To think Booking.com should have better security than this?

[EnjoythemoneyJane]

I know I’m not BU, but posting here for traffic to maximise the chances of people seeing this.

We’ve just been phished through Booking.com - not through a random email or text, but inside the actual app itself.

In a correspondence thread DH had established with our hotel via the Booking.com app, he received a new message asking him to click a link from the hotel to reconfirm his CC details. Appeared perfectly legit so he complied.

Turns out it wasn’t the hotel at all, who suddenly joined the thread apologising and saying they hoped we hadn’t clicked on the link as they’re having problems with their guests being phished through Booking.com.

He’s just had to cancel our CC (which is a colossal fucking PITA as we’re about to go away and have booked everything on that card) and then spent an hour trying to get some assistance and reassurance from Booking.com, who have been worse than useless.

Given the nature of the information disclosed inside this app - names, addresses, CC numbers, phone numbers, potentially even passport details - we naturally assumed that their security would be bulletproof and their response to breaches would be slightly less vague and unhelpful.

If you’ve sorted your holiday through them, be very careful indeed.

Fuck. Thanks for the heads up.

The more I hear about Booking.com the more I vow never to use them. Thank you for the warning. What a hassle and headache for your family, sounds dreadful.

They are an awful company and I’ll never use them ever again.

Oh no. We’ve booked loads and have loads over the next few months. Thanks for the warning.

It just seems impossible to book some things directly with various hotels or sites, it’s almost by default going to B.com.

Just be really careful not to click on links until you’ve established they’re definitely coming from your bookings.

We’ve used them in the past and had no issues, but I have to say I was pretty shocked at how clueless they were with something as serious as this - it’s clearly an ongoing problem but they don’t seem to have any idea how to deal with it, or even any coordinated response for people and businesses who’ve been affected. Never again.

I got 2 emails these past couple of days from a hotel I’ll be staying in in a couple of days. With “click on here to personalise your stay with extra requests” etc. I haven’t clicked as I have modest tastes and I couldn’t think of anything more I needed, but good to have the warning to always double check. (I think the hotel is just that kind of super friendly and nothing dodgy going on, it’s just the first time I’ve been emailed about this.)

Wow, we've booked an entire holiday through them, starting next week. I'll be careful about clicking on any links.

Posted late last night but bumping in case it prevents this happening to someone else. We’re having an absolute nightmare today, btw.

It sounds like the hotel itself was probably hacked - so it's booking.com login was compromised and it sent a message asking for details with a link to click on?

Does that sound like what could have happened?

Always be careful with links asking for credit card details.

Yes, it did occur to me that it might be at the hotel’s end rather than across the site in general. However the fact that the phishing message is sitting inside the Booking.com app is the main thing I was trying to draw attention to as its the first time I’ve come across this.

We definitely should have been more cautious, but when a message comes up as part of a pre-existing conversation within an app you believe to be secure (and where you’ve already uploaded credit card details multiple times) you’re much less likely to question it.

There are ways of increasing login security such as MFA.
I guess there might be ways of screening messages that are sent between clients and the hotels for dodgy links.

Message is always - be careful what you click on and especially when you enter card details.

Booking.com are currently having issues with dodgy bookings being sent to hotels that are made using stolen/fraudulent credit cards. They have no authorisation check in their booking system, and the hotels have to make the booking when it comes through to them even if it appears possibly dodgy as some might be genuine.

It is a nightmare for hotels as well as the poor people who have their card details used. If you Google booking.com and fraud you can see what a huge problem it is for all involved, except the scammers who seem to do it again and again.

It’s a huge mess. How insane is it that they take credit card details from tens of thousands of people with no secondary authorisation?!

Part of the reason we trusted the phishing link in the first place is that Booking.com automatically generates an official wrapper message to nudge you to respond when you’re contacted by your hotel, so the link gave every appearance of having been endorsed by the site.

We now have a ton of stuff booked on a cancelled CC in a country where English is not widely spoken, which is going to be massively time consuming and stressful to sort out (if we even can).

I think this website and Amazon are the only ones where I have my card details as I use them so often. Otherwise I always add them every time I make a purchase. Time to re-think. The criminals are those who do the phishing but big companies like these should have watertight processes.

I hope you manage to sort things out, OP. What an absolute pain. You’ll need an extended holiday after all this hassle. Thanks for raising awareness.

Booking . Con are having problems with their IT systems.
I have our holiday cottage on their platform (amongst others) they are a nightmare to deal with. They charge owners a lot of commission (more than the other platforms) and it you have a problem are very difficult to get hold of.
Owners have now received this email- hanging on to money for even longer. Owners do not get paid until after the guests have left, unlike Air and others where the payout is 2 days after arrival.

This is unsettling me. I’ve just received a third email from a hotel I’m staying in for one single night this week (in the Uk), again asking if I need to add any services. I think I’ll ring them to confirm arrival and that I don’t need anything, just a bed!

Crap, also just booked a holiday, had trouble with cc payment, went through paypal linked to cc in the end yet it seems payment has come out of our current account not the credit card. Don't even know how.
I really hope this isn't fraudulent as its a lot of money.

I’m usually very careful with this sort of thing but if the notification came via the app I probably wouldn’t be so thank you OP

The scammers are more and more sophisticated. Friend of mine had bank hacked when she rang the number in a message that came through on an existing thread.
I've got a holiday coming up using booking com nothing so far so I'll keep a close eye on it and contact the property if there are any messages!

Put an explanation into Google translate and screen shot it