Ask Slashdot: Is TSA's PreCheck System Easy To Game? 157
OverTheGeicoE writes "TSA has had a preferred traveler program, PreCheck, for a while now. Frequent fliers and other individuals with prior approval from DHS can avoid some minor annoyances of airport security, like removing shoes and light jackets, but not all of the time. TSA likes to be random and unpredictable, so PreCheck participants don't always get the full benefits of PreCheck. Apparently the decision about PreCheck is made when the boarding pass is printed, and a traveler's PreCheck authorization is encoded, unencrypted, on the boarding pass barcode. In theory, one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice. I haven't been able to verify this information, but I bet Slashdot can. Is TSA's PreCheck system really that easy to game? If you have an old boarding pass lying around, can you read the barcode and verify that the information in TFA is correct?"
Re:Probably, but watch out for the Audit. (Score:5, Informative)
There is a very good DefCon talk on youtube about barcodes and how easy they are to scam. It's so trivial to encrypt the data in a barcode but of course TSA has spared every expense in the defence of america.
Here's the DefCon talk: http://www.youtube.com/watch?v=qT_gwl1drhc [youtube.com]
Re:Could be a honeypot (Score:5, Informative)
Yeah, and the "who".
Their thought: "hey, well catch the bad guys who are trying to get around security!"
Reality: they catch the nerds who know how to hack barcodes and want to save 10 minutes of waiting in a security line.
But this is giving them too much credit. They are not thinking that far ahead. They are still stuck on shoe bombs (22 Dec 2001).
Easy to Read, not sure easy to change (Score:5, Informative)
Look the code to determine pre-check is in the clear and easy to read. What's not obvious is if it's also easy to change. There is a base-64 message below all the normal data that seems to decode to a hash. I would expect that this hash is protecting the integrity of the data above. No one I have seen has modified their barcode and presented it to the TSA. So while there is speculation that it is easy to change, there is no proof and some mild evidence that says this may not be so.
Schneier (Score:5, Informative)
Re:Yes (Score:5, Informative)
" this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives."
DING DING DING DING DING!
Ladies and gentlemen, please lower your bids. We have a winner.
Re:Yes (Score:4, Informative)
Unless you want to give all your flight details to some random web server operator, you're better off installing something like http://sourceforge.net/projects/zbar/ [sourceforge.net] and decoding yourself.