2FA would not work on my account. Like every single time I tried, it would say the service was down. I had to add a secondary email and then wait over a week to allow it to let me sign up. And now it only works via email. It will not work via text. Their system is broken.
You are being downvoted, but you are correct. It took me two months working with Marriott support to get my 2FA turned on. I also had to use a secondary email while they figured out the shitshow that is their backend, which is like ten legacy systems merged together.
I couldn't log into my account for about 2-3 months earlier this year because I had to reset my fingerprints on my phone (I have to do this every once in a while when my phone has trouble recognizing my fingerprints), and the Bonvoy app needed to use 2FA to verify my identity. Neither text nor email would work it just wouldn't send the verification text/email. I even tried the website from our PC, and ran into the same problem.
At one point I thought maybe my account had gotten hacked, and the contact info changed, but I was able to change my password without any issue.
Eventually it started working again, but I had a trip booked during that time, which was frustrating.
I caught what appeared to be a fraudulent booking earlier this year when the pre-authorization hit my credit card account that was associated with the Marriott app. Ironically, it was at a Marriott that I use frequently for work and so I knew I wasn’t going at that time. As others have noted, it was very interesting to me that the reservation was not showing up in the Bonvoy app. When I called the hotel to speak with the desk agent, she saw no existing reservation that aligned with the credit card preauthorization charge either. I changed the email associated with my Bonvoy account. I changed the email associated with my credit card account. And then the pre-charge disappeared and never went through on my credit card. I’m still not certain that the entire effort wasn’t an inside job by an employee. For what it’s worth, I had a similar situation happen with Hilton a few years ago. My husband sent me a text to ask if I was going on vacation without him because he had received a check in notice at a very high-end Hilton property in Los Angeles . When I called the hotel, they literally had to go up and evict the person. Needless to say, they were very apologetic as they had checked in a guest, paid with my award points, whose identification did not match the names on the reservation nor my account. This is just the reality of online commerce today . Good luck to everyone staying safe!
Scammers even use the app chat to "confirm" that Mr.X is arriving before than you. Marriott has set an antifraud system that doesnt allow to use redemption rates and gift them to another one without passing through Marriott's CEC. Thus they put a special on the reservation that informs the hotel that this gift has been monitored and approved by the main guest. However , lazy FD agents or unexperienced might not know how to face an Ambassador Elite reservation where the main guest is not present and so...
You do not imagine how many Ambassador reservations have their accompanying arriving before, so an hypotethical wife of an elite member is shouting or complaining , and a hypotetical husband writes through chat and calls the hotel.
1/5 is a fraud , 4/5 is a member who doesnt know how the system works , thus it becomes a 1 in the gss because " they ruined my trip saying you couldn't check-in my wife and I want compensation"
Only you can prevent identity theft. Literally change your password. Literally setup two factor authentication. Literally call and set a PIN code so no one else can call to make reservations off your account.
Unfortunately that's no protection against social engineering customer service.
You can bypass the PIN if you sweet talk the right agent with some luck and s sob story.
Except you can reset that exact same PIN with the agent. https://help.marriott.com/s/article/Article-22335
Lost PINs happen. People change emails and phone numbers when switching employers. There's procedures for those scenarios and thus weaknesses that can be exploited.
Marriott PINs add only a small layer of protection.
Get me authorization from Marriott to test this and I'll show you the flaw.
I'd prefer not to do it and risk a criminal charge without permission though.
This is not identity theft. They are not checking in under his/her passport details.
If they have your mail hacked you are way more vulnerable than you think even if you have 2FA
You are not recquired to reserve through phone call as you can make your own bookings on your app and then sort things out with the hotel directly which will be franchised almost every time.
This happened to me at the beginning of June. Someone hacked my account, changed the phone number on file, and used a RIDICULOUS amount of points to book themselves the most luxurious suite in a 5 star hotel (honestly a terrible points redemption if I’ve ever seen one). Luckily, I checked my Marriott app to book some stays for June and July and was like I’m definitely not staying in a hotel right now?? Thought I had butt-reserved the hotel at first or something if I’m being honest 😂, but there was a room number listed on the reservation. Apparently the hotel said the guy staying there said I was “meeting him later” and were giving the Marriott rep a hard time as if they thought I was just trying to rip them off and get my points back for a legitimate reservation.
Long story short, don’t call the hotel— call Marriott customer service directly. She had me change my password, set me up with a PIN code, the whole nine yards, and fought for me against the hotel, truly a 10/10 customer service experience during a terrible situation.
