2-factor authentication is an extra layer of security used to further protect your account by making sure that the person trying to gain access to your account is actually you. First, you enter your username and password. Then, instead of immediately gaining access, you are required to provide another piece of information. This additional credential check can come in a variety of ways.
As a Booking.com partner, it comes in the form of a PIN (personal identification number) which is sent to your authenticated device. A good example of this is how bank cards typically work - The card alone is not sufficient to gain access to your funds despite it being in your possession - a PIN code is required as well.
How can my account still be compromised?
Authentication works in several ways - First, your username is an indicator that you have an account on Booking.com. Once this is checked, your password is then checked to match the username you have provided. Does it match? All good!
This is where 2FA comes in - You are sent an additional PIN code to your already authenticated device as an additional security layer since you hold very sensitive data (guest personal & payment details) in the Extranet.
2-factor authentication is as secure as you allow it to be - If you share your username & password, along with your 2FA PIN, this means anyone you provided this to will have access to your property, as well as guest details.
I think my account has been maliciously accessed. What can I do now?
If you believe that you may have inadvertently provided your login details & 2FA PIN to an unauthorised 3rd party, it is crucial that you notify Booking.com immediately - your contract with Booking.com requires you to notify an actual or suspected account take-over within 24 hours.
Good to remember:
Booking.com will never ask you for your username, password, or 2-factor authentication (2FA) pin code for any reason.
If anybody - whether they claim to work for Booking.com or at the property, is asking for your username, password, or 2FA PIN - please hang up and contact us via https://partner.booking.com/help/legal-security/report-security-issue.
Share this information with your staff and encourage them to take the same precautions - fraudsters prefer to call at night when support staff is minimal.
If you’re unsure, always contact us via the below link before taking any action:
If you receive messages or phone calls asking you to make changes within your account (i.e. changing contact details, adding email addresses, confirming personal information, etc), always verify the request is coming from a legitimate source. If it supposedly came from Booking.com, call us to verify with customer service. If the caller claims to be an employee of your property, call the colleague and verify the request.
I think my account has been taken over. What can I do now?
Follow these steps to secure your account:
Reset your Booking.com account password. You can do so by typing admin.booking.com into your browser, then clicking on ‘Forgot your password?’
Check all the information within your Extranet to see if anything was changed (contacts, rates, availability, content, etc.).
Report it! As you have information which is considered personal (and therefore sensitive), we ask that you contact Booking.com immediately to let us know that your account may have been compromised. In order to help you and your guests as quickly as possible, your contract with Booking.com requires you to notify an actual or suspected account take-over within 24 hours. You can do this by contacting our security team https://partner.booking.com/help/legal-security/report-security-issue.
Don’t forget to include any and all information that might be useful, such as who the caller or sender identified themselves as (original email with headers if via email) and what was discussed.