Scammers have used the stolen account details of Airbnb users to target properties for burglaries.
What Is Airbnb?
Airbnb is an online marketplace that allows people to rent out their properties or spare rooms. Hosts can register on the site, set a price per night for their accommodation (which is typically lower than a hotel price), upload pictures of what’s on offer, and set house rules. Potential guests go to the Airbnb website, select their travel dates, and then pick from a list of options. Guests and hosts write reviews about each other.
Airbnb guests can verify their profiles by submitting identification (such as passport details) to Airbnb, and ‘good’ guests with good ratings and reviews are preferred by property owners.
In the recent four-stage criminal process, scammers have:
- Obtained the stolen account details of verified Airbnb customers who have good reviews. These account details are believed to have been obtained in the first place via password dumps from previous hacks as well as from online scams such as phishing and malware attacks.
- Accessed the customer accounts using the stolen details and changed some of the key personal details, such as the name, location and photograph.
- Targeted properties and made bookings using the altered accounts.
- Burgled the targeted properties.
Not The First Time
This is not the first time that Airbnb properties have been targeted by burglars. Last summer in the US, thieves were booking Airbnb properties and then cancelling the booking last-minute as soon as the property’s security codes (garage codes, key codes, alarm codes) had been given to them. The properties were then immediately burgled.
New Security Measures
In the light of the recent scams, Airbnb have announced that they are introducing new measures to improve their scam detection and prevention methods. These improved security measures include sending text warnings if profiles are altered and requiring potential guests to use two-factor authentication when logging in to Airbnb on a device that has not previously been used to access their account. It has been reported that those property owners whose properties have been burgled as a result of the scam will be reimbursed by Airbnb, which offers hosts a $1 million insurance policy.
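The two measures above can be expressed as a rule over one account's event log. The sketch below is an added example, not Airbnb's code: the event format, the device names, the 48-hour window and the `hold_booking` action are all assumptions made for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Fields the scammers altered, per the four-stage process described above.
SENSITIVE_FIELDS = {"name", "location", "photo"}
WINDOW = timedelta(hours=48)  # assumed correlation window, not from the article

def review_events(events, known_devices):
    """Scan one account's time-ordered events.

    Returns (alerts, step_up): alerts to raise, and timestamps of logins
    that should have required a second factor (unrecognised device).
    """
    alerts, step_up = [], []
    risky_since = None   # time of the last login from an unrecognised device
    changed = set()      # sensitive fields altered since that login
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if risky_since and ts - risky_since > WINDOW:
            risky_since, changed = None, set()
        if ev["type"] == "login" and ev["device"] not in known_devices:
            step_up.append(ev["ts"])
            risky_since, changed = ts, set()
        elif ev["type"] == "profile_change":
            # Text warning to the account holder on any profile alteration.
            alerts.append(("text_warning", ev["ts"], ev["field"]))
            if risky_since and ev["field"] in SENSITIVE_FIELDS:
                changed.add(ev["field"])
        elif ev["type"] == "booking" and risky_since and changed:
            # Hypothetical extra action: new device + identity edits + booking.
            alerts.append(("hold_booking", ev["ts"], tuple(sorted(changed))))
    return alerts, step_up

# Constructed sample log matching the takeover pattern in the article.
SAMPLE_EVENTS = [
    {"ts": "2017-01-10T09:00:00", "type": "login", "device": "laptop-A"},
    {"ts": "2017-01-12T02:14:00", "type": "login", "device": "unknown-X"},
    {"ts": "2017-01-12T02:16:00", "type": "profile_change", "field": "name"},
    {"ts": "2017-01-12T02:17:00", "type": "profile_change", "field": "photo"},
    {"ts": "2017-01-12T02:30:00", "type": "booking", "listing": "listing-123"},
]

if __name__ == "__main__":
    for alert in review_events(SAMPLE_EVENTS, {"laptop-A"})[0]:
        print(alert)
```

A genuine owner who edits their photo from a recognised device still receives the text warning, but the booking is not held.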
What Does This Mean For Your Business?
This story illustrates how vulnerable single-stage, simple password verification systems are to attack, even if some form of ID verification has been carried out in the past. Businesses that collect, store, and use the personal data of customers (e.g. for booking / ordering) firstly need to make sure that the data is securely protected. Secondly, multi-stage / two-stage verification processes with each login should be used in place of simple password logins. Some organisations are now using biometric systems to make account access even more secure.