Use this handy boarding-pass generator to: 1) get through airport security without a ticket, 2) bypass the “extra screening” if you have “SSSS” printed on your ticket, or 3)—and this is harder—snag yourself a Business Class seat with a Coach ticket.
EDITED TO ADD (10/28): Lots of news on this item: the page is down, and he was visited by the FBI.
Skate • October 26, 2006 5:17 PM
As mentioned in Boing Boing, using the mentioned site could get you a free pass to a habeus corpus-free zone. Not worth it. I’m fascinated by the researchers tests but I wouldn’t want to be him in an era when habeus corpus has been suspended.
But it does bring up an interesting question. Is it illegal to alter the boarding pass you print out online? And are passengers under any obligation to print the “SSSS” code that guarantees extra screening? Or can you legally erase it before printing the boarding pass?
What’s the real point of not letting people without boarding passes into the gate area anyway? Supposedly if you go through the security checkpoint then you should be secure – does it actually matter if you’re going to get on a plane or not from that point?
Nick Lancaster • October 26, 2006 5:19 PM
And what are the penalties for using a fake boarding pass? This is an excellent illustration of what is wrong with the system, but it’s not something most people would be willing to attempt.
In the absence of QED, the flaw remains ‘theoretical’ and ‘ignorable’ by the administration, and our security is contingent on a ‘secret’ list that actually doesn’t include the most serious threats.
If we go back to the concept of something you have (boarding pass), something you know (flight #? … easily available), and something you are (a match to a photo ID … also not infallible), all the identity checking silliness is shown to be a rather shallow defense.
Steve Wildstrom • October 26, 2006 5:41 PM
The only real point to requiring boarding passes to go through security is to minimize the traffic through the checkpoints.
I have no idea why anyone would go through all this trouble to forege a boarding pass since it is ridiculously easy to get a legitimate online boarding pass in your own name and alter it as desired in the image-editing program of your choice. It won;t generate a valid boarding pass that will get you on a plane, but it will get you through the checkpoint.
As Bruce has pointed out on several occasions, the ability to print your own boarding passes would be a big security issue only if there were any real security gain in checking boarding passes at security.
(My pet peeve is the requirement that you show the pass while going through the mag. This would be reasonable only if people had three hands amd serves no imaginable purpose since they don;t check the passes against ID.)
Lisa • October 26, 2006 6:23 PM
“(My pet peeve is the requirement that you show the pass while going through the mag. This would be reasonable only if people had three hands amd serves no imaginable purpose since they don;t check the passes against ID.)”
I second that! What with all their other requirements (various levels of restrictions on liquids, taking all laptops out of their cases for scanning, taking off your shoes and jackets, etc.), I think our next evolutionary jump will be the growth of a second set of arms.
David in Chicago • October 26, 2006 6:51 PM
The boarding-pass requirement to get through security is a classic externality. The airlines used to have many more stow-aways than is commonly acknowledged. So instead of saying that stow-aways were a business problem, they called it a security problem, and voila, the cost of solving this business problem was borne by everyone but the airlines. In my own lifetime (I’m 36), people even used to be able to board the airplane–for example, to assist a disabled or juvenile passenger–without a pass. Go back and watch the early scenes in the movie Airport, in which airline security interviews an elderly, recidivist stow-away; that was the situation in the early 1970s.
David in Chicago • October 26, 2006 6:54 PM
Follow-up: As long as there is a class of people who have authorization to bring loaded weapons past security–local police, for example–concourse-level security is completely ineffective, unless all members of the class are totally trustworthy. Far better (and more expensive) to have security checkpoints at the gates instead, but U.S. airlines would never spend that kind of money. Nor, truth be told, would U.S. passengers.
Tim • October 26, 2006 8:20 PM
Steve – I think the purpose of printing a fake boarding pass is to allow one to get through security without buying a ticket.
