What we’re doing to prevent account takeovers

Trust is the fundamental currency of the sharing economy — it’s at the very heart of our Airbnb community. As our global community continues to grow, we remain vigilant of the ways bad actors are looking to take advantage of this trust. Online scammers in particular are constantly adapting and refining their attacks.

One fraudulent tactic that is receiving increased attention is called an account takeover, or ATO for short. I want to take some time to explain to you how seriously we take this threat and to explain what we are doing here at Airbnb to confront it.

An ATO occurs when a bad actor gets access to a user’s account by stealing their password, usually through one of the following methods:

  1. Password dumps. You’ve probably heard about high-profile security breaches of personal information at a number of different companies over the last few years. When these breaches occur, bad actors often download massive lists of usernames and passwords that they sell on the black market. Scammers then use the usernames and passwords they’ve purchased to see if they are a match for any number of other accounts, as many people tend to use the same password across platforms. Thus, this could in turn put your Airbnb account information at risk, despite the fact that our platform was not compromised.
  2. Phishing. Bad actors will email or SMS you a link that asks you to enter your account credentials into a website that looks like one you know and use — but is actually malicious. They then record the information you provide and can use it to access your account.
  3. Malware. If your computer is compromised by malicious software, it can capture your keystrokes and record your usernames and passwords. Once a bad actor has collected your password this way, they can maliciously access your account.

Historically, we’ve defended against account takeovers by using a machine learning model that predicts the probability that each login or action on Airbnb is being performed by the true account owner.  If the model predicts a high risk that the account has been taken over, we would require the user to provide an additional confirmation.

The model is trained by observing hundreds of millions of historical login events that have been labeled as “good” or “bad”.  The model then evaluates hundreds of signals simultaneously to determine the risk level, looking for various patterns such as:

  1. Login from an unexpected country
  2. Login from an unexpected IP address, computer, or phone
  3. An unexpectedly high number of logins from a particular IP address

Our model is effective at stopping most account takeovers, but unfortunately there have been some incidents where hosts and guests have suffered. This is not acceptable to us, therefore we’re working around the clock to do everything we can to improve our detection and prevention methods. While the machine learning approach is common for online platforms, the nature of Airbnb’s product and the critical importance of trust within and among our community requires an even higher bar for security.

Effective today, we have launched new defenses to further prevent bad actors from taking over an Airbnb account, including:

  1. Multi-factor authentication. We’re requiring additional verification whenever a user logs in from a new device, such as a computer, phone, or tablet — as is often the case for other services such as online banking. When you sign up for Airbnb, we’ll remember the device you used and allow you to log in from that device, as long as you have the password. Any new device you use, however, will require an additional verification even if you have the password. This defense is typically referred to as multi-factor authentication. We’ll confirm that you are the true account owner by sending a one-time unique confirmation code to your account phone number or email. Once you’ve entered that code on our site through your new device, you won’t have to do it again on that machine.
  2. Improving account alerts. We’ve added SMS in addition to email to the ways in which we alert you, as well as expanded the range of changes we’ll proactively notify you about. We do this in order to let you know these changes have taken place and so that you can take action to recover your account in the event you were not the one who made those changes.

Fortunately, the vast majority of our hosts and guests never have to deal with account takeovers or any other scam. While the enhancements we’re announcing today will add yet another layer of security to our users’ accounts, we always want our community to continue to be vigilant and exercise good security practices. We outline some recommended practices around strong passwords, safe payments and other measures on our site here.

Nate Blecharczyk
Chief Strategy Officer / co-founder