pcakes122

15 minutes ago, Wayward Son said:

 

I absolutely agree with this, and the rest of your post, right up to the point where they (or others) start trying to shift the blame -- "XYZ cruise company should have protected these people!!".

 

That's when my grace is lost.

 

My (very firm 🙂) position is that any company that takes my $$ has a responsibility to protect me (and that money.)

2 hours ago, Panhandle Couple said:

As I said, a hacker can take control of a computer and use it remotely.

They can also use a program that randomizes the internet router that actually transfers the data with the target web site, while hiding the original source.

The hacker could really be anywhere in the world.  Many places in the world despise the US, so simply canceling anyone's vacation (and lets be clear, this could also have happened with airline tickets or hotel reservations if those reservations were placed on FB) gives them a quick thrill.

Sadly, this is true. But even sadder (IMO) is when this happens to unsuspecting, trusting people who aren't 'watching out for the bad guy' with every action they take and the general reaction is "Serves you right!  Your fault!  You're stupid!"  It's like a double-whammy. 

Perhaps that's why I tend to give folks a little grace. I've done plenty of 'stupid' things in my day.

And you're right. In today's world we need to proceed expecting and guarding against the worst at all times.

Just now, DorothyB said:

I have a VPN and know that I can be shown as "in" different countries.  I wonder if that could be the case here?

Could be!

4 hours ago, Panhandle Couple said:

You know there are internet programs that randomly choose numbers for wifi calling, right?

They can also punch in the number they want to display to the person answering.

This whole affair is like hacking 101 level.

None of this happened on the phone. It was all online.

7 hours ago, schmoopie17 said:

But anyone who knows her and was impersonating her would know those, just in case they were asked.

Carnival was able to ascertain that the fake online account was created on a computer in British Columbia. The passengers say they don't know anyone there, so they are still stumped as to who might have done this and why.

4 minutes ago, ChiefMateJRK said:

No.  I'm not.  Do all the CAS agents know you by your voice?  How often do you speak with them?  That seems bizarre.

You usually work with one agent, so you develop ongoing relationships with your rep over the years, but occasionally could speak with another if your agent is out of the office.  The Miami CAS team has downsized - there used to be about 10 agents, now there's only a few left (maybe 5-ish?) I knew and worked with them all at one time or another. I cruise 6-8 times a year, so I talk to them pretty frequently to book, change reservations, find out about new offers, reschedule, etc. (There is now an Arizona call center that started out handling cruise certificates that are handed out at land casinos which handles Miami overflow - but I just deal with my regular rep who has been booking my comps for years.)  Even though he knows me, he still has to make me go through the ID stuff (I guess for the recording?)

2 minutes ago, ChiefMateJRK said:

Really?  They all know you?  Are you calling some special number?

I'm going to have to assume from your question that you are not familiar with CAS.

2 minutes ago, Two Wheels Only said:

 

Obviously, she posted enough. 

 

 

People have to now be warned to not post their booking number and email address?

What's next? People need to be warned to not put ammunition in their luggage?

 

 

Once people start to broadcast the information needed for dual authentication, triple authentication will be needed. 

 

 

It's possible, but unlikely. I doubt that Carnival would be willing to inform anyone of how quickly after the cancellation the upgrade was made. It might require a bit more digging for information....

Again, let's just agree to disagree on this one. Have a nice evening!

6 minutes ago, Two Wheels Only said:

 

If you posted ALL of that information on social media and someone cancelled your cruise, would it be NCL's fault?

 

If the cruise line requires 5 things to verify identity and someone posts 8 things about themself which includes the 5 things that the cruise line asks, it's not the cruise line's fault that the information is out there. 

 

Look at post  #3 in this thread. Chase and HSBC did nothing wrong.

"bae" messed up several times. 

The example in post #3 is an internet joke that has been around a while. 😂

And the Carnival cruiser did not post ALL of that info online. Again, we need to agree to disagree here. NCL does not make it easy for people to cancel other people's cruises, because they require you to call in and at least provide some identifying information. (Just the fact you have to call would deter some scammers.) Carnival makes it much easier to cancel other people's cruises because no phone call is required and no identification is verified.

