Where travel agents earn, learn and save!
No data found
News / ASTA sounds the alarm as agency’s email domain spoofed in fraud incident
This incident underscores a systemic risk for the travel industry
The American Society of Travel Advisors (ASTA) says it want to raise awareness of a significant fraud incident reported by ACTA here in Canada, involving the unauthorized use of a legitimate travel agency’s IATA accreditation number and attempted exploitation of airline NDC onboarding processes.
According to ASTA, a bad actor operating from Brazil and other international locations spoofed an agency’s email domain in order to impersonate a legitimate travel business.
Using the agency’s valid IATA accreditation number and GDS PCC – without authorization – the individual attempted to gain access to airline NDC connections. Fraudulent ticketing ultimately occurred through an airline’s NDC channel, despite the legitimate agency not being registered for that NDC connection. The tickets were issued using stolen credit cards, and subsequent chargebacks exposed the scheme. Similar attempts were identified across multiple airlines and connectivity providers, indicating what appears to be coordinated activity rather than an isolated incident.
As ASTA notes, there was no evidence of a breach within GDS or NDC systems. Instead, the vulnerability appears to stem from insufficient verification controls during certain airline NDC onboarding processes. In cases where validation relied primarily on confirming an IATA accreditation number – without additional authentication measures – those credentials were susceptible to misuse, says ASTA. The fraudulent activity involved spoofed domains, exploitation of legitimate accreditation credentials, stolen payment methods, and cross-border coordination.
ASTA says its encoring its members to regularly review BSP and (and in the U.S., ARC) reports for unfamiliar ticketing activity and promptly investigate any irregular chargebacks or airline inquiries.
ASTA adds that agencies that identify suspicious activity should immediately notify the relevant airline partners and GDS or technology security teams. Incidents should also be reported to IATA BSP/Agency Services (or in the U.S., ARC).
Source: Travelweek
