Which?, a consumer advocacy group, has released an investigation highlighting significant security flaws in Booking.com that leave the platform susceptible to fraud. The investigation reveals that Booking.com’s lax security measures, such as the lack of identity verification for property owners and an easily compromised messaging system, expose holidaymakers to scams.
Which? was able to list a property on Booking.com in under 15 minutes, without the rigorous identity checks required by competitors like Vrbo or Airbnb. This lack of verification has led to a surge of fraudulent listings, with numerous users reporting scams in the review sections, including paying for accommodations that do not exist. Despite Which? reporting these issues to Booking.com, many problematic listings remained active months later.
One illustrative case involves Peter Walsh and his wife, who booked an apartment in Normandy through Booking.com, only to find a dentist’s office at the listed address. Despite Booking.com’s initial investigation, Walsh did not receive a refund until Which? intervened. This incident underscores Booking.com’s inadequate customer service and failure to protect users from fraudulent listings.
The investigation also discovered that Booking.com’s security systems are easily penetrable, allowing scammers to list fake properties and hack genuine listings. While Booking.com restricts new hosts from accepting prepayments until they have established reviews, this measure is insufficient to deter determined fraudsters. Instances of properties with numerous complaints of being scams, coupled with a lack of refunds, further demonstrate the platform’s security vulnerabilities.
Moreover, Which? found loopholes in Booking.com’s two-factor authentication (2FA) system. An expert in 2FA contacted Booking.com to report that the 2FA on his guest account was ineffective, meaning anyone who hacked his email could access his messages without additional verification. This flaw, which Booking.com has yet to fix, leaves users vulnerable to having their accounts compromised.
The implications of these security lapses extend beyond monetary loss. Some users have had to cancel or postpone travel plans due to scams, highlighting the emotional and practical impact of Booking.com’s security failures.
As the Online Safety Act’s illegal harms codes come into effect on March 17, there will be increased pressure on platforms like Booking.com to proactively prevent user-generated fraud. Which? recommends that Booking.com implement mandatory identity checks for hosts, enforce two-factor authentication for all users, and ban external links in messages to prevent phishing scams. The organization also urges Booking.com to investigate and act on scam reports promptly.
Which? emphasizes the need for Ofcom, the UK’s communications regulator, to take decisive action against platforms that fail to comply with the Online Safety Act. Rocio Concha, Which? Director of Policy and Advocacy, stresses that simple changes by Booking.com could significantly reduce fraud and protect customers.
In response, Booking.com claims to be deeply committed to protecting customers from fraud and asserts that it has robust security measures in place. The company states that it takes the verification of accommodation listings seriously and has multiple controls to detect and block fraudulent activity. Booking.com advises customers to review property ratings and scores before booking and to contact their customer service team if they suspect their email account has been compromised.
Booking.com Compared with Other Travel Platforms
Booking.com’s security measures appear to lag behind those of competitors like Airbnb and Vrbo in several key areas. While all platforms face challenges in preventing fraud and ensuring user safety, Booking.com seems to have more significant vulnerabilities.
Booking.com’s identity verification process for property owners is notably less stringent than its competitors. Unlike Airbnb and Vrbo, Booking.com allows listings to be created without rigorous identity checks, such as providing a driver’s license or passport. This lax approach increases the risk of fraudulent listings and scams on the platform.
Airbnb and Vrbo have implemented more robust systems for verifying property listings. In contrast, Booking.com has been criticized for its slow response to removing fraudulent listings, even after receiving multiple complaints from users. This delay in addressing scam reports puts users at greater risk of falling victim to fraudulent schemes.
Booking.com’s messaging system has been identified as a potential weak point in its security infrastructure. Users have reported receiving phishing messages through the platform’s official app, indicating that the system may be vulnerable to exploitation by scammers. Airbnb and Vrbo appear to have more secure messaging systems in place.
While Booking.com has implemented two-factor authentication (2FA), there have been reports of vulnerabilities in its implementation. Some users have found that the 2FA system can be bypassed, potentially compromising account security. Airbnb and Vrbo seem to have more robust 2FA systems in place.
