It seems there's a lot of speculation here. Everyone seems to be assuming the fraud is due to account theft. Two-factor could help here, but if the account is not initially configured for two-factor, the thief could easily add it post-theft without the account holder being none the wiser if it was close to booking time. Also, the fraud could primarily be due to people selling miles through mileage brokers rather than account theft. Two-factor is unlikely to make much difference to broker sales.