The No-Fly List and Airport Security's Achilles Heel

A print-your-own boarding pass could be combined with credit card fraud to subvert the no-fly list. Are you concerned?

As a frequent flyer, I hesitate to write this article, but as an auditor of security and information systems, it’s the right thing to do. If you’ve ever wondered whether airport security has improved since 9/11, let me set you straight: It has not. There is a gaping hole in airport security, and the Transportation Security Administration (TSA) has done nothing despite being alerted to this vulnerability more than 11 months ago.

The TSA’s web site states there are four ways to obtain a boarding pass:

  • Go to your airline’s ticket counter at the airport
  • Use curbside check-in
  • Use your airline’s self-service ticket kiosk in the airport lobby (if available)
  • Print the boarding pass from your airline’s website (not all airlines provide this option).

Let’s be honest—there are really five ways. The fifth is to print your own boarding pass using your computer, and it’s amazingly simple to doctor the name, date, time, flight number and even the airline name and logo. The modification process is sometimes as simple as using an HTML editor or even Microsoft Word.

How can this be? Because, at most airports, TSA personnel do nothing more than visually review the boarding pass. It is not checked against airline records by scanning the barcode until boarding. Moreover, there are no standards for boarding passes—each airline has a different format. Can you actually get on an airplane using this approach? Probably not, but you can certainly make it past the security screening checkpoints.

Traveling to a family wedding made me think about security in airports. I had a direct connection and was to meet family in the airport. Since we were arriving on different airlines, that would likely mean different terminals. We would have to meet at the rental car counter. Unless… I printed a boarding pass to get into the other terminal. I’d printed boarding passes before, and co-workers consider me tech-savvy. Modifying them may be outside the realm of the average traveler. But terrorists aren’t average, are they?

The process to get the data I needed for the second boarding pass was amazingly simple: Google a map of the arrival airport to determine the terminal configuration (I needed to meet my party at a particular airline gate) and use Orbitz.com to find a flight number/date/time for around the time I needed. I saved my real boarding pass to a file, modified it using an HTML editor and printed the modified copy. I copied the file a third time, modified it to create a "return" boarding pass, and printed it for future test use.

At this point, you may be asking, "Why is the boarding pass used as a part of authentication in the security screen process anyway?"

The answer is that an additional manual review of the boarding pass was introduced with the misguided thought that it would improve security. The boarding pass was originally designed by the airline for seat assignment and revenue accounting. The problem is that if you print a boarding pass at home, it is out of the airline’s control. Without that control, an airline screener and TSA staff have fewer means to detect a counterfeit document. A potential terrorist who can obtain a counterfeit picture ID can probably print a counterfeit boarding pass.

Until 9/11, some airlines, such as Southwest, did not even use boarding passes. Southwest, one of the few airlines to make money consistently, had determined the process was inefficient. Their seat assignment process used plastic pre-marked cards numbered 1 to 137 for the 137 seats on their Boeing 737-300. The plastic cards varied in color and boarding was in groups of 30. The result was reusable cards controlled by the airline: Less paper, a simple routine and every Southwest passenger understood the cattle call.

Online check-in was first used by Alaska Airlines in 1999, and most airlines have offered it since 2003. Usage runs from about 5 percent of eligible passengers at Delta, to 9 percent at US Airways, 11 percent at Northwest and 15 percent at AirTran. Some airlines have touted the process on their websites: In May, US Airways offered 1,000 free miles to passengers who printed their own boarding pass. Continental even allows customers to print boarding passes for international destinations. Experts expect online check-in will continue to grow to over half of passengers.

If no luggage is checked, you can print a boarding pass, go to the airport and queue to begin the security screening process. There’s no need to talk with any airline staff at all. So when the airline screener inspects the document, he is simply comparing the boarding pass and your photo ID. As long as everything looks authentic, he will highlight or initial the boarding pass. A bonus of printing your own pass is that you avoid the airline printing the dreaded SSSS symbol on your pass, marking you for extra security screening.

Of course, the final question is, "Will a counterfeit boarding pass actually get past security?" The answer is: Yes. Once printed, a modified boarding pass can pass security checkpoints easily. Security personnel look at the documents but have no system to check their veracity. The name on the pass can be matched to the government-issued photo ID. The date, time, departure airport and perhaps gate can be evaluated. But the pass itself cannot be guaranteed to be authentic because the printing process is not controlled.

A print-your-own boarding pass can be combined with credit card fraud to subvert the "no-fly list." Senator Charles Schumer of New York laid out this scenario in a letter dated February 11, 2005, to TSA officials.

1. Joe Terrorist (whose name is on the no-fly list) buys a ticket online in the name of Joe Smith using a stolen credit card. Joe Smith is not listed on the terrorist watch list.

2. Joe Terrorist then prints his "Joe Smith" boarding pass at home, and then electronically alters it to create a second almost identical boarding pass under the name Joe Terrorist, his name.

3. Joe Terrorist then goes to the airport and goes through security with his real ID and the FAKE boarding pass. The name and face match his real driver’s license. The airport employee matches the name and face to the real ID.

4. The TSA guard at the magnetometer checks to make sure that the boarding pass looks legitimate as Joe Terrorist goes through. He or she does not scan it into the system, so there is still no hint that the name on the fake boarding pass is not the same as the name on the reservation.

5. Joe Terrorist then goes through the gate into his plane using the real Joe Smith boarding pass for the gate’s computer scanner. He is not asked for ID again to match the name on the scanner, so the fact that he does not have an ID with that name does not matter. (Since Joe Smith doesn’t actually exist, it does not coincide with a name on the terrorist watch list.) Joe Terrorist boards the plane, no questions asked.
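
The gap in this scenario is that no single step compares the traveler's ID with the airline's own record. The Python sketch below is an added example, not code from the article, the TSA or any airline: it models the checkpoint and gate checks as described, next to a hypothetical reconciled check that binds ID, printed pass and reservation together. The record locator, function names and data are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed sample data. Names follow the scenario; the locator is made up.
NO_FLY = {"JOE TERRORIST"}
RESERVATIONS = {"ABC123": "JOE SMITH"}  # airline record: barcode locator -> name

@dataclass(frozen=True)
class BoardingPass:
    printed_name: str  # human-readable text; outside airline control once printed at home
    locator: str       # value encoded in the barcode, resolvable against airline records

def norm(name: str) -> str:
    return " ".join(name.upper().split())

def visual_check(id_name: str, bp: BoardingPass) -> bool:
    """Checkpoint as the article describes it: photo ID vs. printed text only."""
    return norm(id_name) == norm(bp.printed_name)

def gate_scan(bp: BoardingPass) -> bool:
    """Gate as described: barcode resolved against airline records, no ID requested."""
    return bp.locator in RESERVATIONS

def reconciled_check(id_name: str, bp: BoardingPass) -> list[str]:
    """Hypothetical control: bind ID, printed pass and airline record in one step.
    Returns the list of failures; an empty list means the traveler passes."""
    failures = []
    record_name = RESERVATIONS.get(bp.locator)
    if record_name is None:
        failures.append("barcode has no reservation")
    else:
        if norm(record_name) != norm(id_name):
            failures.append("ID name differs from reservation")
        if norm(record_name) != norm(bp.printed_name):
            failures.append("printed name differs from reservation")
    if norm(id_name) in NO_FLY:
        failures.append("ID name is on the watch list")
    return failures

def audit(id_name, checkpoint_pass, gate_pass):
    """Run the described checks and the reconciled check over one journey."""
    return {
        "checkpoint_visual": visual_check(id_name, checkpoint_pass),
        "gate_scan": gate_scan(gate_pass),
        "reconciled_failures": reconciled_check(id_name, checkpoint_pass),
    }

if __name__ == "__main__":
    original = BoardingPass("Joe Smith", "ABC123")
    altered = BoardingPass("Joe Terrorist", "ABC123")  # same barcode, edited text
    print(audit("Joe Terrorist", altered, original))
    print(audit("Joe Smith", original, original))
```

Both described checks pass for the scenario's traveler, while the reconciled check reports three independent failures; a matching ID, pass and reservation produce none.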

So why has nothing been done to close this loophole? The root cause is probably harder to determine than the solution. It could be an aversion by both airlines and government to annoy travelers further with longer queues, especially since several airlines are experiencing financial difficulties. Perhaps neither the airlines nor the TSA want to make the hole more obvious (if that is possible) by acknowledging it.

Nico Mendelez, a TSA spokesperson, downplayed the threat of counterfeit boarding passes, saying that security doesn’t begin and end at the security checkpoints. "On the back side of security checkpoints, we have federal air marshals, hardened doors and other tools in place to reduce threats inside the aircraft."

This may be true, but doesn’t that mean the whole process needs to be re-evaluated? Perhaps the solution is to use risk management to assess the real risks and put appropriate controls in place. Rather than adding another checkpoint to scan boarding passes and access the airline records system (and the no-fly list), let’s look at the entire process. Rather than worrying about removing computers from bags and taking off our shoes and jackets prior to x-ray, let’s concentrate on where controls are needed. Because without proper controls, airline security is a disaster waiting to happen.

Copyright © 2006 IDG Communications, Inc.
