homeowners lose when they are pressured to compensate the victims. Here is a telling excerpt from an article I'm sure most of you have seen:
"... because HomeAway is the world's largest online marketplace for the vacation rental industry, it can dictate the terms of compensation and compel them to quietly accept them... One rental management company representative told me that her company spent thousands of dollars compensating customers who lost $2,000 to $2,500 apiece in five separate phishing incidents last November. It had no choice: More than half of its business comes from HomeAway, which was threatening to pull the management company's listings if it didn't compensate the defrauded customers. HomeAway says it wasn't involved in any settlement matching that description and that at any rate, the rental management company's interpretation of its view is distorted." http://articles.chicagotribune.com/2012-04-03/travel/sns-201204031630--tms--traveltrctntt-b20120403apr03_1_homeaway-phishing-rental-owners/2
When I tell people I know about how this scam works, they are astounded. Nobody wants to use Homeaway! Even WITH the knowledge that they should never wire money, people just don't want to use that form knowing that some crook is going to learn when they are going to be on vacation. If people are going to use any kind of electronic communication, they need to feel that they are communicating with a legitimate homeowner or rental company.
Yes, email is easy. It is also extremely vulnerable. It was never a safe way to communicate with renters, and the platform should never have been designed with this vulnerability in place. Just like people got used to riding in cars without seatbelts, you have gotten used to using email for business transactions that are highly vulnerable to cybercrime, and that has to change.
Wow, very interesting article Jen! I once had one of my e-mail accounts hacked (not the one used for vacation rental business though) and they set my settings to forward all the mail from the server to their e-mail address and delete it from the server so that I never got it. It was only after some time that I realized I was not getting mail from one of my addresses regularly that I discovered this.
I would like an opinion however that if no traveler ever wired money to a homeowner or property manager ever again, would their still be a risk? If say they took a check they would be revealing their identity (or a paper trail to it) and if they used a service like PayPal, VRP or some other credit card processor would that processor be responsible or at least likely to reverse the charge and refund the money, and would that also provide a trail to the perpetrator??
Sorry to hear about your loss! What I don’t understand is why you are relieved about this new secure communication system that is being proposed.
First, we haven’t even seen anything from HomeAway to tell us what they are planning to do. All we have seen is speculation of what they might do and what homeowners do or do not like about this speculation. Second, based on your explanation of the two different means phishing scams work, the proposed solution will not be any more secure. How would it stop people from still signing in to their HomeWay account with a fake login screen? How would it stop people from responding to fake emails telling them to reenter their email login credentials?
Last, with the proposed change do you think HomeAway will take on any additional responsibility for fraud? My guess is that if you read the small print, they will protect themselves! I’m not saying that nothing should be done. I’m just not sure that we understand their real intentions and if the changes they make will be any more secure. I’m not convinced that the additional steps will make us any more secure and I know it will delay my response to my guests.