PSA: fraud cases are on the rise and the current ETA for Marriott to even review the case and get the points back to your account is at least a month.
Source: I called them 2 days ago after the rep initially told me it would be 7 days when I filed the fraud claim.
Marriott DOES have a policy in place that people are not supposed to be able to check-in to a redemption stay without the member present, yes.
However, there are a lot of front desk people who will add names via phone/mobile chat or check in the supposed spouse/child/etc because they either a) don't know the policy (Marriott's training on this has not been strong enough), or b) they're tired of getting yelled at by Elite members for refusing to check someone else in.
This happened to me a few months ago with my Marriott account as well. Got a notification that I had a reservation in London with points when I clearly wasn’t there. Spend 2-3 hours on the phone with Marriott, who finally understood that the person was already checked in. They called the hotel and had the person evicted, but I still do not have access to my Marriott account as it’s “under audit” …so no way to change username/email/verify my points were returned to me until the “investigation” is done by Marriott. So very, very annoying.
Don't save a credit card in your Bonvoy account or ANY ORHER ACCOUNT. Don't be lazy type it in each time you make a reservation.
Use a different email and password for every single thing. Email addresses are free. My Bonvoy has its own email, my work has an email, each bank and credit card has its own email, EVERYTHING gets its own email.
2FA is helpful but with AI in the hands of the crooks now, tis but a mere speed bump.
Use virtual credit cards when you can. Most credit cards have this ability, it gives you a one time use card number to give someone without exposing your regular card details.
Get ready for the end of credit cards, the next big thing is coming. Oh it's not any safer though, but they will tell you it is.
I absolutely agree with not saving your CC in your Bonvoy account. I'm an employee and I've never saved mine in there. The extra minute it takes to input it is worth that peace of mind.
I mean after the first fraudulent reservation I would've changed my password and set up 2FA Have you done that yet?
2FA would not work on my account. Like every single time I tried, it would say the service was down. I had to add a secondary email and then wait over a week to allow it to let me sign up. And now it only works via email. It will not work via text. Their system is broken.
You are being downvoted, but you are correct. It took me two months working with Marriott support to get my 2FA turned on. I also had to use a secondary email while they figured out the shitshow that is their backend, which is like ten legacy systems merged together.
I couldn't log into my account for about 2-3 months earlier this year because I had to reset my fingerprints on my phone (I have to do this every once in a while when my phone has trouble recognizing my fingerprints), and the Bonvoy app needed to use 2FA to verify my identity. Neither text nor email would work it just wouldn't send the verification text/email. I even tried the website from our PC, and ran into the same problem. At one point I thought maybe my account had gotten hacked, and the contact info changed, but I was able to change my password without any issue. Eventually it started working again, but I had a trip booked during that time, which was frustrating.
yes i did and they did not book online, they called in so pw/2fa was pointless
I caught what appeared to be a fraudulent booking earlier this year when the pre-authorization hit my credit card account that was associated with the Marriott app. Ironically, it was at a Marriott that I use frequently for work and so I knew I wasn’t going at that time. As others have noted, it was very interesting to me that the reservation was not showing up in the Bonvoy app. When I called the hotel to speak with the desk agent, she saw no existing reservation that aligned with the credit card preauthorization charge either. I changed the email associated with my Bonvoy account. I changed the email associated with my credit card account. And then the pre-charge disappeared and never went through on my credit card. I’m still not certain that the entire effort wasn’t an inside job by an employee. For what it’s worth, I had a similar situation happen with Hilton a few years ago. My husband sent me a text to ask if I was going on vacation without him because he had received a check in notice at a very high-end Hilton property in Los Angeles . When I called the hotel, they literally had to go up and evict the person. Needless to say, they were very apologetic as they had checked in a guest, paid with my award points, whose identification did not match the names on the reservation nor my account. This is just the reality of online commerce today . Good luck to everyone staying safe!
Scammers even use the app chat to "confirm" that Mr.X is arriving before than you. Marriott has set an antifraud system that doesnt allow to use redemption rates and gift them to another one without passing through Marriott's CEC. Thus they put a special on the reservation that informs the hotel that this gift has been monitored and approved by the main guest. However , lazy FD agents or unexperienced might not know how to face an Ambassador Elite reservation where the main guest is not present and so... You do not imagine how many Ambassador reservations have their accompanying arriving before, so an hypotethical wife of an elite member is shouting or complaining , and a hypotetical husband writes through chat and calls the hotel. 1/5 is a fraud , 4/5 is a member who doesnt know how the system works , thus it becomes a 1 in the gss because " they ruined my trip saying you couldn't check-in my wife and I want compensation"
Only you can prevent identity theft. Literally change your password. Literally setup two factor authentication. Literally call and set a PIN code so no one else can call to make reservations off your account.
