Conversation

Notices

1. Embed this notice
   tech? no! man, see... (technomancy@icosahedron.website)'s status on Saturday, 23-Dec-2023 04:13:35 JST tech? no! man, see...

   I realize "airbnb is a terrible company" is not exactly a newsworthy take, but holy shit yall

   my wife was trying to get a reservation, and right at the last step they asked her for her *username* and *password* for her BANK

   I'm glad I was in the room at the time, because if I hadn't seen it for myself I would not have believe it; I would have assumed it was another site pretending to be airbnb to scam her but nope, this was the real deal and the scamming was coming from inside the house

   (needless to say she closed the tab and found another way to book a room for that trip that did not involve airbnb nor giving sensitive login credentials to an untrusted party)

   • Embed this notice
     tech? no! man, see... (technomancy@icosahedron.website)'s status on Saturday, 23-Dec-2023 04:22:24 JST tech? no! man, see...

     in reply to

     • Anders Eknert

     @anderseknert I read a thread about this (we didn't fall for it and give them the login info so this is second-hand info) but they said if MFA is enabled they actually tell you to pass the confirmation code on to them so they can use it, which every decent security guide will tell you is a red flag meaning you're 100% getting scammed and stop immediately

     can't confirm this myself, but that's what I've heard; I hope they get sued into a smoldering crater for this behavior

   • Embed this notice
     Anders Eknert (anderseknert@hachyderm.io)'s status on Saturday, 23-Dec-2023 04:22:25 JST Anders Eknert

     in reply to

     @technomancy that’s wild. Any banks still rely on username + password as the only mean of authentication though? 😱Around here (nordics) banking has required device based MFA for the last decade or so.

   • Embed this notice
     tech? no! man, see... (technomancy@icosahedron.website)'s status on Saturday, 23-Dec-2023 04:26:07 JST tech? no! man, see...

     in reply to

     • Boosty Collins

     @ieure yes, plaid was the site that was being used for the scam

     apparently they've already been sued for major privacy breaches but somehow the company continues to exist: https://www.reuters.com/legal/litigation/fintech-firm-plaid-agrees-58-mln-deal-end-privacy-case-2021-08-06/

     I hope this continues and they get sued into a smoldering crater

   • Embed this notice
     Boosty Collins (ieure@retro.social)'s status on Saturday, 23-Dec-2023 04:26:08 JST Boosty Collins

     in reply to

     @technomancy They're probably verifying account ownership by using Plaid to authenticate against her bank, this is a pretty standard thing.

     Definitely doesn't feel good, and definitely *can* be abused (the highest level of access lets you access transaction detail for the account), but it's also.... normal. Which is not at all to say "good."