Friendly reminder - do NOT post your NCL reservation information

[mking8288]

Another reason and reminder to not join and engage those social media, private group and/or promote & use them for cruising ... M*ta has know cyber security issues and when folks willingly share just about everything without safeguards in place, you leave the doors open for being hacked and hijacked, and worst.  

 

And, some - of course, disagree and feel otherwise, to each her/his own.  

Edited June 3 by mking8288

[cruiseny4life]

56 minutes ago, mking8288 said:

Another reason and reminder to not join and engage those social media, private group and/or promote & use them for cruising ... M*ta has know cyber security issues and when folks willingly share just about everything without safeguards in place, you leave the doors open for being hacked and hijacked, and worst.  

 

And, some - of course, disagree and feel otherwise, to each her/his own.  

To each their own, for sure. I'm all for those groups - I've gained a lot of information from them, met some cool people (just like from here), and honestly I do find way more value from them than Cruise Critic roll calls. I also always find myself having to cross post which is annoying given the limited value here. The NCL board, however, is invaluable here compared to any of the groups I'm in at that other place. 

 

As for the security aspect, well we always have someone at our home when we're gone. I know that's a perk many don't have as it's costly. Even my mom requires payment for staying at my place...might have to do with dealing with four dogs and a cat. 🐶🐈

[pcakes122]

5 hours ago, craig01020 said:

You can cancel a cruise online with only the booking number, but first you need to log in to your online account. Not sure how one would cancel with only the booking number without logging in. 🤔

The scammer created an online account using the passenger's name from FB (diifferent email address.) They then added the booking number and cancelled the cruise.

[ChiefMateJRK]

6 hours ago, DCGuy64 said:

We live in a safe neighborhood and our neighbors always know when we're out of town, plus we have a house sitter. I think some people are overly paranoid about mentioning when they're traveling, but that's just me.

It could also be that everybody doesn't live in a safe neighborhood with neighbors who always know that they are out of town.

[ChiefMateJRK]

6 hours ago, cruiseny4life said:

Can I cancel a NCL online?

No.

[schmoopie17]

20 minutes ago, ChiefMateJRK said:

It could also be that everybody doesn't live in a safe neighborhood with neighbors who always know that they are out of town. 

We live in a very, very bad neighborhood. Gunfights and carjackings on an hourly basis. Drug deals going down every minute. Squatters everywhere you look. Mrs. Schmoopie wants to move, but I kinda dig the vibe.

 

Speaking of bad, is it a bad idea to leave our doors unlocked and post a sign in the front yard when we're on a cruise that says, "We're out of town"? I also put up posters on all the trees and telephone polls listing our reservation number for our next cruise. I think it's fine, but Mrs. Schmoopie thinks it's not too wise. I think she needs to loosen up.

[d9704011]

3 minutes ago, schmoopie17 said:

I think she needs to loosen up.

You ought to be able to get something for that nearby.

[Panhandle Couple]

On 6/2/2024 at 8:57 PM, pcakes122 said:

I've been following this person's saga on TikTok. A few details she has shared that weren't mentioned in the article. First, what she posted to FB was a "cruise countdown" email that she received from Carnival encouraging folks to share on social media (these folks are not frequent cruisers and were excited, so they didn't know better.)  Next, her issue is WHY did Carnival allow someone who was not verified and did not have the same address, email or other identifying/contact info to add her booking number to their online "account" - especially when you can cancel bookings online. (I haven't cruised Carnival since before the internet (lol), but I can't cancel my NCL, Princess, MSC or Royal bookings online.)  I would think if the Carnival system allows that type of access/control, they SHOULD be validating/verifying who is managing the bookings.

 

Heck, NCL makes me verify my booking, sail date AND DOB before even speaking to me live about one of my bookings.

 

So, I do think Carnival has some culpability here.

Because a hacker can get into your computer once they find your ISP number. FB Messenger is extremely vulnerable and the hackers probably tracked any messages on their account.

Once they get access to your computer, they can run programs in the background and use your ISP as the portal.

The Carnival computer system matched the ISP to the active account, and thought it was communicating with the correct person. Very easy if you stay logged into the Carnival web site and don't turn your computer off.

 

[pcakes122]

2 hours ago, Panhandle Couple said:

Because a hacker can get into your computer once they find your ISP number. FB Messenger is extremely vulnerable and the hackers probably tracked any messages on their account.

Once they get access to your computer, they can run programs in the background and use your ISP as the portal.

The Carnival computer system matched the ISP to the active account, and thought it was communicating with the correct person. Very easy if you stay logged into the Carnival web site and don't turn your computer off.

