[dewey]

If people don't realize they are on a different domain, have to sign up for a new account, wire some random person money instead of going through the normal AirBnb process with their credit card on file I doubt they'd use 2FA if it's not forced for everyone.

[mcintyre1994]

They don't make you sign up for a new account. If they ask you to log in it's to harvest email/password, but they're faking it's your Airbnb login - they'll just accept whatever you give, say you're logged in and let you give payment, if they even bother to ask you to log in.