Fraud, Identity Theft & the Dark Side of the Sharing Economy
Fraud, Identity Theft & the Dark Side of the Sharing Economy
or
How I invited a thief into my home with an app
Guest post by Johnathan Crawford
We put a lot of trust into the services & apps we use. When you think about it, we let strangers into our homes all the time using services like Handy (cleaning), Zeel (massage therapy), Taskrabbit (handyman tasks) and Urbansitter (babysitting) — sometimes even when we’re not home. There’s an implied social contract with these services that encourages you to treat the people coming into your home like someone you already know and trust. We assume these services have done the work of vetting the people that they send into your home. We trust that we’ll be kept safe — especially with the reputation of the company on the line. I’ve personally had dozens of these interactions and experiences in my home with no issues whatsoever. That’s why it was so surprising that I experienced a major identity theft & fraud incident the very first time I rented out my apartment using a home-sharing service.
At the end of 2016, I was traveling for the entire month of December. I currently rent a 2-bedroom apartment in San Francisco, and I feel an extreme sense of guilt when I’m traveling about that expensive apartment sitting empty. So I decided that I would l try listing my home on a new home-sharing service. This service is similar to Airbnb with a few differences. The purpose of this article is not to trash the startup, so we’ll just call it “Book-a-Spot”.
While visiting family in Oklahoma City for Christmas, I received a request to book my apartment for two nights. Since I was already out of town, I had to ask my very generous neighbor to pop over to my apartment for a few minutes to prepare the place. I messaged back & forth with the renter from inside the Book-a-Spot app’s chat feature instructing him on where to find the key and to disable my security camera to protect his privacy. An hour later, he confirmed he was successfully checked in. At this point, my only concern was that I’d be landing in San Francisco late at night on the day he checks out and would have to stay up later washing sheets before I could go to sleep after a long flight. I had complete confidence in the renter and the Book-a-Spot experience.
Fast forward 24 hours. While playing with my daughter, I noticed a voicemail on my phone. Briefly scanning iOS’s voicemail transcription, it was a message from Apple asking me about a purchase on my account. I just assumed there was some billing issue for some App Store purchase or something and that they’d call back if they really needed to talk to me.
Another day passes. I woke up to three notifications on my phone — one was an automated message from Book-a-Spot indicating that the renter had checked out of my apartment (at 6am PST — early!) and two from Chase asking me to confirm some suspicious purchases. In fact, no, I hadn’t attempted to spend over $3,800 on BevMo.com or nearly $2,000 at a Best Buy in San Mateo. I wasn’t even in the state of California. Shortly after, I got similar notifications from American Express and Discover. Someone was using my cards in-person all over the Bay Area at places ranging from Target and Home Depot to Jack-in-the-Box. Then it clicked. Holy shit! The person who rented my apartment had gone through all my things and found some old emergency or work credit cards that I’d forgotten about and had gone on a little shopping spree! And since I wasn’t actually in San Francisco to check on my apartment, I assumed the worst — I’ve probably been robbed blind by this asshole.
I immediately spend all morning on the phone with all the credit card companies to let them know all of the transactions are fraudulent and to cancel my cards. I also reach out to Book-a-Spot to let them know the situation. Shortly after, one of the founders sent me a text message and told me to call him. We spoke on the phone for several minutes. He honestly was just as shocked as I was since this had apparently never happened to any of their listings before. (They’re a new service.) To be honest, at this point I wasn’t even 100% sure that it was definitely the renter who had done all of this. Maybe it was just a coincidence or bad timing? So I nervously awaited my boarding time and flew back to San Francisco to assess the potential damage awaiting me in my apartment.
A few seconds of Nest camera footage of the Book-a-Spot thief.
I texted the founder of Book-a-Spot that I was now 100% confident that their customer had stolen my credit cards and committed fraud. They began to examine the individual’s account information. Here’s where it gets interesting. When signing up for Book-a-Spot, renters are required to confirm their identify through a few methods — you must send a photo of your ID, confirm your telephone number, and add a valid credit card number. For bonus points, you can link your Facebook account. It would appear that the individual easily got around all of this. Upon close inspection, the photo on his profile didn’t appear to match the person in the photo on his ID. He was wearing sunglasses in one of the photos. And his Facebook account had been newly created. In fact, I’m guessing that the ID he used was from an individual he had previously scammed.
At this point, I knew I needed to file a police report to be on the safe side, but I waited a few days to see if any other issues popped up. They did. A week later, $1,700 was withdrawn from my checking account from Chase Bank’s gift card services. Did you know that, if you have a person’s bank account # and routing number, you can withdraw money from their bank account? Yep. In fact, that’s how checks work. So he found a voided check and used the numbers on it to purchase Chase Bank visa gift cards online.
