Ask Slashdot: Is TSA's PreCheck System Easy To Game? 157
OverTheGeicoE writes "TSA has had a preferred traveler program, PreCheck, for a while now. Frequent fliers and other individuals with prior approval from DHS can avoid some minor annoyances of airport security, like removing shoes and light jackets, but not all of the time. TSA likes to be random and unpredictable, so PreCheck participants don't always get the full benefits of PreCheck. Apparently the decision about PreCheck is made when the boarding pass is printed, and a traveler's PreCheck authorization is encoded, unencrypted, on the boarding pass barcode. In theory, one could use a barcode-reading Web site (like this one, perhaps) to translate a barcode into text to determine your screening level before a flight. One might even be able to modify the boarding pass using PhotoShop or the GIMP to, for example, get the screening level of your choice. I haven't been able to verify this information, but I bet Slashdot can. Is TSA's PreCheck system really that easy to game? If you have an old boarding pass lying around, can you read the barcode and verify that the information in TFA is correct?"
dupe (Score:3, Insightful)
Re:Yes (Score:5, Insightful)
Yes it is.
Wrong question is being asked
A better question is -- Would it matter if TSA PreCheck System were easy to game?
Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"
Re:Could be a honeypot (Score:4, Insightful)
Re:Barcode reading website? (Score:5, Insightful)
> What century is this?
It's the 21st century. You know, that century where not every Slashdot reader has a smartphone, and the majority of smartphones don't come with a built-in barcode reader, and reading barcodes is mostly pointless enough that the majority of users haven't installed a barcode reader.
Re:looked into it (Score:5, Insightful)
Copying and/or modifying is fairly safe, trying to pass it off as the original is when it gets dangerous.
Re:Yes (Score:5, Insightful)
Wrong question is being asked
A better question is -- Would it matter if TSA PreCheck System were easy to game?
Seeing how TSA has no record of ever catching or thwarting a terrorist, I would say "no"
No, neither question is really relevant. It doesn't matter if the system is easy to game for someone with technical aptitude because this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives.
Re:Easy to Read, not sure easy to change (Score:5, Insightful)
Re:Probably, but watch out for the Audit. (Score:5, Insightful)
Actually, if they have any common sense, they'd verify the barcode read from the ticket to the barcode stored in the airline DB when the ticket was printed. Modifying it would be a huge red flag.
But as we all know, the TSA has no common sense. I've considered it mind numbingly stupid that every time I've gone through an airport since 9/11, the super-duper-secure TSA checkpoint (ha!) doesn't check that my boarding pass actually corresponds to a real ticket issued. We're not talking about anything amazingly high tech, except a barcode reader, and network connection to verify against the airline(s) systems.
The only place that it's cross referenced is boarding, and even that is only most of the airlines I fly. I've been on a few that still just tear the paper boarding pass, and let you on. No verification or anything. At least not before the plane departs. I've been early (just like they ask you to), so I've watched them scanning used boarding passes minutes to hours after the flight leaves. I'm sure we're not suppose to observe procedure, even though it's done right in front of us.
Begin at the beginning... (Score:2, Insightful)
An excellent point is made above - with the TSA's wholehearted embodiment of the everything-looks-like-a-nail-if-all-you've-got-is-a-hammer ethos, defrauding the system (e.g. modifying your boarding card) is probably not something you want to get in to. Being sent home instead of to Hawaii once is worth a lifetime of taking off your shoes at the airport if you ask me.
I suppose the first question would really be... can you cause the system to change your TSA barcode through "normal" behaviour? Is the TSA code to check you tied to the traveler or the boarding pass? Given the TSA's track record, I'd say it's equally likely that a reprinted boarding pass would have a different barcode. If that happens to be the case, then you've basically got a free pass to print - scan - assess - reprint until you find a TSA code you like - and all without obviously defrauding the system.
If that doesn't work, I'd be totally shocked if asking to have your seat changed and getting a new pass didn't generate a new code.