Booking.com’s response to security incidents and user complaints has been criticized as slow and inadequate. Users have reported difficulties in obtaining refunds or assistance when falling victim to scams on the platform. In comparison, Airbnb and Vrbo appear to have more responsive customer support and security teams.
Unlike hotels, which typically have standardized safety measures, Booking.com, Airbnb, and Vrbo all face challenges in ensuring consistent safety standards across their listings. However, Airbnb and Vrbo have implemented more stringent policies regarding the use of security cameras and other monitoring devices in their properties.
While all online travel platforms face security challenges, Booking.com appears to have more significant vulnerabilities compared to Airbnb and Vrbo.
The platform’s less stringent identity verification process, slower response to fraudulent listings, and potential weaknesses in its messaging and authentication systems suggest that users should exercise additional caution when using Booking.com.
Improvements in these areas would be necessary for Booking.com to match the security standards set by its competitors.
Identity Checks
Booking.com’s current identity verification measures for hosts and properties are widely regarded as insufficient, leaving the platform vulnerable to fraud and scams. Several key issues highlight the ineffectiveness of these checks:
Unlike competitors such as Airbnb or Vrbo, Booking.com does not consistently require hosts to provide government-issued identification (e.g., passports or driver’s licenses) before listing properties. This lack of stringent identity checks allows fraudsters to create fake listings with minimal effort, exposing users to scams.
Booking.com does not physically inspect or verify the accuracy of property details provided by hosts. This enables fraudulent or misleading listings, where users may book accommodations that do not exist or fail to meet advertised standards. Instances of fake reviews further exacerbate this issue, making it difficult for travelers to discern legitimate properties.
The platform’s messaging system has been exploited by scammers who send phishing messages directly through Booking.com’s interface. These messages often impersonate hotels or hosts, requesting sensitive information such as credit card details. The ability for scammers to operate within the platform’s official communication channels underscores a significant security gap.
While Booking.com offers two-factor authentication as an added security layer, reports indicate that its implementation is flawed. Some users have experienced situations where 2FA could be bypassed, leaving accounts and personal information vulnerable to unauthorized access.
Even when fraudulent listings are reported, Booking.com has been criticized for its slow response in removing them. This delay allows scams to persist, further eroding user trust in the platform’s safety measures.
Booking.com’s current identity checks are inadequate for effectively preventing fraud. Strengthening host verification processes, implementing stricter property validation protocols, and addressing vulnerabilities in its messaging system and 2FA are essential steps the platform must take to improve user safety and restore trust.
Consumer Protection
Booking.com users face sophisticated phishing attempts that exploit the platform’s messaging system and user trust. Scammers often gain unauthorized access to hotel systems, allowing them to send convincing messages directly through Booking.com’s official channels.
Be wary of unexpected messages requesting payment information or claiming issues with your booking. Scammers often create a sense of urgency, threatening to cancel reservations within a short timeframe if you don’t comply.
Always double-check the authenticity of messages by contacting the hotel or Booking.com directly through official channels, not those provided in the suspicious message.
Stick to Booking.com’s approved payment methods. Be extremely cautious of requests for alternative payment forms like gift cards or cryptocurrency.
While Booking.com’s two-factor authentication system may have limitations, enabling it can provide an additional layer of security for your account.
Regularly update your devices and software to protect against the latest malware and security vulnerabilities.
Frequently check your Booking.com account for any unauthorized activity or changes to your bookings or personal information.
Avoid clicking on links in emails or messages, especially those asking you to re-enter payment details. Instead, log in to your account directly through the official Booking.com website or app.
If you encounter a suspected phishing attempt, report it immediately to Booking.com’s security team. This helps protect both you and other users.
Stay informed about the latest phishing tactics and scams targeting Booking.com users. Knowledge is a powerful defense against evolving threats.
If a message or request seems unusual or too good to be true, it probably is. Don’t hesitate to verify information or cancel a booking if you feel uncomfortable.
By implementing these protective measures, you can significantly reduce your risk of falling victim to phishing attempts on Booking.com. Remember, vigilance and caution are your best defenses against online scams.