On Tuesday, August 27 I logged into my online bank account to transfer some money, and saw an odd entry. It was so fresh, it hadn’t cleared my checking account yet, leading me to believe that the charge had just been made in the previous hour or two. The entry was a pre-authorized debit to AirBnB for $787.20. The entry included a confirmation code.
I knew I hadn’t made a reservation on AirBnB, so I contacted my bank to inform them of the fraudulent charge. My hope was, that if I notified them right away, they could decline the charge. As I said, the charge had been pre-authorized, but it hadn’t been funded yet.
I admit, I don’t know what rules the bank has to follow once a charge has been pre-authorized, but I still don’t understand why they couldn’t have declined payment once they were aware that the charge was fraudulent. In any case, they didn’t decline the charge.
Next, I contacted AirBnB. The representative referred my issue to the AirBnB Trust and Safety Department. This is where things began to fall apart. Someone named Julia from the Trust and Safety Department sent me an email telling me that I should work with my bank to do a chargeback. The email went on to explain that, due to privacy concerns, AirBnB could not provide me with any information about who made the reservation (with my debit card) or what they reserved.
That kind of irritated me. My card was used fraudulently, but AirBnB was more concerned with protecting the privacy of the scum bag who stole my debit card info than with helping me. That just didn’t seem right.
Even so, I did as I was instructed and contacted my bank so they could do a charge back. I sent the person I was dealing with at the bank a copy of the email from AirBnB, and assumed the charge back process would be quick and easy. Boy, was I wrong.
The bank contacted me two days later to let me know that AirBnB wouldn’t deal with them. Initially, AirBnB told the bank that they weren’t entitled to a charge back because they weren’t an AirBnB member. {See Update #3 below. I initially misunderstood the explanation that the bank shared with me. Update #3 contains a detailed explanation.} The bank tried again to explain the process, but their email was blocked. The woman I was working with at the bank asked if I could contact AirBnB to let them know that my bank was trying to do a charge back for me.
I did as I was asked, and the process started all over again. This time, Conn from the AirBnB Trust and Safety Department sent me an email telling me to work with my bank to do a chargeback, and telling me that I had no right to know anything about the reservation that was made with my card.
I immediately sent another email asking Conn to please read my entire email and reach out to my bank to handle the charge back. Instead of doing that, Conn sent me another email telling me to contact my bank. He went on to say that if I had any questions, I should ask my bank. In other words, we’ve done all we’re going to do. Don’t bother us again.
Despite his effort to get rid of me, I reached out again (via email) to Conn and repeated my concerns. Conn gave up, but his partner, Joaquin, added insult to injury by sending me yet another form email just like the first two. I sent a strongly worded (READ: Angry) response to Joaquin letting him know that their charge back process had broken down and asking him to please reach out to my bank.
Joaquin couldn’t be bothered to reply to me, nor did he reach out to my bank, as requested.
A few days went by without any further contact from AirBnB, so I called them again. I spoke to Trish and explained everything that had happened to date. She had all of the information, including all of my emails asking AirBnB to return my $787.20 via chargeback to the bank. Trish seemed concerned about how things had been handled to that point and agreed not to send my case back to the Trust and Safety Department. At my request, Trish agreed to escalate my situation to someone in management at AirBnB. She advised that she would have Marion call me back “within the day.” She said she wasn’t sure when Marion would call, but she encouraged me to make myself available throughout the day. I agreed.
To my surprise (Although, at this point, I probably shouldn’t have been surprised), instead of a phone call from Marion, I received a slightly edited form email from Alfonse in the AirBnB Trust and Safety Department. The letter starts out like this:
“We’ve received your email and understand your concerns with the unauthorized and/or unrecognized charges you’ve reported. Unfortunately, it appears this charge has already been investigated and further reports of the same charge will not result in a different outcome.”
Really, AirBnB? Do you understand my concerns? If you do, you’ve never responded to them. I’ve told you several times that my bank has attempted to do a chargeback, but you wouldn’t deal with them. As things stand, a month after I notified you of this situation, you still have nearly $800 of mine that you received fraudulently, and you refuse to return it. You won’t even respond to my emails. And by respond, I mean engage with me. Read my emails and do what is necessary to remedy this situation.
AirBnB, I’d really like my money back. You received it through an act of fraud. You didn’t earn it. Please return it. At least six of your employees are aware of the situation, but none of them has lifted a finger to help me.
Please read my emails, reach out to my bank, and return my money. I really don’t think it’s too much to ask.
Update #1 — About 30 minutes after I posted a link to this post on Twitter, @AirBnBHelp reached out to me and offered to help. We corresponded a couple of times over the weekend, but ultimately, their response was no different than what I’ve been told all along. Here’s what they said:
“Thank you for that information Lou, we have reviewed your account and can see that our Trust team followed up with you on September 25th via email with information regarding your case. We encourage you to review that email for the complete details.”
The email that AirBnB refers to is the same email I quoted above where AirBnB told me to contact my bank and leave them alone. Talk about adding insult to injury.
Update #2 — Yesterday, I posted Update #1, and tweeted out the update on Twitter. A few hours later, I received the following note from AirBnB Help:
“We’re really sorry for the frustration, Lou. We’ve asked our specialized team to follow up with you as soon as possible. Thank you for your continued patience.”