 

Unfortunately, I don't think Carnival's system is that sophisticated. For anyone interested in more info about this, the passenger will be on Good Morning America tomorrow at 7:30 AM ET.  In her latest video she said that she has no hope that Carnival is going to reimburse her, but she is raising awareness of this policy to prevent this happening to someone else (it seems since this happened others have come forward to say something similar happened to them.)

[dolls123]

23 hours ago, cruiseny4life said:

To each their own, for sure. I'm all for those groups - I've gained a lot of information from them, met some cool people (just like from here), and honestly I do find way more value from them than Cruise Critic roll calls. I also always find myself having to cross post which is annoying given the limited value here. The NCL board, however, is invaluable here compared to any of the groups I'm in at that other place. 

 

As for the security aspect, well we always have someone at our home when we're gone. I know that's a perk many don't have as it's costly. Even my mom requires payment for staying at my place...might have to do with dealing with four dogs and a cat. 🐶🐈

When my kids house sit for us hubby tells them they are staying at a fully stocked Airbnb so they should be paying us 🤣

[Two Wheels Only]

1 hour ago, pcakes122 said:

In her latest video she said that she has no hope that Carnival is going to reimburse her....

 

There's a good reason why Carnival shouldn't return her money and only offer FCC.

 

Step 1. Book a standard balcony.

 

Step 2. Have my best friend book the best/largest suite on the ship for $10K.

 

Step 3. Have "someone" hack my friend's account and cancel his suite a few days before the cruise.

 

Step 4. Swoop in and get an upgrade from my balcony to the suite for a total (balcony plus upgrade) that is less than $10K.

 

Step 5. My best friend gets a full $10K refund.

 

If allowed, think of how many people would do it.

[pcakes122]

1 minute ago, Two Wheels Only said:

 

There's a good reason why Carnival shouldn't return her money and only offer FCC.

 

Step 1. Book a standard balcony.

 

Step 2. Have my best friend book the best/largest suite on the ship for $10K.

 

Step 3. Have "someone" hack my friend's account and cancel his suite a few days before the cruise.

 

Step 4. Swoop in and get an upgrade from my balcony to the suite for a total (balcony plus upgrade) that is less than $10K.

 

Step 5. My best friend gets a full $10K refund.

 

If allowed, think of how many people would do it.

I think you just made a excellent case as to why Carnival should not allow "just someone" the ability to create fake accounts and cancel other peoples' bookings. 😆

 

The policy is terrible and actually pretty scary. No one should have that kind of easy access to someone else's money.

[Two Wheels Only]

12 minutes ago, pcakes122 said:

I think you just made a excellent case as to why Carnival should not allow "just someone" the ability to create fake accounts and cancel other peoples' bookings. 😆

 

The policy is terrible and actually pretty scary. No one should have that kind of easy access to someone else's money.

 

The onus is on the guest to not broadcast their cruise details. Once the information is put out there, others can use that information for nefarious purposes.

 

The easy access was granted by broadcasting the information.

 

If the woman's warning is to not give out details to the world, that would be a plus.

[cruiseny4life]

1 hour ago, dolls123 said:

When my kids house sit for us hubby tells them they are staying at a fully stocked Airbnb so they should be paying us 🤣

The first time my mom asked to be compensated I was a wee bit floored...we live in a rural setting, not near any major roads, with plenty of acreage to roam....she lives in a super tiny apartment (with my grandmother) in a college town on a (for a small town) really busy road. But, alas, she's apparently happy there. And yep, we buy her groceries too!

 

31 minutes ago, pcakes122 said:

I think you just made a excellent case as to why Carnival should not allow "just someone" the ability to create fake accounts and cancel other peoples' bookings. 😆

 

The policy is terrible and actually pretty scary. No one should have that kind of easy access to someone else's money.

As for Carnival? Well, they're in the wrong. Their IT setup is obviously not secure which allowed this fiasco to happen. Should the woman have posted her deets? Nah. But in this age when "security" is supposedly a top priority, who'd have thunk a major cruise line would have so few protocols. At the very least, multi-factor authentication should be instituted when trying to change a reservation. So yep, I'd be highly ticked off if I were the lady too (and a wee bit embarrassed).

[pcakes122]

6 minutes ago, Two Wheels Only said:

The onus is on the guest to not broadcast their cruise details. Once the information is put out there, others can use that information for nefarious purposes.

I don't know that it's intuitive to protect a booking number like it's your social security number - especially to inexperienced cruisers.

 

I'm disabled and rent various types of equipment from different vendors for my cruises. I have to give ALL of them my booking number - just did that twice this am in fact.

 

Luckily, I'm not sailing Carnival so I don't have to worry, but if I was I would not have known the risk I was taking.

[Two Wheels Only]

32 minutes ago, pcakes122 said:

I'm disabled and rent various types of equipment from different vendors for my cruises. I have to give ALL of them my booking number - just did that twice this am in fact.