And jw is right–the “show your boarding pass” is ridiculus because it serves no purpose in increasing security, only to annoy passengers. The least the TSA could do is pretend to check boarding passes against the “no fly” joke–I mean, list.
Andrew • October 26, 2006 8:32 PM
Follow-up: As long as there is a class of people who have authorization to bring loaded weapons past security–local police, for example–concourse-level security is completely ineffective, unless all members of the class are totally trustworthy. Far better (and more expensive) to have security checkpoints at the gates instead, but U.S. airlines would never spend that kind of money. Nor, truth be told, would U.S. passengers.
It’s a little more complicated. Local police need an FAA clearance and travel orders from their agency.
Any officer who loses control of a weapon inside a sterile area is in deep donuts, and they know it . . . so I actually feel much safer about the firearms on officer belts than I do about the knives in the kitchen(s).
Plane Confused • October 26, 2006 8:57 PM
Steve Wildstrom said: “It won;t generate a valid boarding pass that will get you on a plane, but it will get you through the checkpoint.”
I have to wonder about that. I accidentally got on the wrong domestic flight this week due to an unrealized gate change. I presented my valid, print-at-home boarding pass for “flight A” at the gate for “flight B”, the computer gave an affirmative beep, and the gatekeeper handed back my boarding pass. I then boarded “flight B”. I realized my mistake because there was already someone in ‘my’ seat. You’d think that the computer would have flagged that my boarding pass was for the wrong flight. Or at least that two boarding passes were presented for the same seat.
Even more curious, I was then able to use the same boarding pass to board the correct “flight A” without question. You’d think the system would have flagged that the same boarding pass was used twice.
This set of events certainly made me question the value of the boarding pass and why I needed to present it so many times as I wound my way through the airport.
dave glasser • October 26, 2006 9:22 PM
I always assumed that “show your boarding pass” was just a way to make sure nobody forgot to check in before going through security and had to waste time going through it twice. (And the stowaway issue, of course.)
Several People Called Anonymous • October 26, 2006 9:50 PM
The show your pass at the magetometer is a last second check for a “SSSS” search code.
Not that this is useful, of course, since printing boarding passes is trivial — indeed, I once dodged the extra screening by simply grabbing the boarding pass from my last flight and showing that to the TSA when I was going through — they glanced, didn’t see “SSSS”, and all was fine.
Joe • October 26, 2006 9:51 PM
Plane Confused: Maybe the gizmos are really security theatre props. They just beep or flash a light randomly and actually rely on people to get on the proper plane by themselves.
Plane Confused • October 26, 2006 10:14 PM
Joe: “Maybe the gizmos are really security theatre props. They just beep or flash a light randomly and actually rely on people to get on the proper plane by themselves.”
No doubt, getting on the wrong plane was in large part my error. However, never did I expect that such a thing was possible. Props, indeed. It makes you wonder about just how reliably bags are matched to passengers actually being on a flight.
Traveller • October 27, 2006 12:11 AM
Re: ability to get on the wrong flight. A few days ago, after boarding, I overheard a conversation between a flight attendant and a young woman — the woman had also gotten on the wrong plane.
I witnessed more lax security at MKE recently, where I found two lines in front of the security check. I queued up on the one nearer the magnetometer, but then realized that the other one led to a lectern, where a TSA employee was performing the “pre-security boarding-pass stamping/checking”. The woman didn’t pay good attention to ensure that only people who had been in her line got into the magnetometer/x-ray line. In fact, several people walked, likely unintentionally, directly to the latter line, bypassing the preliminary boarding pass check. What a joke.
Chicago • October 27, 2006 2:13 AM
If I had to get into the boarding area, I could do so legitimately (i.e., not risking a trip to the “habeus corpus free zone”) by buying a full-fare refundable ticket to anywhere for 3 or 4 hours after the time I need to get in … printing out a boarding pass and using it to enter, and then calling the airline from my cell phone to cancel the reservation and get a refund.
