
Airbnb adds new security measures to prevent scammers from hijacking hosts



Photo by Amelia Holowaty Krales / The Verge

Airbnb today announced a new set of mandatory security measures, including multi-factor authentication, that it’s implementing to prevent account takeovers. Now, for the first time, Airbnb will require both hosts and guests logging in from new devices to verify their identity with a second account, either via SMS or email. A vast majority of other social and communication apps use multi-factor authentication, including Facebook, Google, and Twitter, making Airbnb a bit of an outlier for having gone so long before enabling it by default.

Airbnb is late to the multi-factor party

The company says that one of the most common security breaches it suffers is when a scammer or other bad actor takes control of someone’s account by obtaining the password. Normally, this would mean access to someone’s email or the ability to purchase stuff on their behalf. But in the case of Airbnb, it could mean giving a stranger access to private details about your home and the ability to rent it out to others. That arguably raises the stakes when it comes to account security.

Airbnb says it already uses predictive models, trained using machine learning techniques, that look for uncharacteristic behavior to flag. For instance, if the account is seeing an abnormal number of login attempts or a login from a foreign country, Airbnb’s system might ask for an additional confirmation that the person logged in is truly the host. Unfortunately, the company says this isn’t enough and both guests and hosts have suffered lost funds and fraudulent bookings as a result.

Now, at the very least, there’s an additional wall of security to prevent malicious takeovers of your Airbnb account. In addition to multi-factor authentication, Airbnb is also adding SMS alerts to let people stay up to date about changes made to their account in the event a stranger has gained access and starts tinkering with settings.