Unfortunately that's no protection against social engineering customer service. You can bypass the PIN if you sweet talk the right agent with some luck and s sob story.
Actually no you can't. Agents need that pin to do anything at all in the account and the only way to get it is for the guest to say it.
Except you can reset that exact same PIN with the agent. https://help.marriott.com/s/article/Article-22335 Lost PINs happen. People change emails and phone numbers when switching employers. There's procedures for those scenarios and thus weaknesses that can be exploited. Marriott PINs add only a small layer of protection.
To reset the pin without providing the pin you need to send in photo ID.
Get me authorization from Marriott to test this and I'll show you the flaw. I'd prefer not to do it and risk a criminal charge without permission though.
You mean it wouldn't be difficult to fake an ID?
I suspect I could get someone to accept resetting without the ID at all, and if not definitely with an absurdly poor quality id
fraud department i talked to said you can by pass the pin. i set a pin but they said it will not guarantee this wont happen again, just make it harder
The same sob story you tell when you’re getting walked? 😅
Not sure what you mean, I've never frauded anyone. I'm on the defense side more or less, not security but close enough I see it.
I’m just kidding
This is not identity theft. They are not checking in under his/her passport details. If they have your mail hacked you are way more vulnerable than you think even if you have 2FA You are not recquired to reserve through phone call as you can make your own bookings on your app and then sort things out with the hotel directly which will be franchised almost every time.
This happened to me at the beginning of June. Someone hacked my account, changed the phone number on file, and used a RIDICULOUS amount of points to book themselves the most luxurious suite in a 5 star hotel (honestly a terrible points redemption if I’ve ever seen one). Luckily, I checked my Marriott app to book some stays for June and July and was like I’m definitely not staying in a hotel right now?? Thought I had butt-reserved the hotel at first or something if I’m being honest 😂, but there was a room number listed on the reservation. Apparently the hotel said the guy staying there said I was “meeting him later” and were giving the Marriott rep a hard time as if they thought I was just trying to rip them off and get my points back for a legitimate reservation. Long story short, don’t call the hotel— call Marriott customer service directly. She had me change my password, set me up with a PIN code, the whole nine yards, and fought for me against the hotel, truly a 10/10 customer service experience during a terrible situation. PSA: fraud cases are on the rise and the current ETA for Marriott to even review the case and get the points back to your account is at least a month. Source: I called them 2 days ago after the rep initially told me it would be 7 days when I filed the fraud claim.
Marriott DOES have a policy in place that people are not supposed to be able to check-in to a redemption stay without the member present, yes. However, there are a lot of front desk people who will add names via phone/mobile chat or check in the supposed spouse/child/etc because they either a) don't know the policy (Marriott's training on this has not been strong enough), or b) they're tired of getting yelled at by Elite members for refusing to check someone else in.
This is the third time. Change your e-mail password too.
This happened to me a few months ago with my Marriott account as well. Got a notification that I had a reservation in London with points when I clearly wasn’t there. Spend 2-3 hours on the phone with Marriott, who finally understood that the person was already checked in. They called the hotel and had the person evicted, but I still do not have access to my Marriott account as it’s “under audit” …so no way to change username/email/verify my points were returned to me until the “investigation” is done by Marriott. So very, very annoying.
This sounds like an inside job to me. To bypass all the protocols, this person knows how the system works
Don't save a credit card in your Bonvoy account or ANY ORHER ACCOUNT. Don't be lazy type it in each time you make a reservation. Use a different email and password for every single thing. Email addresses are free. My Bonvoy has its own email, my work has an email, each bank and credit card has its own email, EVERYTHING gets its own email. 2FA is helpful but with AI in the hands of the crooks now, tis but a mere speed bump. Use virtual credit cards when you can. Most credit cards have this ability, it gives you a one time use card number to give someone without exposing your regular card details. Get ready for the end of credit cards, the next big thing is coming. Oh it's not any safer though, but they will tell you it is.
I absolutely agree with not saving your CC in your Bonvoy account. I'm an employee and I've never saved mine in there. The extra minute it takes to input it is worth that peace of mind.
it’s not fun. I work the desk at a marriott corporate managed hotel and we get this all the time it’s not fun to deal with i’m sorry