Geoff Lane • October 27, 2006 2:38 AM
Why is there a ticket AND a boarding pass? What different purposes do they serve?
It suggests to me that there is a discontinuity in passenger processing between the airport and the carrier. The handover between the airport side security and the aircraft side security is an obvious potential target for blackhats.
It’s entirely possible that some or most of the security crazyness in airports is due to multiple sets of security run by different organisations and following different rules.
MathFox • October 27, 2006 4:10 AM
It definitely is possible to get on a plane without having your boarding pass checked. (The simple “accomplice distracts ground stewardess” trick.) In a wide body it is more often than not that passenger counts don’t match the collected boarding passes. Usually innocent passengers with a valid boading pass that are registered as “not boarded”.
Geoff: Ticket and boarding pass come from the time of paper tickets, “open” return tickets, etc. Tickets would not allways be issued by the airlines (and datacommunication didn’t work reliably enough).
The ticket is your proof of payment (which the airline can use as proof to get its money from the ticket issuer); the boarding pass is your “entry card” to the plane and it allows the airline to create a final passenger list (luggage checks, etc.)
Simon_c • October 27, 2006 5:36 AM
Well, if people are using it to get free business class travel, then there’s a chance the loophole will be fixed.
Now, if only there was a way of figuring out which business class seats were free before getting onto the plane….
obvious • October 27, 2006 6:05 AM
Two things that haven’t been said:
The original reasoning behind the boarding pass (which was issued at the airport) was that you received it when you checked in, and it was a confirmation to the airline that you had shown up for your flight, checked any luggage you were going to check, and were ready to get on the airplane. Then they could page you and delay the plane slightly if you weren’t on board. This has gradually morphed into what it is today, which is really another pointless piece of paper that has been “streamlined” out of its original purpose. It no longer says that you are really going to show up for the flight.
The thing that I am extremely surprised nobody has bothered to bring up yet is the gaping hole in the security system presented by the way the boarding pass system currently works. The problem is the following:
The luggage screeners are not infallible
They let a certain number of things through that they should not (anecdotally, a fairly large number)
If you have a reasonable number of accomplices, you can try to take your forbidden items through the checkpoint as many times as it takes till they get through.
Once inside the secure area, you can hand them off as your crew cycles through the area. People in airports are not rare things, and if one or two of your members are in the airport at all times, there is no reason you would have trouble retaining your materials indefinitely till you had whatever you needed inside the secure area to build your doomsday machine.
This “poke at it till it lets us through” problem is fairly important. If you get caught with something you shouldn’t have at the checkpoint, they take it away from you or send you back to the end of the line to try again. Assuming any failure rate at all, and a low cost per attempt for the attackers, there is no reason you can’t brute-force airport security.
This said, I think any terror group targeting air travel is thinking in the wrong places.
dlg • October 27, 2006 7:07 AM
@Simon_c:
Some airlines offer online seat assignment. On not too full planes, you could look that up shortly before boarding (if still available), and hope nobody is assigned “your” seat in the meantime. Business people often arrive late, so there’s a risk.
However, I’ve seen more than once that people had their seat assignments screwed up. So I guess even your fake boarding pass stub wouldn’t land you in trouble. It happens too often for that (or maybe, those cases were all people trying to hack the system… :).
Harald Hanche-Olsen • October 27, 2006 9:13 AM
Hmm, interesting. Things clearly work very differently in the UK. I visited Bristol last March, and found that the security screeners there really do have scanners. I had a boarding pass that I had printed myself, one of the fancy new KLM ones where the “bar code” is really a two-dimensional pattern. The security guard’s scanner could not read it, so he sent me back to the check-in counter to have them print me a standard boarding pass. Fortunately I had arrived with plenty of time, or I could have missed my flight because of the extra delay (the airport was really crowded).
frequent flyer • October 27, 2006 9:17 AM
Chicago wrote “If I had to get into the boarding area, I could do so legitimately […] by buying a full-fare refundable ticket […] using it to enter, and then calling the airline […] to cancel the reservation and get a refund.”