 

Giving the information to THEM is not the same as broadcasting it via social media. If a vendor made your information public, nobody would blame you. The blame would go to the vendor aka the one who broadcast the information. If Carnival broadcast the information, the blame would go to Carnival. In this case, the woman did the broadcasting.

 

35 minutes ago, pcakes122 said:

I don't know that it's intuitive to protect a booking number like it's your social security number - especially to inexperienced cruisers.

 

If the woman is going to use this situation to warn others, that's commendable. If she somehow sees this as Carnival's fault, that's being irresponsible.

 

What percentage of first-time cruisers give out their booking number to the public? Even if this was her first cruise, I doubt that the public would see the situation much differently.

 

[pcakes122]

1 hour ago, Two Wheels Only said:

What percentage of first-time cruisers give out their booking number to the public? Even if this was her first cruise, I doubt that the public would see the situation much differently.

We'll have to agree to disagree on this one. I definitely don't think Carnival should allow such easy access to others' bookings - even if you happen to know their booking number. No other cruise line does that. Also, this passenger didn't intend to share their booking number - as mentioned earlier she hit a "Share Countdown" button on an email she received from Carnival. It's clear listening to the passenger's story that she didn't even realize the booking # was shown.

 

Can't tell you the number of times (even on the CC forum) that people have unknowingly and accidentally posted a photo or screenshot that includes a license plate or papers on table that include personal info. It happens. Nobody should lose $15K over that, in my opinion.

 

This family was naturally upset, but they quickly pivoted and drove to Orlando and spent their week vacation at Disney & area parks. They were not looking for a freebie. It was their friends that encouraged them to make their first post sharing the situation, and MANY, MANY commenters urged them to pursue this with Carnival (or a lawyer.) If they were just trying to get a free cruise, they would have accepted Carnival's $10K FCC offer (they did not because 1) they never want to cruise with Carnival - can't blame them; and 2) the offer came with the stipulation that they needed to make positive statements about Carnival on social media - and they didn't want to be bought.)

 

Oh and PS - they DID have travel insurance and since they were victims of identify theft (documented by Carnival), they should be fine financially. (In either case, doesn't seem like they are hurting for money anyway 😉.)

 

So, naive as I may be, I do believe they are just trying to raise awareness of this risk and encourage Carnival to secure their systems.

[Two Wheels Only]

11 minutes ago, pcakes122 said:

Also, this passenger didn't intend to share their booking number - as mentioned earlier she hit a "Share Countdown" button on an email she received from Carnival. It's clear listening to the passenger's story that she didn't even realize the booking # was shown

 

On 6/2/2024 at 8:53 PM, reeinaz said:

The email has your booking number but the countdown that is shared when you click the link does not. Did they just copy and paste the email?

 

Something doesn't add up. If all that she did was "hit the button" from Carnival's email, nobody else would have seen her booking number. 

 

 

 

[pcakes122]

25 minutes ago, Two Wheels Only said:

Something doesn't add up. If all that she did was "hit the button" from Carnival's email, nobody else would have seen her booking number. 

It has since been shared that she posted a screenshot of the email. I guess I'm just surprised (shouldn't be these days lol) of the amount of people who are so quick to blame this woman/family and not 1) Carnival's lack of secure policies and 2) a random demented person who got joy (?) out of doing this to another person. She shouldn't have posted a screenshot, but I just don't see her as the villain here.

 

I still can't understand why - since this was all discovered 48 hours PRIOR to sailing and Carnival KNEW it was cancelled in error - Carnival wouldn't let them sail.

 

Either the cabin sailed empty and Carnival got paid once, or they sold it again and they got paid twice. If the latter, how Carnival gets rewarded in this is beyond me.

[Two Wheels Only]

21 hours ago, pcakes122 said:

It has since been shared that she posted a screenshot of the email.

 

It wasn't just the email from Carnival. In addition to posting her booking number, she also posted her own email and her name.

 

 

If someone calls Carnival and the conversation goes...

 

Hello, this is Carnival, can I have your name?

Jane Doe

 

And your booking number, ship, and sail date?

123456789 Carnival Sensation June 2, 2024

 

And your email address on file?

Janedoeisthebest@AOL.com

 

And your date of birth?

1/23/45

 

How can I help you?

I'd like to cancel my cruise for next week....

 

 

...it wouldn't be the fault of Carnival if the person who called got all of the answers correct. 

The person in Canada who created the fake account had all of the answers.

 

 

21 hours ago, pcakes122 said:

I guess I'm just surprised (shouldn't be these days lol) of the amount of people who are so quick to blame this woman/family and not 1) Carnival's lack of secure policies and 2) a random demented person who got joy (?) out of doing this to another person. She shouldn't have posted a screenshot, but I just don't see her as the villain here.

