Airbnb is cracking down on malicious scammers hijacking users' accounts after an investigation found several people's homes were robbed by guests using stolen accounts. In a blog post on Thursday (13 April), the home rental company said online scammers have been using stolen passwords to take over guests' accounts that have good ratings and reviews on Airbnb.
The passwords are usually obtained via password dumps from previous hacks as well as online scams such as phishing and malware attacks. After infiltrating the account, the scammer tweaks some of the personal details, such as the name and contact information, and then uses the account to book stays at various hosts' homes. The scammers then visit the accommodation and rob it before leaving.
The BBC reports that at least three people said they have been robbed after leasing their homes to people they thought were verified, reliable guests.
One victim said he was burgled after leasing his apartment to a seemingly verified guest while he was away for a few days to celebrate his birthday.
"While I was enjoying the hotel, having breakfast...I got that horrible text message saying somebody is in the flat," he told the BBC. "It's not me because my account had been compromised. Obviously my birthday was over."
Airbnb's official Facebook page is filled with numerous complaints from users claiming their accounts were compromised as well.
Dubbed "account takeovers" by Airbnb, the problem also works in reverse, with some hackers taking over hosts' accounts to try to extort money from travellers.
"Historically, we've defended against account takeovers by using a machine learning model that predicts the probability that each login or action on Airbnb is being performed by the true account owner," Airbnb CTO Nathan Blecharczyk wrote. "If the model predicts a high risk that the account has been taken over, we would require the user to provide an additional confirmation."
This predictive model looks for suspicious behaviour such as logins from an unexpected country, IP address, computer or phone, as well as an abnormal number of login attempts.
"Our model is effective at stopping most account takeovers, but unfortunately there have been some incidents where hosts and guests have suffered," Blecharczyk said. "This is not acceptable to us, therefore we're working around the clock to do everything we can to improve our detection and prevention methods."
Now, Airbnb will use two-factor authentication whenever a user logs in from a new device that has not previously been used to access the account. Users will also be notified via text message of any changes to their profile, so that they are alerted if a malicious actor is changing their account settings.
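The sketch below is an added illustration, not Airbnb's code or model: it scores a login on the signals named above, always requires a second factor on an unseen device, and raises a text alert on profile changes. The weights, threshold, field names and the choice to send alerts to the previously registered number (so a changed phone number cannot silence them) are assumptions.

```python
from dataclasses import dataclass, field

# Constructed integer weights and thresholds; a real model would learn these.
WEIGHTS = {"new_country": 40, "new_ip": 20, "many_attempts": 40}
MAX_RECENT_FAILURES = 5
STEP_UP_SCORE = 50

@dataclass
class Account:
    phone: str
    name: str
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    ips: set = field(default_factory=set)

@dataclass
class Login:
    device: str
    country: str
    ip: str
    recent_failures: int = 0

def assess_login(acct, login):
    """Return (decision, reasons); decision is 'allow' or 'step_up'."""
    reasons = []
    if login.country not in acct.countries:
        reasons.append("new_country")
    if login.ip not in acct.ips:
        reasons.append("new_ip")
    if login.recent_failures >= MAX_RECENT_FAILURES:
        reasons.append("many_attempts")
    # Policy from the article: an unseen device always needs a second factor,
    # whatever the score, so a stolen password alone is not enough.
    if login.device not in acct.devices:
        return "step_up", ["new_device"] + reasons
    score = sum(WEIGHTS[r] for r in reasons)
    return ("step_up" if score >= STEP_UP_SCORE else "allow"), reasons

def confirm_step_up(acct, login):
    """After a successful second factor, remember this login context."""
    acct.devices.add(login.device)
    acct.countries.add(login.country)
    acct.ips.add(login.ip)

def change_profile(acct, **changes):
    """Apply changes; return (number, text) SMS alerts for the old number."""
    old_phone, alerts = acct.phone, []
    for name, value in changes.items():
        if getattr(acct, name) != value:
            setattr(acct, name, value)
            alerts.append((old_phone, f"Your profile {name} was changed."))
    return alerts
```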
"Trust is the fundamental currency of the sharing economy," Blecharczyk said. "It's at the very heart of our Airbnb community. As our global community continues to grow, we remain vigilant of the ways bad actors are looking to take advantage of this trust."