Graduate student arrested for exposing boarding pass vulnerability
Student Web site allowed users to print out their own boarding passes; stunt showed how a terrorist could print up a dummy pass to evade detection by No Fly List; no procedures exist to check ID card, boarding pass, and traveller identity simultaneously
And the youth shall lead them. Federal investigators have arrested an Indiana graduate student who developed a Web site allowing users to print out their own airline boarding passes. Many airlines now provide such a service, but Christopher Soghoian was in no way associated with any commercial service. Rather, he was trying to point out a glaring vulnerability in the country’s airport sercurity complex: a terrorist armed with two boarding passes, one real and one fake, could easily evade DHS’s No Fly List. Earlier this year, Slate magazine explained how this would work.
Imagine a terrorist who steals a credit card belonging to John Smith and purchases a ticket under Smith’s name online, being sure to print out his boarding pass under that name. The terrorist then uses simple graphic design software to print out a second boarding pass, this time using either his real name or a name for which he has a reliable false identification. When he approaches the security gates, he hands his real identification and fake boarding pass to the guard, who merely examines whether the names match up. They do. Having breached this layer of security, the terrorist then hands the agent at the gate the real (that is, the stolen) boarding pass for the name to be checked against the flight manifest. It will. The terrorist is on board and the No Fly List has been evaded entirely.
When n asked a airline security expert about this, he immediately refused to be named for the article. “[The double boarding pass scam] would completely negate, for all intents and purposes, an identity check,” he said gravely. It is, he told Slate, “a potential loophole in the process.” The solution, however, is obvious, which is why it is so stunning that nothing has been done. He continued: All the TSA needs to do is to have at least one document check station that simultaneously compares all three elements: the boarding pass, a government-issued ID, and the No-Fly List in the airline’s computer. This could be at security or at the gate (where, after all, IDs used to be checked).
Yet the Transportation Security Administration says it has no plans to do this. We wonder why not. Yes, a simultaneous check would take up a little more time, but what is the point of having a No Fly List if it can be so easily evaded? As Slate writes, “We’ve already endured two wars and countless other disruptions in the name of safety. A few extra minutes at the airport isn’t going to kill anyone.” Now all we need is an enterprising company to show TSA how it is to be done.
-read more in Andy Bowers’ Slate report; for more on the recent arrest, read this Security Focus report
