ASTA is warning U.S. agencies to be vigilant following a fraud incident in Canada that could be replicated here.
In Wednesday's Travel Advisor Daily newsletter, ASTA highlighted the incident, which was reported by the Association of Canadian Travel Agencies and Travel Advisors.
According to ASTA, a bad actor working from international locations, including Brazil, "spoofed an agency's email domain in order to impersonate a legitimate travel business."
Without authorization, the bad actor attempted to get access to airline NDC connections. Fraudulent ticketing did happen via an airline's NDC channel. The legitimate agency, ASTA noted, was not actually registered for that NDC connection.
Tickets were issued with stolen credit cards. The scheme was identified via subsequent chargebacks.
Multiple fraud attempts were made, ASTA said, making it likely the attack was coordinated and not an isolated incident.
"Although the activity has so far been identified outside the United States, its nature suggests a broader industry vulnerability that could potentially impact U.S. agencies as well," the society said.
According to ASTA, no breaches were identified within GDS or NDC systems.
"Instead, the vulnerability appears to stem from insufficient verification controls during certain airline NDC onboarding processes," the society said.
ASTA encouraged its members to remain vigilant in the wake of the incident. Regular reviews of IATA Billing and Settlement Plan and ARC reports should be conducted.
"It is also critical to centrally track and strictly control airline NDC registrations within your organization," ASTA said. "Agencies should limit who has authority to request or approve NDC access and actively monitor for spoofed or look-alike email domains."
Airlines and technology providers should use multi-factor authentication and/or require executive-level validation before giving an agency new NDC access, ASTA said, and agencies are advised to check that they do.
Any suspicious activity should be reported to airlines, GDSs or technology providers, as well as IATA BSP or ARC. ASTA also asked to be notified so that it can monitor and support risk-mitigation efforts.