Fake boarding passes clear airport security

“This is your final boarding call for Al Kyder and Terry Wrist.”

If you really are an Al-Qaeda terrorist, a satirical television series, or Robert Johnson, getting past the no-fly list and the security checkpoint could be as simple as, well, making up a name and printing your own boarding pass.

Christopher Soghoian, a graduate researcher at the Center for Applied Cybersecurity Research at Indiana University, said he wanted to get the attention of Congress when he put online a Web application which generates fake boarding passes that are good enough to get you past the Transportation Security Administration checkpoint.

The fake boarding pass generator exposes long-standing flaws in airport security as implemented by the federal government which would allow people on the no-fly list to buy tickets and board flights, possibly without even going through the somewhat invasive secondary screening that everyone whose boarding pass shows “SSSS” finds themselves subjected to.

And he sure got the attention of Congress, all right. Rep. Ed Markey (D-Mass.) denounced the web site and called for the executive branch to shut down the site and have Soghoian arrested.

“The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane,” Markey said in a statement. “There are enough loopholes at the backdoor of our passenger airplanes from not scanning cargo for bombs; we should not tolerate any new loopholes making it easier for terrorists to get into the front door of a plane.” — 27B Stroke 6

But, this isn’t a new loophole at all. It’s a very old one.

The fake boarding pass generator does not create a new security weakness. It reveals an existing one. Though some people may want to, it’s important not to kill the messenger (who, in this case, is a Ph.D. student in security infomatics at Indiana University who created the pass generator to call attention to the problem). As I’ve said before, identity-based security is terribly weak. Its costs — in dollars, inconvenience, economic loss, and lost privacy — are greater than its security benefit. — Jim Harper, Director of Information Policy Studies, Cato Institute

Of course, when you can order tickets in any name you like, even those as silly as Al Kyder and Terry Wrist, watchlists are completely pointless.

For its part, Northwest Airlines says it is “cooperating with law enforcement and government,” and that the company verifies boarding passes using bar scanners as passengers board planes. The company says it alerts the Transportation Security Administration and the police when it catches anyone using a fraudulent boarding pass.

Now Soghoian says he’s scared, and that Indiana University’s lawyers told him that “the flip side of academic freedom is that the university won’t defend me if there are problems.”

Even if Soghoian’s site is shut down, any boarding pass purchased over the web can still be easily edited in any browser. That means fliers can buy a legitimate ticket through an airline’s website under a false name — evading the TSA’s no-fly list — then use a fake boarding pass under their real name to get past airport metal detectors, the only spot where IDs are checked. Fliers prone to selection for additional screening could also create boarding passes without the “SSSS” mark that tells TSA to search them more thoroughly.

“The website in question has the potential to promote illegal activity,” said TSA spokesman Christopher White. “Submitting fraudulent documents to airline security is illegal. But the site will not aid anyone in circumventing security, since a boarding pass offers entry into a TSA security checkpoint and TSA ensures that every person and their property is fully screened.” — Wired News

Shutting down the fake boarding pass generator would be completely useless; it’s so simple that it would immediately be reproduced at hundreds of sites all over the Internet.

One thought on “Fake boarding passes clear airport security

  • November 1, 2006 at 6:59 pm
    Permalink

    Why not compare the ticket with the database entry for that ticket?

    No database entry for a ticket should be a big flag that something
    is wrong with the ticket. Also, update the database record with a
    unique key sequence printed on the ticket. That way the printed
    ticket would have to match the database entry.

    Even harder, encode the unique code on the ticket (and database
    record) with the ticket ID, name and destination. Anything that does
    not match, sets of a warning for more investigation.

    Using a single printed piece of bar coded paper for security is
    stupid.

Comments are closed.