Fraudsters are creative in finding methods to access accounts and systems to conduct their criminal acts. ARC recently became aware of an incident in which an agency experienced unauthorized access to a GDS bridge into a second agency. Your agency’s systems — and, in particular, your GDS logins and access points — can be a target for fraudsters who want to issue tickets for their own customers.
Your GDS may allow you and another agent or independent contractor to link, connect or bridge your systems for the purposes of reviewing reservations and/or ticketing transactions. The following tips may help reduce your agency’s exposure to fraudulent activity.
Before allowing an independent contractor, another ARC agent or a third party to access your computer or GDS system, you should:
- Obtain references and conduct a due diligence or background check on each person
- Consider requiring that party to sign a hold harmless and indemnification agreement that makes them liable to you for any transaction issued on their user login credentials
- Purchase errors and omissions insurance that provides liability coverage for cyber theft, unauthorized ticketing, and stolen tickets and credit cards
- Review your GDS systems, users and login credentials frequently to determine whether any such “bridges” or “links” exist and whether they are still required
- When an employee or contractor is terminated, immediately revoke that person’s access to your computer systems and the GDS
- Disconnect “bridges” and all other links or connections between accounts no longer in use
- Restrict each GDS user’s level of access to only the privileges necessary. For example, cruise-only agents may only need access to view or book
- Review the level of access (for example, “look and book access,” “book and ticket access,” etc.) for each account frequently, and adjust or restrict as necessary
- As a best practice, ensure strong passwords are used to log into your agency’s workstations or laptops, and apply a rule that requires a password change at least every 90 days
- Review ticketing queues every day, including weekends and holidays. Review bookings on a daily basis and validate that they are created for legitimate customers
- Look for particular tickets that are not typically issued by your agency, such as high-dollar, international cash (or, at times, credit) sales
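One way to automate the periodic user, access-level and bridge review described in the list above, as an added example that is not part of the original advisory or of any GDS's tooling. The record fields, user IDs, PCC labels, role-to-access mapping and the 60-day idle threshold are assumptions, and the sample inventory is constructed.

```python
from datetime import date

# Constructed sample inventory. Field names, IDs and PCC labels are assumptions
# for illustration, not any GDS's real export format. pw_changed = workstation password.
USERS = [
    {"id": "AG01", "role": "cruise-only", "access": "book and ticket",
     "employed": True, "enabled": True, "pw_changed": date(2024, 5, 20)},
    {"id": "AG02", "role": "air", "access": "book and ticket",
     "employed": False, "enabled": True, "pw_changed": date(2024, 4, 1)},
    {"id": "AG03", "role": "air", "access": "book and ticket",
     "employed": True, "enabled": True, "pw_changed": date(2024, 1, 2)},
    {"id": "AG04", "role": "cruise-only", "access": "look and book",
     "employed": True, "enabled": True, "pw_changed": date(2024, 5, 1)},
]
BRIDGES = [
    {"partner": "PCC-A", "required": True, "last_used": date(2024, 5, 28)},
    {"partner": "PCC-B", "required": False, "last_used": date(2024, 5, 30)},
    {"partner": "PCC-C", "required": True, "last_used": date(2023, 11, 3)},
]

ACCESS_RANK = {"look and book": 1, "book and ticket": 2}
ROLE_MAX = {"cruise-only": "look and book", "air": "book and ticket"}  # assumed mapping
MAX_PW_AGE_DAYS = 90   # the 90-day password rule from the list above
BRIDGE_IDLE_DAYS = 60  # assumption: idle this long suggests "no longer in use"

def audit(users, bridges, today):
    """Return (subject, finding) pairs for every account or bridge needing action."""
    findings = []
    for u in users:
        if u["enabled"] and not u["employed"]:
            findings.append((u["id"], "revoke: terminated user still enabled"))
            continue  # other checks are moot until access is revoked
        allowed = ROLE_MAX.get(u["role"], "look and book")  # unknown role: least privilege
        if ACCESS_RANK[u["access"]] > ACCESS_RANK[allowed]:
            findings.append((u["id"], f"restrict: {u['access']} exceeds {allowed}"))
        if (today - u["pw_changed"]).days > MAX_PW_AGE_DAYS:
            findings.append((u["id"], "password older than 90 days"))
    for b in bridges:
        idle = (today - b["last_used"]).days
        if not b["required"]:
            findings.append((b["partner"], "disconnect: bridge no longer required"))
        elif idle > BRIDGE_IDLE_DAYS:
            findings.append((b["partner"], f"review: bridge idle {idle} days"))
    return findings

if __name__ == "__main__":
    for subject, finding in audit(USERS, BRIDGES, date(2024, 6, 1)):
        print(f"{subject}: {finding}")
```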
If You Suspect Unauthorized Ticketing or Access
- Immediately void the ticket(s) through your GDS to obtain an ESAC code
- Notify the affected carrier
- Cancel the PNR (or return segments if the outbound leg has been used)
- Contact your GDS to report compromised IDs, PCCs or passwords, and ask for immediate assistance to prevent additional unauthorized ticketing or access
NOTE: Each GDS has its own security and fraud guidelines. It is recommended that you familiarize yourself with those and apply them to safeguard your business.
At ARC, we are committed to reducing fraud against agents. Please report all fraud incidents to email@example.com or call us toll-free at 855-358-0393.