 

She's not the villain. The person who cancelled the cruise is the villain.

 

Carnival's security was compromised by the woman who (knowingly or unknowingly) shared the "answers" to her security "questions". Just like in post #3 in this thread, "bae" was the start of the problem, not Chase / HSBC.

 

21 hours ago, pcakes122 said:

I still can't understand why - since this was all discovered 48 hours PRIOR to sailing and Carnival KNEW it was cancelled in error - Carnival wouldn't let them sail.

 

Carnival did let them sail but the woman (rightfully) refused the 2 interior staterooms that Carnival offered.

 

21 hours ago, pcakes122 said:

Either the cabin sailed empty and Carnival got paid once, or they sold it again and they got paid twice. If the latter, how Carnival gets rewarded in this is beyond me.

 

It's likely that someone upgraded to that suite. Someone else upgraded to the now empty balcony. Someone else upgraded to the now empty Oceanview. What remained was the two interior staterooms. Should all of the people who upgraded have been moved back to their original staterooms?

[pcakes122]

3 minutes ago, Two Wheels Only said:

It wasn't just the email from Carnival. In addition to posting her booking number, she also posted her own email and her name.

Actually, she didn't. She shared the screenshot of what was posted on social media (and TV interviews.) It was on her husband's FB account. He posted a pic of the ship and commented "16 days."  She replied to his post with a screenshot of the countdown email and said "No, 15 days!" They didn't even post anything about having the presidential suite (others have suggested they posted this on FB to brag that they had a fancy cabin.)

 

The person had her name because of her FB profile.  They did not have her email address (Carnival wouldn't allow two accounts with the same email - the real party and the fake account.)  They used a random fake email.  They did not have her DOB or anything other info.

 

Perhaps it's true Carnival did not HAVE to help them, but I still think it would have been the right thing to do (and more importantly, FIX the security gap.)

[Two Wheels Only]

12 minutes ago, pcakes122 said:

They did not have her email address (Carnival wouldn't allow two accounts with the same email - the real party and the fake account.)  They used a random fake email.

 

According to Good Morning America, "...that screenshot included her email address and confirmation number...".

 

 

That's where I got the idea that her email address was given. 

 

Again, there is conflicting information. 

 

 

18 minutes ago, pcakes122 said:

Perhaps it's true Carnival did not HAVE to help them, but I still think it would have been the right thing to do (and more importantly, FIX the security gap.)

 

What could Carnival have done once the family showed up at the port if someone else had already booked that suite or upgraded to that suite? If it was still empty, sure, put the original guests back in there. If someone else has it booked,.....then what?

[julig22]

35 minutes ago, pcakes122 said:

Perhaps it's true Carnival did not HAVE to help them, but I still think it would have been the right thing to do (and more importantly, FIX the security gap.)

How is it a security gap if the person calling has all the information necessary? What do you expect Carnival - or any other agency - to do to verify? It's not like whoever called is going to be able to benefit financially - since any refunds go to the original form of payment.

 

Maybe they scammer got the information simply from what was posted in this instance, but it's also possible it came from multiple sources. It might be someone they know. It wouldn't be hard to get the required info. But what a scammer would get out of it is a mystery. Someone with a grudge?

[pcakes122]

1 minute ago, julig22 said:

How is it a security gap if the person calling has all the information necessary? What do you expect Carnival - or any other agency - to do to verify? It's not like whoever called is going to be able to benefit financially - since any refunds go to the original form of payment.

No one called to cancel this person's reservation. Someone in British Columbia (per Carnival) created an online account and added this party's booking number to their account.  Then two weeks later (48 hours before sailing) they cancelled the booking online (never spoke to anyone at Carnival.)

 

The security gap is that anyone can set up an online account and add someone else's booking number AND cancel it, without Carnival ever verifying that the person owning the account is the same person who owns the booking (and paid the $15K.)

 

Can't explain why someone would do that, but my point is that it shouldn't be that easy.

[pcakes122]

36 minutes ago, Two Wheels Only said:

According to Good Morning America, "...that screenshot included her email address and confirmation number...".

 

That's where I got the idea that her email address was given. 

 

Again, there is conflicting information. 

Something doesn't make sense about that. The bad actor didn't use the real email address for anything because  1) If they attempted to set up an online account with that email address, Carnival's system SHOULD have responded "Already an account with that email."  2) Even if somehow they WERE able to use the real email address, the real owner would then have received some type of email notification that the booking was cancelled (which they did not - they only received an email that an EXCURSION was cancelled which was done automatically by Carnival when the booking was cancelled.)

 

Whether or not the email was shown (not sure GMA got that right - I didn't see it on the screenshot the person shared), I don't see how it would have helped the person doing the scamming.