Agents are being warned of a new global fraud scheme which sees fraudsters using e-mail domains similar to legitimate travel agencies to request NDC onboarding or airline agent portal access.
The fraudsters then issue tickets at volume using stolen credit cards, with agencies not finding out about the situation until chargeback notifications arrive, at which point the financial damage is done.
The World Travel Agents Associations Alliance (WTAAA) says confirmed incidents have been reported across multiple markets globally, including in North and South America, with more than USD350,000 equivalent in fraudulent ticket issuance recorded in one case.
There is currently no evidence of a breach of any GDS system, the vulnerability appears to relate to verification processes that rely primarily on IATA number validation alone, with executive director of WTAAA Otto de Vries stressing that the agencies affected in these cases did nothing wrong.
. . . Advice
WTAAA recommends travel agencies review all active NDC registrations, monitor BSP and ARC activity regularly, and to be alert to domain spoofing by monitoring e-mail domains that closely resemble their own.
TAANZ ceo Julie White says it’s a good reminder to members to ensure they are monitoring their BSPs. It also pays to report any suspicious activity to the relevant airline and GDS security teams, as well as IATA and TAANZ.
. . . Airlines Too
De Vries says the association is also calling on airline and technology partners to strengthen their verification processes at the point of NDC onboarding, with IATA number validation alone not a sufficient safeguard. “We will be working with our partners across the industry to ensure that the right safeguards are put in place, not just for the agencies affected today, but for every agency operating in an increasingly digital distribution environment,” de Vries adds. See more on WTAAA HERE.
