The No-Fly List and Airport Security's Achilles Heel
A print-your-own boarding pass could be combined with credit card fraud to subvert the no-fly list. Are you concerned?
February 17, 2006 — CSO —
As a frequent flyer, I hesitate to write this article, but as an auditor of security and information systems, it’s the right thing to do. If you’ve ever wondered whether airport security has improved since 9/11, let me set you straight: It has not. There is a gaping hole in airport security, and the Transportation Security Administration (TSA) has done nothing despite being alerted to this vulnerability more than 11 months ago.
The TSA’s web site states there are four ways to obtain a boarding pass:
- Go to your airline’s ticket counter at the airport
- Use curbside check-in
- Use your airline’s self-service ticket kiosk in the airport lobby (if available)
- Print the boarding pass from your airline’s website (not all airlines provide this option).
Let’s be honest—there are really five ways. The fifth is to print your own boarding pass using your computer, and it’s amazingly simple to doctor the name, date, time, flight number and even the airline name and logo. The modification process is sometimes as simple as using an HTML editor or even Microsoft Word.
How can this be? Because, at most airports, TSA personnel do nothing more than visually review the boarding pass. It is not checked against airline records by scanning the barcode until boarding. Moreover, there are no standards for boarding passes—each airline has a different format. Can you actually get on an airplane using this approach? Probably not, but you can certainly make it past the security screening checkpoints.
Traveling to a family wedding made me think about security in airports. I had a direct connection and was to meet family in the airport. Since we were arriving on different airlines, that would likely mean different terminals. We would have to meet at the rental car counter. Unless… I printed a boarding pass to get into the other terminal. I’d printed boarding passes before, and co-workers consider me tech-savvy. Modifying them may be outside the realm of the average traveler. But terrorists aren’t average, are they?
The process to get the data I needed for the second boarding pass was amazingly simple: Google a map of the arrival airport to determine the terminal configuration (I needed to meet my party at a particular airline gate) and use Orbitz.com to find a flight number/date/time for around the time I needed. I saved my real boarding pass to a file, modified it using an HTML editor and printed the modified copy. I copied the file a third time, modified it to create a "return" boarding pass, and printed it for future test use.