Recently, ARC became aware of an incident in which an agency experienced unauthorized access to a GDS bridge into a second agency. Fraudsters are creative in finding methods to access accounts and systems to conduct their criminal acts. Your agency systems, and in particular your GDS logins and access points, can be targets for fraudsters who want to gain access to systems to issue tickets for their own customers.
Your GDS may allow you and another agent or independent contractor to link, connect, or bridge your systems for the purposes of reviewing reservations or ticketing transactions. The tips set out below may help reduce an agency’s exposure to fraudulent activity.
Before allowing an independent contractor, another ARC agent or third party to use these functionalities to link to your computer or GDS system, you should:
- Obtain references and conduct a due diligence or background check on each person.
- Consider requiring the third party to sign a hold harmless and indemnification agreement making them liable to you for any transaction issued under their user login credentials.
- Purchase errors and omissions insurance that provides liability coverage for cyber theft, unauthorized ticketing, and stolen tickets and credit cards, etc.
- Review your GDS systems, users and login credentials frequently to determine whether any such “bridges” or “links” exist and whether they are still required.
- When an employee or contractor is terminated, immediately revoke that person’s access to your computer systems and the GDS.
- Disconnect “bridges” and all other links or connections between accounts no longer in use.
- Restrict each GDS user’s level of access to only the privileges that user needs. For example, cruise-only agents may only need access to view or book.
- Review the level of access (for example, “look and book access,” “book and ticket access,” etc.) for each account frequently, and adjust or restrict as necessary.
- As a best practice, ensure strong passwords are used to log in to your agency’s workstations or laptops, and apply a rule that requires a password change at least every 90 days.
- Review ticketing queues every day, including weekends and holidays. Review bookings on a daily basis and validate that they are created for legitimate customers.
- Look in particular for tickets that are not typically issued by your agency, such as high dollar and international cash (at times credit) sales.
If you suspect unauthorized ticketing or access:
- Immediately void the ticket(s) through your GDS to obtain an ESAC code.
- Notify the affected carrier.
- Cancel the PNR (or return segments if the outbound leg has been used).
- Contact your GDS to report compromised IDs, PCCs, or passwords and ask for immediate assistance to prevent additional unauthorized ticketing or access.
Note: Each GDS will have its own security and fraud guidelines and it is recommended that you familiarize yourself with those guidelines and apply them to safeguard your business.
At ARC, we are committed to reducing fraud against agents. Please report all fraud incidents to firstname.lastname@example.org or call 855-358-0393.