Airlines have become a magnet for online fraud, as criminals refined methods to tap channels with higher payoffs.
E-commerce fraud involving airline tickets surged 61% last year, the fastest growing category for fraud, while fraud around bus and rail tickets also surged 38%, according to Forter, which tracked $140 billion in global e-commerce transactions.
An obvious contributor to the uptick in air travel fraud were two major breaches last year at airlines. British Airways in mid-2018 reported a data breach exposing payment card details from an estimated 500,000 passengers who had purchased tickets through the airline’s website. Cathay Pacific in October 2018 disclosed a data breach exposing personal data and travel histories of 9.4 million consumers.
But there isn’t necessarily a clear link between a data breach in one industry and an uptick in fraud in that same industry.
Online fraud in the hotel industry declined 10% last year according to Forter, the same year Marriott disclosed a major breach exposing the records of up to 500 million consumers.
The difference could be the ease with criminals can use stolen payment credentials to buy and sell airline tickets online, whereas hotel stays are harder to monetize online.
“Airlines have long been an attractive target, and the surge is likely primarily due to the vast number of data breaches plus the rising tide of synthetic identity fraud as well,” said Julie Conroy, a senior analyst with Aite Group.
Airlines in the last few years also have seen a strong surge of theft of airline loyalty points with account takeover as the entry point, Conroy said.
“Credential compromise tends to be a key attack vector, in that a consumer’s credentials are compromised in a breach, and they use that same username and password at their airline, so fraudsters can log in and transfer out or redeem a victim’s loyalty points,” she said.
Despite the ongoing parade of data breaches, consumers continue to be sloppy with password security, Conroy noted.
“The majority of consumers use the same set of usernames and passwords across the majority of their online relationships,” she said.
Globally, more than half of consumers say they are using unique and strong passwords for each account, according to a recent survey by Ping Identity.
Fifty-seven percent of consumers said they use multifactor authentication and unique, strong passwords to access accounts that require security.
Nearly 40% of consumers log in to secure sites through social media networks like Facebook, while a third said they use biometric methods like a thumb scan or facial recognition. A quarter of consumers use a password manager for account-access security and only 14% use a secure hardware token, according to Ping Identity.
