/ / / /

Washington Post Discovers Decade-Old TSA Loophole, Freaks Out

November 7, 2012 at 4:21 PM | by | ()

We expected someone somewhere to make TSA incompetence an issue during the election. The airport security agency is disliked across the political spectrum - from the civil rights left and the libertarian right - and since that's pretty much everyone we kind of figured it would come up.

And yet we can't shake the feeling that journalists have just been phoning it in on TSA. The stories from the last two months have not only been old but, with due respect, a little bit lazy. For instance ABC News used the Freedom of Information Act to get a ranked breakdown of airports where TSA employees have been fired for theft. That led to a week of stories where local reporters in every single list city published stories about how their particular airport was filled with TSA pickpockets.

OK. Entertaining. But on the list of things that count as news, TSA theft is what you write about when you don't have anything else to write about.

And then over the weekend there was this Washington Post story, about how people can make fake boarding passes to get through security. You can purchase a boarding pass under someone else's name to avoid the no-fly list, print out a copy, then digitally alter it to have your real name, then print out another copy. You use the altered version to get through ID checkpoints (since the pass has your real name, which will match your real ID) and the real pass to get on the airplane.

The vulnerability was figured out, we're guessing, about 90 seconds after the no-fly list was invented. We wrote about it in 2008 and 2009 and 2011, and then later 2012. There was an additional post in 2011 where we outlined it in not a little bit of detail.

TSA was supposed to fix the problem with new "CAT-BPSS" machines, which check bar codes to confirm that you haven't altered your pass (our 2012 and 2011 posts were actually about those very machines). Apparently someone figured out a way to alter the bar code too. So now American travelers are exactly as unsafe as they were 6 months ago. Forgive our lack of hysteria upon discovering that another expensive TSA technological quick-fix has failed.

But here's WaPo describing the loophole, the details of which they're keeping super-secret because it "basically negates the no-fly list". Shhh!

The Washington Post was alerted to the vulnerabilities by concerned passengers and verified them through independent security experts. At the request of U.S. officials, The Post is withholding details that would make it easier for the vulnerabilities to be exploited... Information about reading and altering boarding pass bar codes has circulated on online forums for several months, and has recently been picked up by security researchers... "It’s alarming — this basically negates the no-fly list," said Chris Soghoian... principal technologist at the American Civil Liberties Union.

Now in fairness, there are insinuations in the story that you can manipulate the bar code to get routed through PreCheck. But for that to matter you'd have to believe that non-PreCheck security is actually effective. Anyone?

See what we mean about phoning it in?

[Photo: kalleboo / Flickr]

Archived Comments: