The World Travel Agents Associations Alliance (WTAAA) has issued a global warning over a fraud scheme exploiting IATA accreditation numbers to obtain airline NDC access, urging travel agencies to monitor NDC registrations and ticketing activity closely.
Confirmed incidents reported across markets include regions in North and South America, and attempted activities noted elsewhere.
In one fraud case, more than US$$350,000 in fraudulent ticket issuance was recorded. However, there is currently no concrete evidence of a breach of any GDS system – suggesting the vulnerability could relate to onboarding and verification processes that rely primarily on IATA number validation alone.
“The agencies affected in these cases did nothing wrong; their credentials were used without their knowledge,” said Otto de Vries, executive director of WTAAA.
“This is a timely reminder that as our industry embraces new distribution technology, our security practices need to keep pace.”
Fraudster modus operandi
In these scams, fraudsters used spoofed or look-alike email domains designed to closely resemble those of legitimate travel agencies, to request NDC onboarding or airline agent portal access.
Armed with their new fraudulent identity and a valid IATA accreditation number, fraudsters have in some cases been granted ticketing authority without the knowledge or consent of the agency whose credentials were used.
With access granted, tickets can then be issued at volume using stolen credit cards.
Just like in personal scams, legitimate agencies typically only find out about the fraud when chargeback notifications arrive, by which point significant financial damage has already occurred.
Agencies should also note that IATA number validation alone is not a sufficient safeguard.
Vries has urged the global travel community to follow a list of precautionary steps, and for “airline and technology partners to strengthen their verification processes at the point of NDC onboarding”.
Travel agencies are advised to:
Review active NDC registrations. Check all airline portal connections and NDC agreements currently associated with your agency. If anything is unfamiliar, investigate and report it without delay.
Monitor BSP and ARC activity regularly. Do not wait for the billing cycle. Check for unfamiliar ticket issuance, particularly on carriers or through distribution channels you do not typically use.
Be alert to domain spoofing. Monitor for email domains that closely resemble your own and alert partners if you identify fraudulent use of your agency name or contact details.
Report suspicious activity promptly. Notify the relevant airline and GDS security teams, report to IATA, and inform your national travel agency association so that broader awareness can be maintained.
WTAAA is coordinating with member associations across multiple regions and will continue to share information as the situation develops.
Member associations that have identified similar activity in their markets are encouraged to contact WTAAA directly so that a clearer picture of the global scope of this issue can be established.