If you think Carnival has safe online practices, great. I don't. I'm also happy that this cruiser posted about it so that people are aware and forewarned.

I used to be annoyed by dual authentication which is on about 80% of the websites I need to visit. Not anymore.

I also hope the person that did this to those cruisers is getting whatever they hoped to get out of their actions by seeing how this all played out (as others have suggested here and elsewhere online, just might have been the people that actually wound up sailing in that presidential suite.)

1 minute ago, ChiefMateJRK said:

Yes, I get that.  I'm asking what other information they should ask for.

Well, I've cancelled quite a few NCL cruises (but always with CAS.)  Most of the agents I speak to have known me for years but still they ask my full name, address (including zip code) and DOB. I've even been asked for the last 4 digits of my CC to confirm where the refund will issued.  They have ALWAYS also asked WHY I am cancelling (and I certainly imagine they would if I was cancelling a $15K cruise 48 hours before sailing.)

10 minutes ago, ChiefMateJRK said:

How would you propose that they verify that the person on the phone is in fact the person holding the reservation?

My question to you is... if somebody called NCL with your booking number to cancel one of your fully-paid reservations, would you be good with NCL immediately processing the cancellation with no further questions or confirmation?

I would absolutely expect NCL to ask for more information than just the booking number.

5 minutes ago, Two Wheels Only said:

 

Either way, continuing to ask questions got to the actual and correct information. 

 

 

This "hurt" was created by the woman who posted the information. She made a mistake since she probably didn't intentionally share the information that was used to hurt her. 

 

 

I understand your point but when people share information that only they would know, it becomes more difficult to decipher if the person on the other end of the computer is the actual person or someone else. If Carnival added 3 security questions but the person shared the answers to those 3 questions, it isn't Carnival's fault if an imposter accesses the account. 

 

 

You can.

Login - Account - Membership - Cancel Membership

 

 

Carnival didn't share her information.....She shared her information.

 

Lol. I'm still not going do business with Carnival, but you go ahead. (Full disclosure - I used to work for them, so I'm familiar with many other areas in which they are lacking lol.)

11 minutes ago, Two Wheels Only said:

It went from "...I clicked the Share Countdown button on the email from Carnival..." (which would NOT reveal anyone's booking number) to "...I shared the screenshot..." which had the booking number and (it seems) also had the email address. 

 

If simply clicking the button caused all of this to happen, it would have been Carnival's fault.

First, the passenger didn't change their story about what was shared. I was the one that misunderstood originally, so that's on me.

Finally, I do think this is also Carnival's fault. In 2024 and this digital age, online security is paramount. When I do business with a company, I have a right to reasonably expect that they don't make it easy for people to hurt me.

Carnival should not allow people who are not verified as the booking owner to cancel bookings or do anything that would have a financial impact on their customers. Just having a booking number or even the passenger's email address should not be enough to cancel somebody's cruise, and cause them to lose $15K. Heck, I can't even cancel Netflix online. My phone company won't talk to me about my account unless they send me a text to my mobile number and I click OK. And that's just to have a conversation with me.

Everyone does have a responsibility to guard their personal information, but businesses ALSO have a responsibility to guard our personal information. And when they don't, they should take accountability.

36 minutes ago, Two Wheels Only said:

According to Good Morning America, "...that screenshot included her email address and confirmation number...".

 

That's where I got the idea that her email address was given. 

 

Again, there is conflicting information. 

Something doesn't make sense about that. The bad actor didn't use the real email address for anything because  1) If they attempted to set up an online account with that email address, Carnival's system SHOULD have responded "Already an account with that email."  2) Even if somehow they WERE able to use the real email address, the real owner would then have received some type of email notification that the booking was cancelled (which they did not - they only received an email that an EXCURSION was cancelled which was done automatically by Carnival when the booking was cancelled.)

