Confirmed incidents have been reported across multiple
markets, including regions in North and South America, with attempted activity
noted elsewhere. WTAAA stated that the advisory is intended to ensure agencies
worldwide are aware of the threat and take precautionary steps.
According to WTAAA, fraudsters have used spoofed or look-alike email domains
resembling legitimate travel agencies to request NDC onboarding or airline
agent portal access. By presenting a valid IATA accreditation number alongside
a fraudulent identity, ticketing authority has in some cases been granted
without the knowledge or consent of the affected agency.
Once access was established, tickets were issued in volume using stolen credit cards. Agencies typically became aware of the fraud only after chargeback notifications were received. In one confirmed case, more than USD 350,000 equivalent in fraudulent ticket issuance was recorded.
WTAAA indicated that there is currently no evidence of
a breach of any GDS system. The vulnerability appears to relate to onboarding
and verification processes that rely primarily on IATA number validation.
“This is a timely
reminder that as our industry embraces new distribution technology, our
security practices need to keep pace. The agencies affected in these cases did
nothing wrong; their credentials were used without their knowledge. We are
urging all agencies to take a few straightforward steps to protect themselves,
and we are calling on airline and technology partners to strengthen their
verification processes at the point of NDC onboarding.” said Otto de Vries, Executive
Director of WTAAA.
WTAAA has called on travel agencies to review active
NDC registrations, check all airline portal connections and NDC agreements
associated with their agency, and investigate unfamiliar activity. Agencies are
also advised to monitor BSP and ARC activity regularly, rather than waiting for
billing cycles, and to check for unfamiliar ticket issuance.
The organisation further urged agencies to remain
alert to domain spoofing, monitor for email domains resembling their own and
notify partners if fraudulent use of agency names or contact details is
identified. Suspicious activity should be reported promptly to relevant
airlines, GDS security teams, IATA and national travel agency associations.
WTAAA confirmed that it is coordinating with member
associations across multiple regions and will continue to share updates as the
situation develops. The organisation has called on airline and distribution
partners to review NDC onboarding and verification processes, noting that IATA
number validation alone is not sufficient.
“WTAAA exists to give travel agents a unified global voice, and that is exactly
what we intend to use here. We will be working with our partners across the
industry to ensure that the right safeguards are put in place, not just for the
agencies affected today, but for every agency operating in an increasingly
digital distribution environment,” de Vries added.
Member associations that have identified similar
activity are encouraged to contact WTAAA to assist in establishing the global
scope of the issue
Tags: Otto de Vries, WTAAA