That sounded promising, but rather than hearing from a specialized team, I heard from Marco in the Trust and Safety Department. And what did Marco say? He sent me the exact same form email I’ve received four times before telling me to contact my bank. I’ve made it clear to everyone I’ve communicated with that I’ve contacted my bank, but AirBnB refuses to engage with them. In fact, I have some additional information about AirBnB’s response to the bank that I’ll be posting a little later. The saga continues…
Update #3 – This update gets a little technical, but I think it will help explain why AirBnB is refusing to deal with my bank.
When my bank contacted AirBnB and requested a chargeback (as requested over and over again by AirBnB in emails to me), my bank received a memo indicating that the bank did not have dispute rights for the charge. The memo stated:
“According to the network dispute resolution rules, there are no dispute rights for this transaction. This is due to the merchant participating in the ‘3D Secure’ program, and the transaction obtaining an authorization message.”
Let’s break this down a little. The merchant referred to in this paragraph is AirBnB. They subscribe to “3D Secure,” which, according to Wikipedia, is:
“…an XML-based protocol designed to be an additional security layer for online credit and debit card transactions. It was originally developed by Arcot Systems (now CA Technologies) and first deployed by Visa with the intention of improving the security of internet payments, and is offered to customers under the Verified by Visa/Visa Secure brands…EMV 3-D Three Domain Secure (3DS) is a messaging protocol developed by EMVCo to enable consumers to authenticate themselves with their card issuer when making card not present (CNP) transactions. The additional security layer helps prevent unauthorized CNP transactions and protects the merchant from CNP exposure to fraud. The three domains Secure consist of the merchant/acquirer domain, issuer domain, and the interoperability domain (e.g. Payment Systems).”
Okay, that’s long and boring, but in a nutshell, 3D Secure is a security system designed to be used when the credit or debit card is not present, as with internet purchases. According to my bank, the way 3D Secure works in practice is the purchaser enters their card number, and then a box pops-up asking the purchaser to provide an authorization code that the merchant provides via text.
In order for this particular purchase with AirBnB to have been approved (assuming it was), AirBnB would have had to send an authorization code to the purchaser. Since it was my debit card that was used, I assume I’m considered the purchaser, but I never received a text containing an authorization code. Somehow, assuming AirBnB used 3D Secure properly and required an authorization code (I have no way of knowing if the transaction was handled properly since I wasn’t involved), they would have had to send an authorization code to a cell phone other than mine.
There are a couple of things to consider. First, assuming you didn’t nod off while reading the Wikipedia explanation of 3D Secure, you probably noticed that it said 3D Secure adds an additional layer of security that “helps prevent unauthorized CNP transactions and protects the merchant from CNP exposure to fraud.” In other words, 3D Secure primarily protects the merchant, not the consumer.
In this same vein, the Wikipedia article goes on to say:
“Analysis of the first version of protocol by academia has shown it to have many security issues that effect the consumer, including a greater surface area for phishing and a shift of liability in the case of fraudulent payments.”
So, here’s the bottom line: AirBnB subscribes to a cyber-security system that has been shown to be flawed, and was obviously flawed in this case. Even so, they are standing behind the 3D Secure rules that state that they don’t have to return payments to consumers, even if those payments were received through fraudulent means. Seems pretty sweet for AirBnB, but it really sucks for the consumer.
As I think this through, there are only two ways that AirBnB could have charged by card without my permission. The first is that they didn’t follow the 3D Secure protocols and did not require an authorization code before charging my card. If this happened, AirBnB is obviously negligent in their actions and should not be able to hide behind the 3D Secure rules.
The second way is if the person who stole my debit card info created an AirBnB member profile, and connected their own cell phone number and my card number to their profile. Then, when AirBnB sent the authorization code, the scammer entered it and the transaction was complete. But can it really be this easy to scam AirBnB? If this is all it takes, the 3D Secure protocol is useless. If anyone can set up an AirBnB profile and can attach a stolen debit card to it without AirBnB requiring verification, the 3D Secure protocols are meaningless and serve to protect no one other than the merchant.
Certainly, AirBnB understands this. Their system is easily usurped, yet they continue to rely on it to the detriment of their customers. This is obviously wrong and shouldn’t be allowed.
So, what’s next? I don’t know. Various people have suggested I sue in small claims court. I really don’t want to deal with that headache, but I hate seeing someone in power (AirBnB) take advantage of someone who has no power (me). So, it’s a possibility. I’ll keep you posted.
Update #4 — I hate how this is all playing out with AirBnB. I used to like the company and thought they had a terrific, useful product. I enjoyed my experience with them, and had planned on using them again. Unfortunately, the way they have handled my situation leads me to believe they are an untrustworthy company that deals with customer issues in bad faith. I’m not the only one who feels this way. Check out this article on Vice.com by Allie Conti about her experience with AirBnB. Our issues are different, but AirBnB’s response to our issues is very similar.
I’ve had £303 stolen, very similar circumstance exactly one year later. August 2020. did you get your money back? I am still making so many calls!!!
Exact same situation. Same robo emails. $799.45 Airbnb has their money. It is gone from my account. I don’t know what to do. They will not help me.
Hi Lou, I happened to read your article while doing some research,so sorry if I’m really late.
So, when you make a payment through 3D secure, the merchant will ask your bank for the money. Then it’s up to the bank to send the authorisation code fot second factor authentication to the legit cardholder.
Assuming that your phone number was correct at your bank, the only way I can think someone would get your authorisation code is by cloning or swapping your SIM card, again assuming that they also had your card details. This is actually easier than you think.
So technically, because the transaction was authorised, they don’t have to return the money and the liability falls on you unfortunately.
Did you ever get your money back?
Why not sue them in small claims court? They will be FORCED to show up in court with all the information about the reservation that was made using your credit card.