The World Travel Agents Associations Alliance is alerting the global travel agency community to a sophisticated fraud scheme involving the unauthorized use of agency IATA accreditation numbers to obtain airline NDC access and issue fraudulent tickets. The world body (of which ACTA is a member) says travel agencies should review NDC registrations and closely monitor accreditation activity following confirmed incidents across multiple markets, including North America.
WTAAA says it is issuing the advisory to ensure that travel agencies worldwide are aware of the threat and are taking appropriate precautionary steps.
In the incidents reported, fraudsters have used spoofed or look-alike email domains designed to closely resemble those of legitimate travel agencies, to request NDC onboarding or airline agent portal access. By presenting a valid IATA accreditation number alongside a convincing but fraudulent identity, they have in some cases been granted ticketing authority without the knowledge or consent of the agency whose credentials were used.
Once access is established, tickets are issued at volume using stolen credit cards. The legitimate agency typically only becomes aware of the fraud when chargeback notifications arrive, by which point significant financial damage has already occurred. In one confirmed case, more than US$350,000 equivalent in fraudulent ticket issuance was recorded.
There is currently no evidence of a breach of any GDS system. The vulnerability appears to relate to onboarding and verification processes that rely primarily on IATA number validation alone.
Call to action
“This is a timely reminder that as our industry embraces new distribution technology, our security practices need to keep pace,” says Otto de Vries, Executive Director of WTAAA. “The agencies affected in these cases did nothing wrong; their credentials were used without their knowledge. We are urging all agencies to take a few straightforward steps to protect themselves, and we are calling on airline and technology partners to strengthen their verification processes at the point of NDC onboarding.”
WTAAA is asking all travel agencies to take the following precautionary steps immediately:
- Review active NDC registrations. Check all airline portal connections and NDC agreements currently associated with your agency. If anything is unfamiliar, investigate and report it without delay.
- Monitor BSP and ARC activity regularly. Do not wait for the billing cycle. Check for unfamiliar ticket issuance, particularly on carriers or through distribution channels you do not typically use.
- Be alert to domain spoofing. Monitor for email domains that closely resemble your own and alert partners if you identify fraudulent use of your agency name or contact details.
- Report suspicious activity promptly. Notify the relevant airline and GDS security teams, report to IATA, and inform your national travel agency association so that broader awareness can be maintained.
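
The look-alike domain check from the steps above, as an added example (not code from WTAAA or the article): it compares the domain of a sender address with the agency domain held on record and flags near matches. The domains, the confusable-character map and the distance thresholds are constructed assumptions.

```python
import unicodedata

# Constructed map of digit-for-letter swaps seen in look-alike spellings (assumption).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(label: str) -> str:
    """Collapse visually similar spellings of a domain label to one form."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))
    label = label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")
    return label.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender: str, registered: str) -> str:
    """Return 'match', 'lookalike' or 'unrelated' for a sender address or domain."""
    s = sender.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    r = registered.strip().lower().rstrip(".")
    if s == r or s.endswith("." + r):
        return "match"          # the registered domain or one of its subdomains
    # Simplification: everything before the last dot is treated as the label.
    sk_s = skeleton(s.rpartition(".")[0])
    sk_r = skeleton(r.rpartition(".")[0])
    limit = 1 if len(sk_r) < 8 else 2   # assumed thresholds; tune on real data
    if sk_s == sk_r or sk_r in sk_s or edit_distance(sk_s, sk_r) <= limit:
        return "lookalike"      # same or near-identical name on another domain
    return "unrelated"

if __name__ == "__main__":
    on_record = "summit-travel.example"   # constructed agency domain
    for addr in ["ndc@summit-travel.example", "ndc@surnmit-travel.example",
                 "ndc@summ1t-travel.example", "ndc@summit-travel.test",
                 "ndc@harbour-tours.example"]:
        print(f"{addr:32} {classify(addr, on_record)}")
```

Only "match" is consistent with the domain on record; "lookalike" and "unrelated" both mean the request has not been tied to the agency and needs confirmation through a contact channel already on file.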
Industry coordination
WTAAA says it is coordinating with member associations across multiple regions and will continue to share information as the situation develops.
It is further calling on airline and distribution partners to review their NDC onboarding and verification processes “as a matter of urgency; IATA number validation alone is not a sufficient safeguard, and stronger identity verification needs to be part of how access is granted going forward.”
“WTAAA exists to give travel agents a unified global voice, and that is exactly what we intend to use here. We will be working with our partners across the industry to ensure that the right safeguards are put in place, not just for the agencies affected today, but for every agency operating in an increasingly digital distribution environment,” de Vries added.