Q: Over a single weekend, fraudsters used the GDS login credentials of travel advisors at dozens of agencies to issue hundreds of cash tickets for travel from Africa to Europe. At our own agency, over $70,000 in tickets were issued, and most were used before we discovered the problem on Monday morning. The airlines are requiring that we pay for these tickets. I know that this has been a problem for U.S. agencies for a long time but it seems to be getting worse. Are our GDS vendor, the airlines, or ARC doing anything about it?
A: I agree that the problem is getting worse. Fortunately, there is a way to prevent such ticketing at every Sabre agency (as far as I know, only Sabre agencies have been hacked).
After my most recent column on the subject, "Meeting the 'reasonable care' threshold" (Aug. 15), a knowledgeable agency owner told me that there is a setting in Sabre that enables you to prohibit cash (i.e., non-credit-card) tickets and that there is another setting that turns off ticketing ability on weekends.
I would strongly urge all Sabre agencies to toggle those settings to "on." I don't know whether Travelport and Amadeus have such settings, but if they do, then you should turn them on, as well.
The airlines claim that they try to stop travelers with fraudulent tickets from boarding, but they must not be trying very hard. After all, they have a guarantor called the travel agency.
ARC has just come out with an amendment to the standard Agent Reporting Agreement that addresses the problem, but it really helps no one but ARC. The purpose of the amendment is to specify that agencies must promptly notify ARC, the affected carriers and their GDS vendor to "request their support" -- presumably by voiding tickets and stopping passengers from boarding.
The amendment also requires that you forward to ARC any email fraud notifications received from the GDS vendors. Finally, you must provide to ARC, within five business days, all supporting documentation requested by that company to conduct a review and reach a determination regarding the incident.
In my experience, agencies already provide all these notifications and documentation, hoping that ARC will help. In most cases, ARC just issues a letter stating that it cannot determine that the agency was exercising "reasonable care," so the agency cannot be relieved of liability. Then, the carriers issue debit memos.
Finally, the amendment clarifies that even if you were exercising reasonable care, ARC will still not relieve you of liability if the hacking was done by "current or former third-party vendors, service providers or employees whose access to the agent's systems was improperly maintained or not properly terminated."
ARC is not the adversarial, quasi-G-man bureau that it once was, and it is genuinely interested in helping agencies that become victims of ticketing scams. It runs many fraud-prevention webinars and publishes lots of relevant tips. Just don't count on much real help if you are victimized.