Experts Warn About Security Flaws In Airline Boarding Passes 199
concealment writes in with a story about a newly found security issue with the bar codes on boarding passes. "Flight enthusiasts, however, recently discovered that the bar codes printed on all boarding passes — which travelers can obtain up to 24 hours before arriving at the airport — contain information on which security screening a passenger is set to receive.
Details about the vulnerability spread after John Butler, an aviation blogger, drew attention to it in a post late last week. Butler said he had discovered that information stored within the bar codes of boarding passes is unencrypted, and so can be read in advance by technically minded travelers.
Simply by using a smartphone or similar device to check the bar code, travelers could determine whether they would pass through full security screening, or the expedited process."
Same security for all (Score:5, Interesting)
Photoshop? (Score:5, Interesting)
Re:Same security for all (Score:2, Interesting)
Re:Same security for all (Score:3, Interesting)
Most countries don't check entering the country other than customs. I suspect the TSA does it for more funding. It is a department with the largest scope creep I have ever seen.
Re:Profiling (Score:2, Interesting)
It could be determined randomly before people are able to print their boarding passes.
In fact that would probably be the best way to ensure a random search, since a person at the gate might be influenced by your appearance.
It doesn't make much sense from a security standpoint to roll the random dice in advance, since a terrorist could book a number of flights under different aliases and then miss the flights where he/she is pre-selected for screening.
I'm not ruling out the authorities actually reasoned the way you're describing, though. "Enhanced security" at airports seems to have very little to do with actual security, and more to do with reassuring the public the situation is under control.
Plus, if you have legitimate reason to believe someone is higher than average risk, you could just specify what's needed on the boarding pass, and not have to rely on the staff to spot you based on a picture.
Having the information on the boarding pass itself introduces an even higher security risk. The information doesn't need to be on the boarding pass at all; it could just contain a unique serial number, which is then looked up in a database by the barcode scanner.
You think the barcode is bad... (Score:5, Interesting)
Not only could you photoshop the barcode, but hell, you could photoshop the name, the destination, the flight number, pretty much anything you wanted... The brainless goons at the security checkpoint wouldn't know the difference. (They don't scan tickets or anything).
In my experience (working for a contractor for a major US airline), you could even use a photoshopped (printed at home) boarding pass to get on the plane. When they scan it at the gate and the computer beeps saying "no such thing", generally the non-english-speaking gate agent will just scan it a few more times, give up, and let the person on the plane. When the passenger count from the computer later doesn't match up to the number of people on the plane, they'll just "go with what's on the plane" in the interest of getting the plane out on time. This happens on a DAILY BASIS. "Security" is a joke.
Re:Profiling (Score:5, Interesting)
Re:Photoshop? (Score:4, Interesting)
I usually print my own boarding pass these days. Check-in online and print a web page with barcode image on it. Altering that barcode before printing would be trivial.
Fortunately I don't really need to because last time I travelled it appeared that the nude scanners and shoe removal queue had all gone and just the metal detector was left.
You can still get cheap thrills by putting on a metal belt buckle if you are into that sort of thing. I noticed that a lot of guys wait until they can see how is doing the checks, and if she looks hot they keep their belt on, otherwise it comes off and goes in the tray.
Re:Photoshop? (Score:5, Interesting)
That is the scary thing about all that. There is no real screening on site or behaviour analysis, or you know, normal police work. No the level of scrutiny you get is dictated in advance by some random algorithm and independent of what you do there.
Security theater indeed !
Re:Same security for all (Score:5, Interesting)
It is a department with the largest scope creep I have ever seen.
You mean aside from the CIA, NSA, IRS, DOD, FBI, the executive branch of the government, the entire government itself? It's pretty hard to quantify 'scope creep' when everybody is guilty.
Re:Photoshop? (Score:5, Interesting)
the level of scrutiny you get is dictated in advance by some random algorithm and independent of what you do there.
Which is actually the safest method, short of checking 100% of passengers. It's easy to game any system that predictably targets specific groups, you just makes sure your agents aren't in those groups and you're safe. If the chances of being searched are random, you can't reduce the risk of getting caught.
Of course, you'd ideally also want to have some smart guys to do additional searches based on observation. But they seem in short supply.
The real security theatre is the immense effort devoted to imaginary threats, liquids and shoes, for instance, which were never a real threat to begin with.
Re:Profiling (Score:5, Interesting)
Airline employees can manually mark any boarding pass as SSSS.
How do I know? When it was possible to fly by purposely refusing to present ID, I once flew on a ticket that was paid for by another family member. When I went to check in and check my bags, they asked for ID. I told nicely told them that I prefer not to be identified and will be flying as a selectee. Person at ticket counter gives me a dirty look and responds (expectedly) that the SSSS is required if you don't present ID, but everything flowed smoothly after that. It's a shame that you can't refuse to identify yourself anymore these days.
After that, I think I was flagged as all my boarding passes for the next couple years had SSSS on it.
The Joys Of Flying (Score:5, Interesting)
including the inability to get non-stop flights for most routes, having to pay to park in a lot that is still a 10 minute ride to the terminal, having to arrive 2 hours early to ensure getting thru security on time to board, having small innocuous items in my pockets stolen by TSA, risking having large innocuous items in my bags stolen by TSA, getting severely overcharged for food at airport terminals, getting X-rayed by someone who is not my doctor or dentist, having to do mini-marathons thru airports to make connecting flights, getting my bags lost, etc. etc. have all combined to cause me to decide to drive everywhere I go. Eventually, the Alcan Highway is going to get photographed up the wazoo, by me, 'cuz I'll drive up and ferry back. But the X-rays were the last straw, that shall not stand. I quit. You can find me on I-10 to Tucson next year, I-74 from Indy to La Crosse, I-64 to St. Louis, etc. etc. Until the unconstitutional TSA activity is removed, I will not choose to fly anywhere I can drive, or boat, or travel by train.
Re:Same security for all (Score:2, Interesting)
You mean aside from the CIA, NSA, IRS, DOD, FBI, the executive branch of the government, the entire government itself?
Oh, no no, assuming scope creep is computed as "total size/useful size", TSA can leave everyone in the dust. With CIA/NSA/IRS/DOD/FBI, there is some fraction (we can argue how big) that provides useful service. With TSA there is no such thing.
To my knowledge, TSA hasn't actually caught any terrorists in 11 years of its existence. Every time some other organization (or fellow passengers) apprehend a terrorist wanna be (rare, but it happens), TSA expands it's funding. So by my definition "total size/useful size", TSA scope creep is a glorious infinity.
Re:You think the barcode is bad... (Score:5, Interesting)
I've actually had this happen to me. Connecting flight, they gave me a new boarding pass at the gate (one with a boarding group number), and I neglected to check that it was the right one. The ticket scanner beeped weirdly when I tried to board but the agent waved me on anyway, and only when I found someone else in my seat did I realize that I had been given someone else's boarding pass, and that person had already boarded.
I believe it was Washington Dulles, westbound.