Posts

Renting out your home might be the key to making big money, especially if you live in a sought-after location. While in the past you might have had to hire a property management company among other hurdles, technology has made it easier to take advantage of this opportunity. Companies, like Airbnb, let you post a listing for your home or property online, and people can rent the use of it at prices you determine and dates that fit your schedule. It might be your beautiful beach house in an exotic tropical location or just the spare bedroom in your house or apartment – some users have even posted their lawn space for camping.

While apps and technology make it easier to list and more affordable to rent properties, there is a downside. Criminals have flooded this innovative market place with scams. Scammers have used Airbnb to conduct rental scams, posting properties for rent they never managed. Now users are reporting fraudulent activity has taken place in the Airbnb platform. Account owners have noticed reservations being booked for non-refundable rentals that the users did not make themselves. Some have had their cards charged and money removed from PayPal accounts.

According to Airbnb, the platform has not been attacked or breached. In a statement from Airbnb they called these fraudulent charges “isolated incidents.” Airbnb’s investigation shows that these accounts were logged into with accurate login credentials and then the accounts were used to rent accommodations, charging the victims’ payment methods.

In short, that means someone got a hold of the victims’ login credentials. It’s quite likely that the information was gleaned from a previous data breach of a different company. This practice, known as credential stuffing, means if a users’ login information was breached in a previous attack their accounts using the same login are also in jeopardy. The Yahoo email breach, for example, would give criminals access to every single account you own if you are reusing that compromised username and password combination on other accounts.

While the damage appears to be rather limited, it is a good idea to change your Airbnb account password, even if you were not affected by these fraudulent charges. Monitoring your accounts regularly will also help you recognize suspicious activity as soon as it occurs.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read more: First American Financial Breach Exposes Millions of Complete Identities

 

There are two specifically related but not interchangeable threats to your identity, and the terms can often get confused. Credential cracking and credential stuffing both involve someone getting their hands on your personal data, especially your usernames and passwords, but how those two things take place are somewhat different.

Credential Cracking

Credential cracking happens when a hacker targets you or your company specifically. They spend a significant amount of time and tech resources on breaking into your accounts by undermining your password defenses. While victims of credential cracking can absolutely be random citizens caught up in a hacker’s trap, the effort behind it often means that the victim was targeted specifically. It might be a business account or a company’s social media accounts, financial accounts, or even the personal finances for someone within a company.

Credential Stuffing

Credential stuffing, on the other hand, usually occurs when a hacker casts a wider net. They either steal a database filled with information, buy it on the Dark Web, or even stumble upon it in an unsecured web-based storage server. Then, they use software that lets them attempt thousands of “matches” at a time, cross-referencing the stolen usernames and passwords that work on one website with many other websites. When they land on a match—meaning the victim’s username and password from PayPal, for example, are the same one they use on Amazon—they can use that information to steal money and even more identifying information.

Read next: TurboTax Security Breach Cause by Credential Stuffing

Who’s Targeted

Another major difference between these two forms of attack is in how the tech-using public can take action. Credential cracking is potentially in your own hands, unless a cybercriminal targets your place of employment; a lot of your preventive strategy will involve practicing good password hygiene. Credential stuffing, on the other hand, is a result of finding a treasure trove of information that someone else did not properly secure. You often have no way of knowing whether or not your information was included in such a database until you receive a notification letter from the company who allowed it to become compromised.

How to Protect Yourself

As always, one of the best defenses against either of these attacks is to use strong, unique, unguessable passwords that you change routinely. Changing your password can actually prevent credential stuffing since your old (and stolen) information would no longer be valid; by keeping your passwords unique—meaning they are valid on one account only—you can also work to avoid credential stuffing since they will not work on any other account.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.