And then over the weekend there was this Washington Post story about how people can make fake boarding passes to get through security. You can purchase a boarding pass under someone else's name to avoid the no-fly list, print out a copy, then digitally alter it to have your real name, then print out another copy. You use the altered version to get through ID checkpoints (since the pass has your real name, which will match your real ID) and the real pass to get on the airplane.
The vulnerability was figured out, we're guessing, about 90 seconds after the no-fly list was invented. We wrote about it in 2008 and 2009 and 2011, and then later in 2012. There was an additional post in 2011 where we outlined it in not a little bit of detail.
TSA was supposed to fix the problem with new "CAT-BPSS" machines, which check bar codes to confirm that you haven't altered your pass (our 2012 and 2011 posts were actually about those very machines). Apparently someone figured out a way to alter the bar code too. So now American travelers are exactly as unsafe as they were 6 months ago. Forgive our lack of hysteria upon discovering that another expensive TSA technological quick-fix has failed.
But here's WaPo describing the loophole, the details of which they're keeping super-secret because it "basically negates the no-fly list". Shhh!
The Washington Post was alerted to the vulnerabilities by concerned passengers and verified them through independent security experts. At the request of U.S. officials, The Post is withholding details that would make it easier for the vulnerabilities to be exploited... Information about reading and altering boarding pass bar codes has circulated on online forums for several months, and has recently been picked up by security researchers... "It’s alarming — this basically negates the no-fly list," said Chris Soghoian... principal technologist at the American Civil Liberties Union.
Now in fairness, there are insinuations in the story that you can manipulate the bar code to get routed through PreCheck. But for that to matter you'd have to believe that non-PreCheck security is actually effective. Anyone?
See what we mean about phoning it in?
[Photo: kalleboo / Flickr]