Assuming that Booking.com is telling the truth, i.e. only a number of property owners has been compromised, how come 2FA is still not mandatory for property owners?
How come their (optional) 2FA only offers SMS, which is known to be insecure, even though FIDO2/WebAuthn/TOTP has been a thing for years?
> even though FIDO2/WebAuthn/TOTP has been a thing for years?
The problem is, as always, users. When the EU recently adopted PSD2, banks were forced to implement 2FA for online banking... and there was a ton of backlash. Anything more complex than "enter one-time code from SMS/e-mail" will lead to a lot of customer support issues.
With SMS based 2FA, you as a service provider only have to deal with people who lost/damaged their phones and need access while they get their new phone set up or with 2FA token messages being stuck in spam filters. With anything else, you as a service provider will have a lot more scenarios to cover in support: people unable to set up TOTP apps, people travelling who need access but forgot their Yubikey, an employee took their yubikey home to work from there and fell sick but now no one can log in any more from the office (because the yubikey is with the sick employee), the yubikey got damaged, the computer is in service so no webauthn possible, the users originally had an iPhone compatible Yubikey but now have an Android device or vice versa and now need new keys... and you will have scammers acting like one of the aforementioned scenarios has just happened. Oh, and at least TOTP usually has some sort of backup codes, but people regularly lose the files or, in very random edge cases, a regular TOTP code is the same as a recovery code so the system strikes the recovery code as having been used and people get confused as a result...
The easiest of the bunch is TOTP because the setup code can be backed up, but not all employees want to add corporate credentials on a personal phone, and because it's completely stateless (similar to classic JWT bearer tokens) it's impossible to keep track of the 2FA credentials and who has them, meaning a ton of work when employees depart.
Hell even the really large players don't get 2FA right. The best example is Amazon AWS: as a root account you should have 2FA enabled. But if you want a yubikey, you can only add one, with no fallback for a TOTP device - lose your yubikey and you're at the mercy of AWS support.
Identity and access management is insanely hard.
That, however, doesn't mean booking.com isn't a shitshow in itself. I have an account with them that should have everything saved - my name, address, credit card information and the name of my s/o - and yet, for every booking I place I have to enter all the information from scratch. How they haven't managed to implement that in years is inexcusable.
> for every booking I place I have to enter all the information from scratch.
Sounds like an issue with you or your account. I never have to enter my information and bookings go usually pretty smoothly if you ignore the dozens of dark patterns. I just tried and it takes about 7 taps from list until Pay button (my CC is saved) on my iPhone app. Technically I didn’t even have to scroll.
> as a root account you should have 2FA enabled. But if you want a yubikey, you can only add one, with no fallback for a TOTP device - lose your yubikey and you're at the mercy of AWS support.
As a fallback for my spare Yubikeys, I have created a couple of dummy, web-only IAM users with root privileges.
Still an embarrassing UX failure on AWS’s side though.
The worst thing IMO is that the AWS API and the UI seems to be already designed with multiple 2FA devices in mind. I have absolutely zero idea what took them over the last years from implementing this absolutely basic feature.
For what it's worth, unless something's changed those accounts have admin privileges but _not_ root privileges.
Last I checked (and by that I mean found out the hard way) there are still places across AWS that you can lock everyone but root out of. Particularly it seems around a few of the places where you're configuring policies on specific resources rather than through IAM.
We ended up setting a policy on an S3 bucket that locked everyone out. The root account _always_ has permissions to edit/remove that policy, but the policy itself prevented the admin accounts from removing it.
I don’t know the particulars of Booking.com, but I can tell you that a very large part of property owners are small scale, largely tech-illiterate (and sometimes close to natural language illiterate) and would only recognize SMS from those abbreviations you just threw out. These are people who barely have enough time with managing the physical and admin parts of the business (dealing with staff, guest requests, repairs, cleaning, accounting and taxes, etc).
Same as most other small and medium businesses that don’t specialize in tech.
Guests are trusting property owners with their personal data. If these people are ignoring the risk entirely or willingly shifting the fallout onto their guests – because the owners are so busy and no one penalizes them for data breaches anyway! – then maybe it’s time that someone starts doing just that.
I understand that a hotel needs to know the name & booking reference of the guest. But surely Booking.com could operate an email relay so that the hotel never gets to see the user's real email address?
That way Booking.com would be able to see the contents of any messages and shut down spammers more easily. They could do the same with a phone / SMS relay as well.
If done, booking.com would be accused of hiding customer identities as a way to lock in customers to their platform. I don’t have a reference right away, but similar concerns were raised with the “Sign in with Apple” scheme.
People rarely realize that making a hotel booking at an OTA (mostly reduced to Expedia Brands and Priceline Brands these days) is a combination of their systems that then call the hotel systems to make the actual booking (or sometimes just a fax or email if the hotel has no IT). So information that Booking collects is mostly sent to the hotel system; there isn't any other way. Booking could add something to their side which is passed only to the customer (such as an ID of some kind) to ensure anything coming from them is legit since a leak of a hotel system would not have that. That would not help emails purporting to come from the hotel however and is likely doubtful to help much. I doubt most hotel brands would accept an email relay, they are already discounting the price to provide the OTA profit margin so not getting the actual email would be a sticking point.