Re:Could be a honeypot (Score:5, Insightful)
Actually, nothing.
If it's a bad guy doing it, they'll have a number trying to go through. The ones with flagged boarding passes will turn around and go home. The ones with clean boarding passes will continue through, smile, and say "thank you" to the TSA people (s)he encounters.
Anyone with any remotely planned mission will have such things in place, and already be ready for them. Send 5 guys in with tickets. A few will get caught. Some won't. Remember the recent tests where only 25% of the weapons passed through x-ray were caught. 5 people means 1 or 2 will get caught. Those odds can be improved if they synchronize someone who *will* get caught. It will draw attention away from the others who they want to make it.
I've observed that happening more than once. Someone gets stopped for having something "nefarious", like a bottle of water, or knitting needles. They make noise, more TSA employees go to guard, and now the rest of the lines are understaffed, and more will be waved through unmolested.
Re:Yes (Score:4, Insightful)
this whole system isn't really about making travel more secure, but conditioning people to be more complacent about government intrusion and restriction on their daily lives.
Parallel to that, army and police have been having Zombie Apocalypse training lately. Training them to fight crowds of unarmed human-shaped figures. Considering the lack of real zombies, I wonder what that's supposed to condition the army and police for...
Re:Yes (Score:5, Insightful)
I am not a fan of the TSA, but let's be fair here: the purpose of doing security checks is not to catch terrorists with bombs in their shoes, but rather to eliminate shoe-bombing as a viable form of attack.
The problem is, there are a large (but not technically infinite) number of such attacks. With the TSA only re-acting to the threat as it is used, that means there are (largeNum -1) attacks remaining. So, with such a large number of attacks to choose from, any terrorist would have no problem with the TSA.
In other words, the TSA only started checking shoes after someone tried to hide a bomb in one. The TSA only started their asinine 3-1-1 liquid rules after a liquid bomb plot was uncovered. And no doubt, the TSA will start rectal exams after a terrorist shoves a bomb up their ass.
Responding to the PREVIOUS threat is not security.
Re:Easy to Read, not sure easy to change (Score:2, Insightful)
Or you could just get a job as a TSA agent and wheel a huge suitcase sized bomb right past security and onto the plane.
Re:Yes (Score:5, Insightful)
What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.
Not everybody is screaming for increased authority being given to the TSA to declare martial law in airports. Too far? I think it was too far on September 10th, 2001, as the security procedures in pace prior to the 9/11 attacks should have stopped those terrorists from getting on board those planes in the first place as well as stopping even the shoe bomber.
These guys are simply being lousy rent-a-cops that really don't know the first thing about how to act as a law enforcement agency in a once free representative democracy. It is sad that they can't simply act like almost every other police agency acting outside of those airports and *gasp* actually investigate crimes when they happen, to do gum shoe detective work, and root out would be criminals who might be causing problems. I also think this "zero tolerance" for terrorist actions is maddening as well.
The real issue here is that stupid people do stupid things. We can't afford to have TSA level security in malls, public schools, banks, or elsewhere. Certainly not in bus stations or on freeways. In reality we can't afford to have this in airports either, but some stupid congressmen had a knee jerk reaction to a non-problem and didn't really address the issues involved either... trading one form of corruption for another.
What the TSA should be doing is real security and police work in airports. There may even be a need to keep it a federal agency, so far as threats to airport security typically do cross state borders and even become international problems. There are even national security issues involved so far as there are foreign governments who are using "terrorist groups" as surrogates to cause chaos and disorder deliberately in an attempt to further their own national goals. Yes, I'm saying that Al-Queida and other similar groups are not merely spontaneous but rather are supported, financed by, and encouraged by many countries (almost all of whom have seats at the United Nations along with national capitals and recognizable leaders) and this is a real war going on.