BTDT to help solo-parent sibling get all 3 kids to boarding gate. I bought the ticket at the airport, too. Easy as pie. Not, I think, a security violation as such – just a hole that allows us to circumvent the system.
bob • October 27, 2006 9:39 AM
@simon, dlg: I have had several instances where I and someone else have been issued a legitimate (I assume, since we are talking more than ten years ago for the first instance – before you could print them yourself) boarding pass for the same seat.
I have always wondered why the airline waits until I get on the aircraft and am sitting in “my” seat with someone standing next to me with a boarding pass for the same seat before they do anything about it – after all, the computer already knew it an hour or more beforehand when it printed the second boarding pass for the same seat. I guess that way the cabin crew can visually see who actually did not show up and put the extra person there?
I mean, we all know they overbook, so if everybody shows up they will be printing a lot of “overlapping” boarding passes seems like that would be better settled in the terminal than in the aircraft?
FP • October 27, 2006 10:15 AM
Chicago, frequent flyer: Re: “buying a full-fare refundable ticket”.
Yes, you could do that, but then you are subjected to all the security theater of being screened and profiled against secret government databases.
The point of the exercise is that people can pass airport security without the usual background check.
Todd Knarr • October 27, 2006 11:21 AM
Bob: one reason the computers don’t flag that “two boarding passes for the same seat” is probably overbooking. There’s always a certain percentage of people who don’t show up for the flight, and with thin margins the airlines need to fill every seat so they overbook flights by the percentage they figure won’t show up. A lot of boarding passes are printed before people arrive at the airport, and if the system didn’t allow duplicates they couldn’t book those extra people. Given that, it’s easier just to allow duplication of seat assignments and let the cabin crew sort it out.
Tim R • October 27, 2006 11:26 AM
@Frequent Flyer/Chicago:
My girls, aged 11 and 15 at the time, were flying to my father’s place out in New Mexico this past spring. I discovered that it’s trivial to get a pass from the airlines that allowed me to accompany them through the security checkpoint and right up to the gate.
From what I understand (with Southwest Airlines, anyway), they only issue them to parents of unaccompanied minors 10 or under, but the customer service rep on the phone told me that, regardless of the age of the passenger, it never hurts to inquire. It costs nothing, and all you have to do is ask. As a side note, I was not flagged for any extra or exclusionary treatment either way from the TSA.
Me, of course • October 27, 2006 11:48 AM
@Simon_c:
If you want to fly in business class, just print out one boarding pass for each business seat on the plane, and board last. Note that this is in no way suggested as theft is in general a bad idea.
Andrew2 • October 27, 2006 11:49 AM
Preventing people without boarding passes from going through the security checkpoint is not a security measure, per se. Before 9/11 people would routinely go through security and meet travelers at the gate. Now, security screening takes significantly more time and money. Requiring a boarding pass to go through security reduces the number of people who are not flying from wasting the resources available for security.
In relation to the habeas-corpus free zone, we find this in a “quaint and obsolete” document: “Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances.”
derf • October 27, 2006 1:20 PM
Just a suggestion for you ne’er-do-wells: Don’t try using a fake Northwest boarding pass at an airport that doesn’t service Northwest airlines.