Having worked at an OTA (before Expedia got us) I refuse to book at anything other than a legit hotel system. OTA's are fine for price discovery but you often get a better deal (and better service) from the hotel/brand directly. The front desk knows you booked via an OTA instead of the hotel directly.
Do the OTAs also transmit the credit card number (and CVC?) in plain text to the hotels?
One time I had a not so nice experience with a hotel. They promised a partial refund, but also a threat that they'll re-charge my CC the full amount if I wrote a bad review. No such refund came, I wrote a bad review, then they talked to me and did actually refund me. But how could they re-charge my CC without the CC info? I smell a violation of PCI DSS there.
> OTA's are fine for price discovery but you often get a better deal (and better service) from the hotel/brand directly. The front desk knows you booked via an OTA instead of the hotel directly.
That used to be more true in the past, but recently OTA's are beginning to offer better rewards programs, as well as making your trip more 'interconnected' (having one place to get flight, hotel, cars, events, activities, etc.), so now I'd say "it depends". Lately though, the bigger hotel chains themselves are also starting to introduce their own rewards, so we'll see what happens
My experience is from when I worked at the now defunct (but still a brand) OTA. Likely the two remaining OTA systems have evolved to stay relevant. Hotel chains will then evolve again themselves, it's like a war.
They are not even necessarily connecting to the hotel-systems themselves. Often they connect to a middleman, which connects to the global middleman, which connects to the hotel (or maybe has a middleman on this side too). OTA-Business is a whole nest of snakes biting snakes, sometimes you are the first in the line, sometimes, you are the last in the line.
The biggest reason for me to use an OTA is the free cancellation policy, I've never found any hotel site that has the kind of flexibility I'm looking for.
For some reason my experience has been the opposite: higher prices when going through the hotels directly. My thoughts were that clients booking directly are not really comparing so less price sensitive and thus the hotel charges them more. The difference has often been around 10%.
The UI of hotels website is also often terrible and I absolutely do not trust them with my credit card info (nor do I wish to send them a SEPA deposit which I have seen at more than one place).
For flights on the other hand I take the airline website any day.
Currently travelling in India. Tried booking hotels and domestic flights with mastercard/visa, but nothing worked. Called my bank and they said their system show no rejected transactions so the block must be on Indian side.
So had to book on booking.com and other multinational sites.
> OTA's are fine for price discovery but you often get a better deal (and better service) from the hotel/brand directly. The front desk knows you booked via an OTA instead of the hotel directly.
I know anecdotes aren't data, but I've had the opposite experience.
Front Desk: "Hey, I see you booked with Expedia. You know if you booked directly with us, you'd get a better rate!"
Me: "Oh really? Thanks! Can I book tomorrow night at the same rate as tonight?"
Front Desk: "No, sorry, tomorrow night's rate is twice as the rate you have from Expedia."
Me: "Ok, I guess I'll book at Expedia for tomorrow night as well, since they have the same rate that's half of what you're offering me."
It's absurd - the flexibility to even match Expedia's rates is a slog and they act like you're asking for the world when they readily accept Expedia giving even less. Really don't understand why hotels don't bake in the flexibility to actually compete with the OTAs.
Contract from OTA (at least did when I worked) does not allow the chain/brand to undercut the OTA, in exchange for traffic. Given its mostly a duopoly (Expedia/Priceline), I guess they feel they have to give in or get cut out of business.
Reminds me of my travels in Iceland.. arrive around 10PM (it was still daylight in summer), ask if they have a room with a discount; they'd rather have a guest paying less rather than an empty room. At one place the guy configuring the room for me told his colleague he's giving me the room with the OTA rate, i.e. what they would've earned if I had booked with an OTA..
A slightly related super annoying thing that's beginning to happen more and more often, is that after the booking is confirmed, the 'host' will send a link to a third party service that asks you to upload your passport/ID and enter other personal information, for them to perform a pre-screening of you, whether you're a pedophile, a well-behaving person in general, all under the pretence of making your stay easier and more comfortable for you.
After making a lot of fuss, they'll eventually waive the no free cancellation policy, but then I still have to go over the whole process of finding another place to stay.
34 comments
[ 0.20 ms ] story [ 71.5 ms ] threadHow come their (optional) 2FA only offers SMS, which is known to be insecure, even though FIDO2/WebAuthn/TOTP has been a thing for years?
The problem is, as always, users. When the EU recently adopted PSD2, banks were forced to implement 2FA for online banking... and there was a ton of backlash. Anything more complex than "enter one-time code from SMS/e-mail" will lead to a lot of customer support issues.