I let Book-a-Spot know that the situation was continuing. They were surprised and honestly didn’t know how to handle it, so they did nothing. Already exhausted from updating my debit and credit card numbers on every single service, browser and device I use, I contact my bank to dispute the charge. They tell me they’ll need to start a dispute process that can take several weeks and that I’ll need to get a copy of the police report, fill out an affidavit, get it notarized and mail it into the bank in order to initiate the process. Good grief! So I spend an entire afternoon waiting at the police station in order to fill out a police report that ended up taking 5 minutes. Then I have to wait a week before I can request a copy of the report. They failed to tell me it had to be done only at the downtown location or by mail. I mail it in. Apparently I left the suite # off, so it was returned to me. OMG! Then a week later, I finally get the report in the mail. In summary, it took a helluva a lot of work to get that $1,700 back. I felt like I should send someone an invoice.
Eventually the bank returned the money to my account. I’m not sure whether Chase or Ally Bank (my bank) ate the loss. But I do know the police weren’t the least bit interested in this. In total, the crook attempted to make at least $15,000 in purchases and withdrawals. It doesn’t even make the police blink until someone steals upwards of $200k. So honestly, if you’re looking for a new criminal endeavor, stealing credit cards seems like something people can get away with pretty easily.
Book-a-Spot never did anything to make the situation right and didn’t pursue the individual (to my knowledge). They did refund the card the individual had used to book my apartment because they assumed that card could be stolen as well. In total, I probably spent about 20 hours dealing with this incident. It took forever. I won’t be using Book-a-Spot again. If you run a peer-to-peer service, don’t do this to your customers.
The mistakes Book-a-Spot made were obvious in hindsight. They didn’t think like a criminal when designing their identity verification system. Presumably, they were also thinking like all early companies who want to grow and tried to keep the friction as low as possible. This is a losing strategy when identity, security and trust are concerned. Friction is a good thing when you’re trying to weed out the shady characters. They also didn’t do any host education about protecting yourself and your personal property. I went into the experience with the naive trust of someone who had hosted other strangers in his home for other purposes and didn’t even consider that I might become victimized by the experience.
Who is at fault here? Should I have been more careful? Should Book-a-Spot have been more diligent in their vetting process? Or does shit just happen? It doesn’t really matter. The ultimate loser here is Book-a-Spot because I’ll never use the service again (either as a host or a guest). All it takes is one story like this to begin to destroy your reputation. If you’re building a peer-to-peer service, put Trust, Security, and Identity at the very top of your priority list.
Onboarding friction is a good thing because it eliminates the bad actors.
Easy Fixes
- Don’t prioritize Growth over Trust & Safety. It’s tempting to avoid onboarding friction in the name of Growth, but this is a mistake. Onboarding friction is a good thing because it eliminates the bad actors. This includes people who are half-assing their participation and those people who don’t intend to play by the rules. Ultimately you’re building something you want to last, so put strong Trust & Safetey policies in place early in order to ensure the first users of your product have an epic experience.
- Communicate the risk. Book-a-Spot didn’t make it clear to me that the user was brand new. Let your users decide if the risk is worth it by providing very noticeable cautionary information about the customer. This will make the user aware about the risk and more likely to take the necessary steps to protect themselves or decline the offer.
- Use intelligent social qualifiers to validate identity. Book-a-Spot simply required a Facebook account and a picture of an ID. To my knowledge, they didn’t check the number of Facebook friends connected to the account or the Facebook account creation date. For starters, I would suggest a minimum of 50 Facebook friends and an account that is over 6 months old.
- Have a crisis plan. Instead of waiting for a crisis, outline a policy for handling bad actors in the network before it happens. Look, shit happens. But if your team responds rapidly and impresses the injured party with the care and efficiency of the response, you can actually gain a loyal community member. Book-a-Spot hoped this problem would go away and insisted “nothing like this has happened before”. But they had the opportunity to blow me away with their response, send someone to clean my house a few times (or something similar) and genuinely demonstrate their care for someone who took a risk on their service. Instead of hiding out from crisis, take extra care to restore trust, own the issue as a company and execute the pre-determined crisis plan. For bonus points, communicate your company’s crisis plan up front. Airbnb offers hosts a $1,000,000 Host Guarantee that covers damage and theft. This all but eliminates risk hosts would feel inviting strangers into their house.
Update: As I understand it, the company has since built some new trust tools to better vet their hosts and guests. In fact, I think they’ve entirely pivoted away from anonymous bookings to just your personal network. Unfortunately, some lessons have to be learned the hard way.