Whether or not the email was shown (not sure GMA got that right - I didn't see it on the screenshot the person shared), I don't see how it would have helped the person doing the scamming.

1 minute ago, julig22 said:

How is it a security gap if the person calling has all the information necessary? What do you expect Carnival - or any other agency - to do to verify? It's not like whoever called is going to be able to benefit financially - since any refunds go to the original form of payment.

No one called to cancel this person's reservation. Someone in British Columbia (per Carnival) created an online account and added this party's booking number to their account.  Then two weeks later (48 hours before sailing) they cancelled the booking online (never spoke to anyone at Carnival.)

The security gap is that anyone can set up an online account and add someone else's booking number AND cancel it, without Carnival ever verifying that the person owning the account is the same person who owns the booking (and paid the $15K.)

Can't explain why someone would do that, but my point is that it shouldn't be that easy.

3 minutes ago, Two Wheels Only said:

It wasn't just the email from Carnival. In addition to posting her booking number, she also posted her own email and her name.

Actually, she didn't. She shared the screenshot of what was posted on social media (and TV interviews.) It was on her husband's FB account. He posted a pic of the ship and commented "16 days."  She replied to his post with a screenshot of the countdown email and said "No, 15 days!" They didn't even post anything about having the presidential suite (others have suggested they posted this on FB to brag that they had a fancy cabin.)

The person had her name because of her FB profile.  They did not have her email address (Carnival wouldn't allow two accounts with the same email - the real party and the fake account.)  They used a random fake email.  They did not have her DOB or anything other info.

Perhaps it's true Carnival did not HAVE to help them, but I still think it would have been the right thing to do (and more importantly, FIX the security gap.)

18 minutes ago, schmoopie17 said:

Anyway, my question was legitimate, since I didn't know if I was missing something, with the title seemingly not matching the content. Cut me some slack...

Just FYI, you can see that someone is new just by clicking on their username.  Helen just joined three hours ago.

Welcome, Helen! 🤗

25 minutes ago, Two Wheels Only said:

Something doesn't add up. If all that she did was "hit the button" from Carnival's email, nobody else would have seen her booking number. 

It has since been shared that she posted a screenshot of the email. I guess I'm just surprised (shouldn't be these days lol) of the amount of people who are so quick to blame this woman/family and not 1) Carnival's lack of secure policies and 2) a random demented person who got joy (?) out of doing this to another person. She shouldn't have posted a screenshot, but I just don't see her as the villain here.

I still can't understand why - since this was all discovered 48 hours PRIOR to sailing and Carnival KNEW it was cancelled in error - Carnival wouldn't let them sail.

Either the cabin sailed empty and Carnival got paid once, or they sold it again and they got paid twice. If the latter, how Carnival gets rewarded in this is beyond me.

1 hour ago, Two Wheels Only said:

What percentage of first-time cruisers give out their booking number to the public? Even if this was her first cruise, I doubt that the public would see the situation much differently.

We'll have to agree to disagree on this one. I definitely don't think Carnival should allow such easy access to others' bookings - even if you happen to know their booking number. No other cruise line does that. Also, this passenger didn't intend to share their booking number - as mentioned earlier she hit a "Share Countdown" button on an email she received from Carnival. It's clear listening to the passenger's story that she didn't even realize the booking # was shown.

Can't tell you the number of times (even on the CC forum) that people have unknowingly and accidentally posted a photo or screenshot that includes a license plate or papers on table that include personal info. It happens. Nobody should lose $15K over that, in my opinion.

This family was naturally upset, but they quickly pivoted and drove to Orlando and spent their week vacation at Disney & area parks. They were not looking for a freebie. It was their friends that encouraged them to make their first post sharing the situation, and MANY, MANY commenters urged them to pursue this with Carnival (or a lawyer.) If they were just trying to get a free cruise, they would have accepted Carnival's $10K FCC offer (they did not because 1) they never want to cruise with Carnival - can't blame them; and 2) the offer came with the stipulation that they needed to make positive statements about Carnival on social media - and they didn't want to be bought.)

