Airbnb updates security after hackers hijack accounts to rob hosts' homes
Scammers imitate highly rated users, book stay, then steal from host
There’s no doubt that Airbnb is causing a disruption in local housing markets, as the short-term rental website, and others like it, have been accused of making housing more expensive in certain communities and placing some units completely out of reach except for short-term renters.
But Airbnb has a new problem on its hands.
In Airbnb parlance, the situation is called an “account takeover.” The company’s chief strategy officer, Nate Blecharczyk, published a blog post last week discussing the new security measures Airbnb put into place to address the account takeovers.
In an account takeover, people hack into the profiles of guests who have built up good ratings and reviews on Airbnb, and use those accounts (with some minor tweaks to the personal details) to book stays in the homes of hosts, which they then burglarize. The BBC spoke to at least three people who said they’ve been robbed this way.
Takeovers can also work in the reverse — hackers take over host profiles, and try to get unwitting guests to send them money.
According to Blecharczyk, Airbnb’s system is “effective” at stopping “most” account takeovers. But Blecharczyk adds: “Unfortunately there have been some incidents where hosts and guests have suffered. This is not acceptable to us, therefore we’re working around the clock to do everything we can to improve our detection and prevention methods.”
According to Blecharczyk, Airbnb users’ accounts are accessed in several ways (from Airbnb’s blog post):
- Password dumps. You’ve probably heard about high-profile security breaches of personal information at a number of different companies over the last few years. When these breaches occur, bad actors often download massive lists of usernames and passwords that they sell on the black market. Scammers then use the usernames and passwords they’ve purchased to see if they are a match for any number of other accounts, as many people tend to use the same password across platforms. Thus, this could in turn put your Airbnb account information at risk, despite the fact that our platform was not compromised.
- Phishing. Bad actors will email or SMS you a link that asks you to enter your account credentials into a website that looks like one you know and use — but is actually malicious. They then record the information you provide and can use it to access your account.
- Malware. If your computer is compromised by malicious software, it can capture your keystrokes and record your usernames and passwords. Once a bad actor has collected your password this way, they can maliciously access your account.
To protect against these intrusions, Airbnb added multi-factor authentication, which requires the user to enter a separate code when trying to access an account from a device other than the one on record.
Airbnb also added new forms of account alerts that the company claims will help users be more aware of what’s happening with their account.
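A minimal sketch of the new-device check and account alerts described above, added here as an illustration and not Airbnb's code. The `Account` class, its method names, the six-digit code and the in-memory storage are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this example; a real service would load it from a key store.
SERVER_KEY = secrets.token_bytes(32)


def device_fingerprint(device_id: str) -> str:
    """Keep a keyed hash of the device identifier on record, not the raw value."""
    return hmac.new(SERVER_KEY, device_id.encode(), hashlib.sha256).hexdigest()


class Account:
    def __init__(self, first_device_id: str):
        self.known_devices = {device_fingerprint(first_device_id)}
        self.pending = {}  # fingerprint -> one-time code awaiting confirmation
        self.alerts = []   # messages that would be sent to the owner by e-mail or SMS

    def login(self, device_id: str, password_ok: bool) -> str:
        """Return 'denied', 'allow' or 'challenge' for a login attempt."""
        if not password_ok:
            return "denied"
        fp = device_fingerprint(device_id)
        if fp in self.known_devices:
            return "allow"
        # Correct password from a device not on record: a reused or phished
        # password alone must not be enough, so issue a separate code.
        self.pending[fp] = f"{secrets.randbelow(10**6):06d}"
        self.alerts.append("Login attempt from a new device; verification code sent")
        return "challenge"

    def confirm(self, device_id: str, code: str) -> bool:
        """Check the separate code: single use, compared in constant time."""
        fp = device_fingerprint(device_id)
        expected = self.pending.pop(fp, None)  # a wrong guess burns the code
        if expected is None:
            return False
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return False
        self.known_devices.add(fp)
        self.alerts.append("A new device was added to your account")
        return True
```

Because a failed `confirm` discards the pending code, each guess costs a fresh challenge and a fresh alert to the account owner.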