Sunday, October 29, 2006

I'm still beating this horse

Yes, I'm still on this Christopher Soghoian thing...

I found an article in CSO that goes over the same ground as Mr. Soghoian, albeit without the actual boarding pass generator:

As a frequent flyer, I hesitate to write this article, but as an auditor of security and information systems, it's the right thing to do. If you've ever wondered whether airport security has improved since 9/11, let me set you straight: It has not. There is a gaping hole in airport security, and the Transportation Security Administration (TSA) has done nothing despite being alerted to this vulnerability more than 11 months ago.

The TSA's website states there are four ways to obtain a boarding pass:

* Go to your airline's ticket counter at the airport.
* Use curbside check-in.
* Use your airline's self-service ticket kiosk in the airport lobby (if available).
* Print the boarding pass from your airline's website (not all airlines provide this option).

Let's be honest—there are really five ways. The fifth is to print your own boarding pass using your computer, and it's amazingly simple to doctor the name, date, time, flight number and even the airline name and logo. The modification process is sometimes as simple as using an HTML editor or even Microsoft Word.

How can this be? Because, at most airports, TSA personnel do nothing more than visually review the boarding pass. It is not checked against airline records by scanning the barcode until boarding. Moreover, there are no standards for boarding passes—each airline has a different format. Can you actually get on an airplane using this approach? Probably not, but you can certainly make it past the security screening checkpoints.

I don't know when this was posted (perhaps back in February), but you can be sure it was before Mr. Soghoian.

I say we fix the flaw... and give Mr. Soghoian back his computer equipment... and maybe pay for a maid to help him clean up his grad student apartment.

