from Hacker News

Mysterious leak of Booking.com reservation data is being used to scam customers

by cjg on 2/13/23, 9:55 AM with 32 comments

  • by coldcode on 2/13/23, 3:16 PM

    People rarely realize that making a hotel booking at an OTA (mostly reduced to Expedia Brands and Priceline Brands these days) is a combination of their systems that then call the hotel systems to make the actual booking (or sometimes just a fax or email if the hotel has no IT). So information that Booking collects is mostly sent to the hotel system; there isn't any other way. Booking could add something to their side which is passed only to the customer (such as an ID of some kind) to ensure anything coming from them is legit since a leak of a hotel system would not have that. That would not help emails purporting to come from the hotel however and is likely doubtful to help much. I doubt most hotel brands would accept an email relay, they are already discounting the price to provide the OTA profit margin so not getting the actual email would be a sticking point.

    Having worked at an OTA (before Expedia got us) I refuse to book at anything other than a legit hotel system. OTA's are fine for price discovery but you often get a better deal (and better service) from the hotel/brand directly. The front desk knows you booked via an OTA instead of the hotel directly.

  • by edent on 2/13/23, 2:50 PM

    I understand that a hotel needs to know the name & booking reference of the guest. But surely Booking.com could operate an email relay so that the hotel never gets to see the user's real email address?

    That way Booking.com would be able to see the contents of any messages and shut down spammers more easily. They could do the same with a phone / SMS relay as well.

  • by Hackbraten on 2/13/23, 2:09 PM

    Assuming that Booking.com is telling the truth, i.e. only a number of property owners has been compromised, how come 2FA is still not mandatory for property owners?

    How come their (optional) 2FA only offers SMS, which is known to be insecure, even though FIDO2/WebAuthn/TOTP has been a thing for years?

  • by flemhans on 2/13/23, 11:24 PM

    A slightly related super annoying thing that's beginning to happen more and more often, is that after the booking is confirmed, the 'host' will send a link to a third party service that asks you to upload your passport/ID and enter other personal information, for them to perform a pre-screening of you, whether you're a pedophile, a well-behaving person in general, all under the pretence of making your stay easier and more comfortable for you.

    After making a lot of fuss, they'll eventually waive the no free cancellation policy, but then I still have to go over the whole process of finding another place to stay.

  • by sorokod on 2/13/23, 9:45 PM

    Russian shortening service nah.uy

    For Russian speakers there is a joke in there.