If these doughnut loving idiots would get off their behinds, turn off their scanning machines, and actually do some real police work to find those people who are causing problems... then I might be encouraged by the work that the TSA is doing. For now, I consider them to be lazy asses that are wasting billions of tax dollars on a futile exercise that won't stop a real terrorist attack in America by somebody determined to cause problems. This security theater is utter bullshit and needs to stop. If there is a real threat that soliders or mercenaries from foreign governments are coming into America... they should also be stopped. But it should be painfully obvious who they are as well and stopping those foreign soldiers from committing acts of war inside of America can be done without infringing on the rights of ordinary citizens or molesting toddlers.
Re:Yes (Score:4, Insightful)
The TSA is still doing it completely wrong. You don't try to find weapons or dangerous items, you try to find dangerous people.
Re:Yes (Score:4, Insightful)
What would be your response if a liquid bomb threat was discovered and then the TSA did nothing to screen for it? Everyone would be screaming their heads off that the TSA should be checking for known threats. It is absurd to try to claim that the TSA airport checks are not security.
The checks are security... security theater that is. They don't work. They don't catch terrorists. They don't prevent terrorists from trying something else.
You mention the liquid bomb incident. First of all, the liquids were not even meant to be taken aboard an airplane. They could have been though and that started the scare. Now, the sensible rules would be such, that it would be impossible to bring enough liquid aboard to create a bomb that could do any worthwhile damage. But no. The rules allow for one liter of liquid to be brought aboard and any half-decent explosives expert could tell you that it takes less than 200 ml of some liquid explosives to create a bomb that could bring down the aircraft. So we've ended up with a worthless rule that doesn't work, but which cause lots of inconvenience and hassle for the traveler. That's security theater - if it's REALLY annoying it must be REALLY effective...
Sure, you can't bring enough liquid explosive to blow a hole in the universe but you can still drop the plane on a major city, and that's usually enough for most terrorists.
Re:Yes (Score:2, Insightful)
[...] conditioning people to be more complacent about government intrusion and restriction on their daily lives.
Is that *really* what you think is happening? I'm a Brit and haven't been to the US for a while now so may well be talking out of my 'bum' ... but for that to be the case it suggests that someone, somewhere in the upper echelons of your government has taken an explicit decision that that is what they are trying to do.
I accept that the results make it feel more and more like a police state when you fly, but don't think the cause can be attributed to anything more than incompetence and laziness. As in: 'Hey, we need to make people feel more secure after a few hijackings. Screw it, we'll just hire a bunch of drop-outs in uniform to grope them every time they fly.'
The difference is important, because the way that you deal with an incompetent politician will probably be very different to the way that you deal with an 'evil' one, the latter being what I suspect you are alluding to. We may well be sleepwalking into a police state (the UK certainly has been over the past two decades) but my argument would be that the problem is the political apathy that allows it.
TL;DR: don't portray government as an evil genius when what's much more likely is a lazy idiot.
Re:Yes (Score:4, Insightful)
I'm not a fan of TSA either, but this seems like an unfair standard. How many criminals has the lock on your home door stopped?
The role of a lock on a front door or for that matter an automobile is to keep "the honest people honest". In other words, it is there to stop a 70 year old partially senile old woman from driving off with your car or walking into your house at odd hours because they got lost or confused. It reminds an otherwise honest person that they have gone too far and should likely turn back.
A uniformed officer walking around an airport with a radio and a gun works just fine to do that kind of security to protect passengers, staff, and crew from ordinary civil disorder, where they may have to call in some backup if some guys are getting a bit too rowdy at a restaurant bar or some group of people being too pushy trying to board an airplane. "Ordinary" crimes like assault, murder, and perhaps pickpockets and purse snatchers are legitimate things for a security force to try and keep under control.
Trying to keep some group of idiots who are determined to go postal and start killing random people in some manner is much harder to stop... assuming they can even be identified. Soldiers or mercenaries (however you define those terms) who are acting in the interest of a foreign government and trying to disguise as civilians in an attempt to perform acts of war (this is my own definition of terrorism) seems to be a larger problem... but there are ways to deal with such nations as well. Curtailing civil liberties and molesting grandmothers or toddlers is not a way to get that to happen.