Airbnb seems like a great idea.
Founded in 2008, it allows homeowners to rent out rooms or whole premises if they’re going on holiday themselves. With over 2 million listings across 191 countries, Airbnb offers hosts an easy way of making some cash from their superfluous space, while travellers benefit from generally cheaper, and arguably friendlier, accommodation.
As ever, though, you’ve got to take the rough with the smooth. You might think homeowners are most at risk, but guests also face major concerns when booking, and during their actual stay.
Discovered @Airbnb has a disaster relief temp housing program. Pretty cool of them.
— Rebekah Rogers (@evolscientist) October 10, 2016
Airbnb can be a security nightmare for those renting — but what can you do about it?
You’ll find all kinds of phishing scams on classified advertisement sites like Gumtree and Craigslist: in retrospect, such exploitation methods seem obvious, but we never think it’s going to happen to us.
It should not be a surprise, therefore, to find that Airbnb-inspired scams occur via these places.
Scammers do this a number of ways. The first is by taking conversations away from the Airbnb platform, which is naturally frowned upon. Airbnb, however, typically charge 15% more than the homeowner requests, so cutting out the middle man is tempting.
Picture the scenario. You find a great apartment on Airbnb, and there’s an email address also listed to send questions to. You do exactly that, requesting certain dates. Unfortunately, you’re told the apartment isn’t available for those dates, but that there are some related properties nearby. Helpfully, there’s a link to these apartments.
This should be ringing alarm bells, but the link is back to Airbnb, so what’s the harm? The site, though, is a fraud, created to look like the genuine Airbnb website using fake content, copied from the original. Sarah Ruiz-Grossman, who was victim to such a scam, notes:
Their site has the Airbnb logo, and the design matches Airbnb’s to a T. The URLs almost looked legit — they said “airbnb.intinerary-booking.com,” and the difference went right over our heads. Who looks that closely at URLs? Clearly, we don’t. The listings also had glowing reviews that look just like the ones on Airbnb… The killer move? The fake site’s “About” information, which appears at the bottom of each page, links back to the real Airbnb’s “About Us” page. Genius.
And in case you’re skeptical, the fake site also offers an instant messenger supposedly with the Airbnb team to verify properties are real. Except the real Airbnb doesn’t have an instant messenger service.
Victims are then encouraged to make bookings through bank transfer, which is never advisable.
The second way cybercriminals can make serious cash is easier than setting up a fraudulent website: they set up a fake listing.
— Alberto Población (@Pobla) October 15, 2016
It’s the same principle: scammers get photos of other people’s properties, and dress them up as their own. It’s obvious how that scam progresses. If you don’t smell something fishy, you could not only end up being scammed out of hundreds of dollars, but also go on vacation expecting to have accommodation — then realize you’re out of luck while away from home.
It’s a nightmarish scenario, and there’s even a whole website dedicated to horror stories, AirbnbHell.
There, you’ll find tales of grime, leaks, and various miscellaneous problems to leave you ready for Halloween. You’ll also see complaints about fake listings from verified users. Yes, verified. The system was introduced to reassure users, but ever-resilient scammers have used it to their advantage, often through identity theft.
Airbnb is cracking down on fraudulent listings, but is generally little help to victims unknowingly duped into transactions away from the platform.
Still, the ease with which fake hosts can put up advertisements is troubling. One first-time user recalls how they almost engaged with a supposed homeowner outside of Airbnb, but realized how dangerous it was. However, the scammer then created fake listings under the guise of that user, using photos and details scoured from Facebook. The victim then had issues complaining to Airbnb:
If I don’t have an officially listed property, have not become a member, and do not have an account, why did the Airbnb system not recognise that? … It’s a shame but the company’s arrogant and hands-off attitude to dealing with serious problems is earning them no friends. They are so difficult to actually get hold of. In fact, it’s impossible if your problem doesn’t fit one of their neat little categories.
Let’s say you’ve actually managed to secure accommodation. You’re relaxing in a lovely apartment, and plan to check out the local area. You search the internet with your smartphone or tablet, and — as you come to expect from any commercial overnight stop — you do so using their complimentary Wi-Fi. It’s free, fast, and saves on mobile data.
Unfortunately, scammers can still take advantage, and potentially inflict more damage than via fake listings!
You should know about the dangers of using public Wi-Fi, which includes sidejacking and shoulder-surfing. It’s not recommended, especially if you’re accessing private information. Security expert, Jeremy Galloway, warns that connecting to a router at a rented property could be worse than that — and it’s not necessarily the fault of the homeowner.
The homeowner might use their own internet to infect their guests’ devices, but it’s just as likely that previous guests could’ve compromised the accommodation’s Wi-Fi. Having direct access to the router can lead to the so-called paperclip threat, which literally means hitting the reset button using a paperclip. Galloway recalls this as a sort of hobby while on vacation:
I snowboard like a Texan, and I wanted to lift my spirits, so I thought: “I’ll head back to the rental, and hack the network to mess with my friends’ browsing”. Within five minutes flat, I owned the network.
By accessing these credentials, a cybercriminal could enable a fake Wi-Fi connection, or ongoing man-in-the-middle (MITM) attacks, thereby intercepting any communication between two parties.
Similarly, packet-sniffing means a hacker can collect a wealth of data that runs across a network, and browse at their leisure. You could be falling victim to a guest who stayed in the same property a year ago, and not even realize it.
Advice for Staying Safe
Do not leave Airbnb. It doesn’t matter how real an email looks. If it has a link in it, don’t click it. Even if it purports to lead back to Airbnb itself. Indeed, there have been reports of emails from addresses like firstname.lastname@example.org, which looks real but absolutely isn’t. Real emails can be spoofed too, so don’t rely solely on checking the “From” address. Look out for tell-tale signs, like bad spelling and grammar.
Yeah, this AirBnb seems decent. ? pic.twitter.com/yO2d8DOmnY
— Diana Kristinne (@DianaKristinne) October 15, 2016
You might think you’re safe if you click on a link but don’t insert payment details. However, you could be leaving yourself open to ransomware. Instead, delete the message, open a new browser window and sign into your Airbnb account; genuine messages will appear there.
Similarly, don’t be taken in by “Special Offers” supposedly from Airbnb. More often than not, they include links to fake sites.
Beware bank transfers. Use Airbnb’s internal payment system, no matter how persuasive the supposed homeowner is.
It's a promising sign for our goal of seeing wildlife that our Airbnb is stocked with a can of grizzly bear spray: pic.twitter.com/bEsdssU6CG
— jeremiah jacques (@js_jacques) October 13, 2016
Reverse image search can help combat fake listings; you simply right-click on a photo and go on “Search Google for image”. There’s a handy Firefox add-on that does the same too. See if the same image crops up on Craigslist, and check credentials. Is the property really the correct place being advertised? In addition to that, you might find reviews that will sway your decision either way.
And when you arrive at your accommodation, use a Virtual Private Network (VPN) if you really must connect to their Wi-Fi. It encrypts your data, which certainly isn’t fool-proof, but is a very solid step to securing your personal information.
The Onus Isn’t Always on the Guest
Lock the router up and it keeps it away from people that are curious… The point isn’t to create perfect security; the point is to raise the bar. Right now, all an attacker needs to do to own a network is want to.
It might seem extreme, but if it side-steps serious security problems, it’s worth it for everyone.
What further steps do you take when renting a property? Do you use an alternative to Airbnb? Or are you trusting of the service?
Image Credits: Elnur/Shutterstock