Experts Warn About Security Flaws In Airline Boarding Passes 199
concealment writes in with a story about a newly found security issue with the bar codes on boarding passes. "Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive.
Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by technically minded travelers.
Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process."
Link to the actual blog (Score:5, Informative)
Re:Photoshop? (Score:3, Informative)
Probably not a good idea. From TFA: "it is illegal to tamper with a boarding card under U.S. law."
Re:Same security for all (Score:5, Informative)
Once you pass passport checks the 'security' on entering Australia [daff.gov.au] is to do with biological security. A US national entering from a US flight is low risk for carrying biological hazards like viable seeds, eggs, infested timber products etc. Had you entered on a flight you joined in Africa or Asia, or been a Chinese national (think suitcase full of traditional remedies), they would likely have X-rayed everything for biological matter. We have stiff penalties for failing to declare prohibited biological items.
Security on leaving Australia bound for the US is largely dictated by US policy.
Re:Profiling (Score:5, Informative)
Bingo. http://en.wikipedia.org/wiki/Secondary_Security_Screening_Selection [wikipedia.org]
I got into an argument with a customer service representative (and flew standby -- not sure which was responsible) and received this.
Re:Profiling (Score:4, Informative)
Ah, for all values of random where random = any flag in a DHS database anywhere.
Just so thrilled that we have discrimination down to a science.
Profiling is awesome. It surpasses all other screening methods in efficiency and effectiveness.
Not only is it fast (it can be done entirely before the passenger even arrives at the airport), and those not flagged can be sent through with a minimum of screening (all this equals much less waiting), it is also efficient as it would have caught all the 9/11 hijackers as well as the 'shoe bomber' and the 'underwear bomber', while none of the scanners would have caught anything, and even the grope search is likely to have missed almost everything.
Another backside to the current scanner-fixated system is that it creates some awfully attractive long queues filled with people outside the secure area where even a small nail bomb easily could kill hundreds. If you are going to assemble a lot of people in a confined space at the airport it should be inside the secured areas where they are less of a target.
And of course there's plenty of other places with lots of people assembled and little or no security - like malls, concerts, amusement parks, train- and bus stations or so on. There's a lot of potential targets so the only efficient means to secure them it to take out any potential terrorists way before they can get near such places or even get their hands on bomb materials and explosives.
TSA only = US focused (Score:5, Informative)
this only applies to the TSA who actually scan and pass people around the security scanning solution based on the results of what is in the barcode. in europe, you always have to go through scanning process, regardless of what your 2D barcode has encoded within in. all the TSA is doing here, is opening up a chance for terrorists based on local soil to get through the security scanning process simpler. the challenge is that the USA has the most number of travelers through the airline system than anywhere else in the world; doing extensive security checks does choke the system - so, they need to try and filter out the more frequent/trusted flyers, the net result is they are wasting time screening some since they done screen everyone.
Re:How long till John Butler gets arrested? (Score:5, Informative)
On October 26, 2006, Soghoian created a website that allowed visitors to generate fake boarding passes for Northwest Airlines. While users could change the boarding document to have any name, flight number or city that they wished, the generator defaulted to creating a document for Osama Bin Laden.
Soghoian claimed that his motivation for the website was to focus national attention on the ease with which a passenger could evade the no-fly lists.[3] Information describing the security vulnerabilities associated with boarding pass modification had been widely publicized by others before, including Senator Charles Schumer (D-NY)[4][5] and security expert Bruce Schneier.[6] Soghoian received media attention for posting a program on his website to enable the automatic production of modified boarding passes. Democrat Edward Markey, House of Representatives committee (telecommunications and the internet) stated Soghoian should be arrested.[2]
At 2 AM on October 28, 2006, his home was raided by agents of the FBI to seize computers and other materials.[7] Soghoian's Internet Service Provider voluntarily shut down the website, after it received a letter from the FBI claiming that the site posed a national security threat.[8] The FBI closed the criminal investigation in November 2006 without filing any charges.[9] The TSA also initiated a civil investigation in December 2006,[10][11] which was closed without any charges being filed in June 2007.[12][13]
Re:Same security for all (Score:5, Informative)
When I entered Australia as a U.S. citizen studying abroad I was waved through security. I'm still not sure why, but I don't think it had anything do with my boarding pass showing me as definitely not a terrorist.
You mean you were treated like a human being? In the rest of the world that's what we call "normal".
Re:Photoshop? (Score:5, Informative)
quite possible [schneier.com], as Bruce Schneier explains in detail.
Re:The truth... (Score:4, Informative)
we all know that it is bleeding the taxpayers dry
All your arguments except that one are valid. Some math will tell you why.
TSA budget: $8.1 billion
US federal budget: $3.7 trillion
So the TSA makes up approximately 0.2% of the federal budget. You could cut it to $0 and still make no significant dent in the deficit. The big ticket items are, and have been for decades: Social Security, Medicare, Medicaid, and Defense. After the crash in 2008, unemployment insurance, food stamps, WIC, and housing assistance jumped up because more people are unemployed, hungry, or homeless. But the TSA just isn't even remotely close to what's bleeding the taxpayers dry.