The American
Society of Travel Advisors (ASTA) is raising awareness of a significant
fraud incident reported by ACTA in Canada involving the unauthorized use of
a legitimate travel agency’s IATA accreditation number and attempted exploitation
of airline NDC onboarding processes.
To date, the activity has only been identified outside the U.S.;
however, it raises concern about broader industry vulnerability that could potentially
impact U.S. agencies as well.
Operating from Brazil and other international locations, a fraudster spoofed an agency’s e-mail domain to impersonate a legitimate travel
business. Using the agency’s valid IATA accreditation number and GDS
PCC—without authorization—the individual attempted to gain access to airline
NDC connections.
Fraudulent ticketing occurred through an airline’s NDC
channel, despite the legitimate agency not being registered for that NDC
connection. The tickets were issued using stolen credit cards, with subsequent
chargebacks exposing the scheme. Similar attempts were identified across
multiple airlines and connectivity providers in what appears to be coordinated
activity rather than an isolated incident.
Though there is no evidence of a breach within GDS or NDC
systems, the vulnerability appears to stem from insufficient verification
controls during certain airline NDC onboarding processes. In cases where
validation relied primarily on confirming an IATA accreditation number—without
additional authentication measures—those credentials were susceptible to
misuse. Fraudulent activity involved spoofed domains, exploitation of
legitimate accreditation credentials, stolen payment methods, and cross-border
coordination.
Mark Meader, Executive Vice President, ASTA Corporate and
Industry Affairs, said in a statement, “This case shows how easily legitimate
credentials can be misused when verification processes rely too heavily on a
single data point like an IATA accreditation number. Although the fraud
occurred outside the United States, the underlying risk isn’t limited by
geography. We’re encouraging agencies to keep a close eye on their reporting,
carefully manage who can request or approve NDC access and confirm that airline
partners are using strong authentication.”
This incident underscores systemic risk for the travel
industry. If verification controls are weak, legitimate agency credentials
can be leveraged by fraudsters to obtain unauthorized ticketing access. As NDC
adoption continues to expand, onboarding and credential validation processes
may create new exposure points for both agencies and airlines.
ASTA encourages members to remain vigilant. Agencies should
regularly review BSP and ARC reports for unfamiliar ticketing activity and
promptly investigate any irregular chargebacks or airline inquiries. It is also
critical to centrally track and strictly control airline NDC registrations
within your organization. Agencies should limit who has authority to request or
approve NDC access and actively monitor for spoofed or look-alike email
domains. Additionally, confirm that airlines and technology providers use
executive-level validation and/or multi-factor authentication before granting
new NDC or portal access. IATA accreditation alone should not be treated as
sufficient proof of authorization.
Agencies identifying suspicious activity should immediately
notify the relevant airline partners and GDS or technology security teams.
Incidents should also be reported to IATA BSP/Agency Services or ARC. ASTA also
encourages members to inform the association as well, to support broader industry awareness
and risk mitigation efforts.
“At ASTA, protecting our members and the integrity of their
businesses is central to everything we do,” said Michael Schottey, Vice
President of Membership, Marketing and Communications.
He added, “When incidents like this surface, our role is to
quickly raise awareness, work with industry partners to understand the scope of
the threat and ensure advisors have the information they need to safeguard
their businesses. Travel advisors shouldn’t have to worry that their
hard-earned credibility could be misused by bad actors, and ASTA will continue
leading efforts to close gaps, strengthen protections and defend our members
against evolving fraud risks.”