Oh and PS - they DID have travel insurance and since they were victims of identify theft (documented by Carnival), they should be fine financially. (In either case, doesn't seem like they are hurting for money anyway 😉.)

So, naive as I may be, I do believe they are just trying to raise awareness of this risk and encourage Carnival to secure their systems.

6 minutes ago, Two Wheels Only said:

The onus is on the guest to not broadcast their cruise details. Once the information is put out there, others can use that information for nefarious purposes.

I don't know that it's intuitive to protect a booking number like it's your social security number - especially to inexperienced cruisers.

I'm disabled and rent various types of equipment from different vendors for my cruises. I have to give ALL of them my booking number - just did that twice this am in fact.

Luckily, I'm not sailing Carnival so I don't have to worry, but if I was I would not have known the risk I was taking.

1 minute ago, Two Wheels Only said:

 

There's a good reason why Carnival shouldn't return her money and only offer FCC.

 

Step 1. Book a standard balcony.

 

Step 2. Have my best friend book the best/largest suite on the ship for $10K.

 

Step 3. Have "someone" hack my friend's account and cancel his suite a few days before the cruise.

 

Step 4. Swoop in and get an upgrade from my balcony to the suite for a total (balcony plus upgrade) that is less than $10K.

 

Step 5. My best friend gets a full $10K refund.

 

If allowed, think of how many people would do it.

I think you just made a excellent case as to why Carnival should not allow "just someone" the ability to create fake accounts and cancel other peoples' bookings. 😆

The policy is terrible and actually pretty scary. No one should have that kind of easy access to someone else's money.

2 hours ago, Panhandle Couple said:

Because a hacker can get into your computer once they find your ISP number. FB Messenger is extremely vulnerable and the hackers probably tracked any messages on their account.

Once they get access to your computer, they can run programs in the background and use your ISP as the portal.

The Carnival computer system matched the ISP to the active account, and thought it was communicating with the correct person. Very easy if you stay logged into the Carnival web site and don't turn your computer off.

 

Unfortunately, I don't think Carnival's system is that sophisticated. For anyone interested in more info about this, the passenger will be on Good Morning America tomorrow at 7:30 AM ET.  In her latest video she said that she has no hope that Carnival is going to reimburse her, but she is raising awareness of this policy to prevent this happening to someone else (it seems since this happened others have come forward to say something similar happened to them.)

5 hours ago, craig01020 said:

You can cancel a cruise online with only the booking number, but first you need to log in to your online account. Not sure how one would cancel with only the booking number without logging in. 🤔

The scammer created an online account using the passenger's name from FB (diifferent email address.) They then added the booking number and cancelled the cruise.

Not really sure. They never even got an email from Carnival that their cruise was cancelled. They would have found out at the pier except they DID receive an email that an excursion was cancelled which is what prompted them to call Carnival. It was then that they were informed that their cruise was cancelled (and that it had been cancelled online.) Further research led to what was shared in the news article. Someone in British Columbia set up a fake Carnival account and added their booking number to the fake account, and then cancelled the cruise 48 hours before sailing.  No email or notification of the cancellation was sent from Carnival to the actual passengers (who had paid $15K.)

They did attempt to board since they had already flown to Florida and had all their documentation that they had paid in full, but were denied boarding and referred to shoreside customer service.

Since this was discovered PRIOR to sailing - and Carnival KNEW and had acknowledged that this was not cancelled by the actual passengers - why not let them sail? (and if Carnival was able to upgrade someone else into that cabin, why not just give the original passengers a refund?) They were not offered ANY actual money back - just a partial FCC (which they did not accept because it came with a stipulation that they post on social media that Carnival offered them a positive resolution.) 

The Carnival countdown email the person received had a big SHARE COUNTDOWN button on it (which is what they clicked to post to FB.) I don't know how this hasn't happened to more people if Carnival is including the confirmation # in what is shared when you hit the button they provide.

I might feel differently if the people involved wrote a FB post of their own to talk about their trip and either added or included a screenshot of their booking - but that's not what happened here (according to the folks impacted.)