With SMS based 2FA, you as a service provider only have to deal with people who lost/damaged their phones and need access while they get their new phone set up or with 2FA token messages being stuck in spam filters. With anything else, you as a service provider will have a lot more scenarios to cover in support: people unable to set up TOTP apps, people travelling who need access but forgot their Yubikey, an employee took their yubikey home to work from there and fell sick but now no one can log in any more from the office (because the yubikey is with the sick employee), the yubikey got damaged, the computer is in service so no webauthn possible, the users originally had an iPhone compatible Yubikey but now have an Android device or vice versa and now need new keys... and you will have scammers acting like one of the aforementioned scenarios has just happened. Oh, and at least TOTP usually has some sort of backup codes, but people regularly lose the files or, in very random edge cases, a regular TOTP code is the same as a recovery code so the system strikes the recovery code as having been used and people get confused as a result...
The easiest of the bunch is TOTP because the setup code can be backed up, but not all employees want to add corporate credentials on a personal phone, and because it's completely stateless (similar to classic JWT bearer tokens) it's impossible to keep track of the 2FA credentials and who has them, meaning a ton of work when employees depart.
Hell even the really large players don't get 2FA right. The best example is Amazon AWS: as a root account you should have 2FA enabled. But if you want a yubikey, you can only add one, with no fallback for a TOTP device - lose your yubikey and you're at the mercy of AWS support.
Identity and access management is insanely hard.
That, however, doesn't mean booking.com isn't a shitshow in itself. I have an account with them that should have everything saved - my name, address, credit card information and the name of my s/o - and yet, for every booking I place I have to enter all the information from scratch. How they haven't managed to implement that in years is inexcusable.
Sounds like an issue with you or your account. I never have to enter my information and bookings go usually pretty smoothly if you ignore the dozens of dark patterns. I just tried and it takes about 7 taps from list until Pay button (my CC is saved) on my iPhone app. Technically I didn’t even have to scroll.
> as a root account you should have 2FA enabled. But if you want a yubikey, you can only add one, with no fallback for a TOTP device - lose your yubikey and you're at the mercy of AWS support.
As a fallback for my spare Yubikeys, I have created a couple of dummy, web-only IAM users with root privileges.
Still an embarrassing UX failure on AWS’s side though.
Last I checked (and by that I mean found out the hard way) there are still places across AWS that you can lock everyone but root out of. Particularly it seems around a few of the places where you're configuring policies on specific resources rather than through IAM.
We ended up setting a policy on an S3 bucket that locked everyone out. The root account _always_ has permissions to edit/remove that policy, but the policy itself prevented the admin accounts from removing it.
You’re correct, those have the AdministratorAccess policy, not root. It’s been a while since I set those up.
For practical purposes, wouldn’t AdministratorAccess be sufficient to recover from a lost (root user’s) YubiKey?
Same as most other small and medium businesses that don’t specialize in tech.
I think this is even a stretch. They likely don't know the difference between SMS and whatsapp/iMessage, it's all just a "message" or a "text".
That way Booking.com would be able to see the contents of any messages and shut down spammers more easily. They could do the same with a phone / SMS relay as well.
To put that into perspective, has Amazon managed to reliably detect and shut down compromised Marketplace shops yet?
Having worked at an OTA (before Expedia got us) I refuse to book at anything other than a legit hotel system. OTA's are fine for price discovery but you often get a better deal (and better service) from the hotel/brand directly. The front desk knows you booked via an OTA instead of the hotel directly.
One time I had a not so nice experience with a hotel. They promised a partial refund, but also a threat that they'll re-charge my CC the full amount if I wrote a bad review. No such refund came, I wrote a bad review, then they talked to me and did actually refund me. But how could they re-charge my CC without the CC info? I smell a violation of PCI DSS there.
That used to be more true in the past, but recently OTA's are beginning to offer better rewards programs, as well as making your trip more 'interconnected' (having one place to get flight, hotel, cars, events, activities, etc.), so now I'd say "it depends". Lately though, the bigger hotel chains themselves are also starting to introduce their own rewards, so we'll see what happens
The UI of hotels website is also often terrible and I absolutely do not trust them with my credit card info (nor do I wish to send them a SEPA deposit which I have seen at more than one place).
For flights on the other hand I take the airline website any day.
Sometimes identifying “the airline” isn’t straightforward.
Found a great routing+price: Toronto-Philadelphia-Paris on an OTA, all on AA metal.
But the fare wasn’t available on AA.com, you had to find it on Iberian’s website which booked some of the legs through a Finnair codeshare.
So had to book on booking.com and other multinational sites.
I know anecdotes aren't data, but I've had the opposite experience.
Front Desk: "Hey, I see you booked with Expedia. You know if you booked directly with us, you'd get a better rate!"
Me: "Oh really? Thanks! Can I book tomorrow night at the same rate as tonight?"
Front Desk: "No, sorry, tomorrow night's rate is twice as the rate you have from Expedia."
Me: "Ok, I guess I'll book at Expedia for tomorrow night as well, since they have the same rate that's half of what you're offering me."
I've had this happen so many times!
When asked directly, they just tell me to book on Booking.com.
For Russian speakers there is a joke in there.
After making a lot of fuss, they'll eventually waive the no free cancellation policy, but then I still have to go over the whole process of finding another place to stay.