Anonymous Coward • October 27, 2006 3:19 PM
This kind of prank can get you in danger quickly in stupid times such as the ones we live in:
“Congressman Edward Markey (D-Mass.) wants the federal government to arrest security researcher Christopher Soghoian for creating the Northwest Airline Boarding Pass Generator, a site which lets anyone create a facsimile of a Northwest Airlines boarding pass. Soghoian hoped to spur Congress to look closely at the nation’s aviation security policies, which he calls “security theater.” Instead, Markey, a member of the House Homeland Security committee, wants the site shut down and Soghoian arrested. ”
Anonymous Coward • October 27, 2006 3:20 PM
This kind of prank can get you in danger quickly in stupid times such as the ones we live in:
“Congressman Edward Markey (D-Mass.) wants the federal government to arrest security researcher Christopher Soghoian for creating the Northwest Airline Boarding Pass Generator, a site which lets anyone create a facsimile of a Northwest Airlines boarding pass. Soghoian hoped to spur Congress to look closely at the nation’s aviation security policies, which he calls “security theater.” Instead, Markey, a member of the House Homeland Security committee, wants the site shut down and Soghoian arrested. ”
“IT: Congressman Calls for Arrest of Security Researcher” now on Slashdot: http://it.slashdot.org/it/06/10/27/2124231.shtml
Chuck Charbeneau • October 27, 2006 9:58 PM
I hope you are continuing to follow the story, as apparently agents from the FBI were at his door earlier today and he has been incommunicado since.
Chris’ Blog: http://slightparanoia.blogspot.com/
Wired: http://blog.wired.com/27bstroke6/2006/10/fbi_says_no_arr.html
BoinBoing: http://www.boingboing.net/2006/10/27/fake_boarding_pass_g.html
Roger • October 27, 2006 11:07 PM
The boarding pass site now 404’s.
Incidentally, the system in the US seems to wrk quite differently to here in Australia.
Here, you do not require a boarding pass to go through the security gate. Anyone can get in, provided they pass the security screening. People do it all the time in order to farewell friends. This seems perfectly reasonable to me; even if boarding passes really confirmed identity, I see nothing wrong with having an unarmed person of uncertain identity partaking of the concourse concessionaires’ awful, overpriced “fast food” or limited selection of mediocre ales. Or at least, nothing insecure.
However, you definitely need a pass to board a plane! The boarding gates are arranged so that it is not possible to slip past with the “accomplice distracts ground stewardess” trick; you would have to physically shove her aside.
And they really do check that the correct persons (or at least, correct boarding passes) board the correct plane; at any rate, it seems to take them only a second or so to check if a particular passenger has boarded yet, and whether or not he/she has checked luggage on board. (Although I’ve never seen what happens if someone tries to board the wrong flight; it’s almost impossible to make the mistake, as they have so many signs and make so many announcements — usually in several languages.)
P-Air • October 27, 2006 11:59 PM
Oh-oh, looks like the referred to site (http://www.dubfire.net/boarding_pass/) is no longer operational…doh!
Davi Ottenheimer • October 28, 2006 12:55 AM
Hmmm, at 7PM ET the AP reported the following:
http://news.yahoo.com/s/ap_travel/20061027/ap_tr_ge/travel_brief_fake_boarding_pass
“He said no one from the government had complained to him about the site, yet.
‘If I get a letter from the government telling me to take it down, then I’ll take it down straightaway,’ Soghoian said.”
Intersting quote from the TSA spokesman in that article as well:
“He condemned the Web site. ‘The Web site really has the potential to promote illegal activity.'”
Potential to promote illegal activity? With vague standards like that, just about anyone could be in trouble for anything…
What is the temperature at which web-pages catch fire, and burn?
Anonymous • October 28, 2006 2:23 AM
It seems that the FBI have visited (blog authenticity not verified).
http://slightparanoia.blogspot.com/2006/10/fbi-at-door.html
The FBI denies the arrest but he seems to have disappeared anyway
http://blog.wired.com/27bstroke6/2006/10/fbi_says_no_arr.html
Possibly caused by
http://it.slashdot.org/it/06/10/27/2124231.shtml
a Democrat congressman called Markey
http://markey.house.gov/index.php?option=com_content&task=view&id=43&Itemid=6#
(also posted to wrong story.. moderator deletion would be appreciated)
Clark Cox • October 28, 2006 4:22 AM
Roger: That’s how it worked, pre-9/11, here in the US as well.
dda • October 28, 2006 7:26 AM
12+ years ago, during my last visit to the US, I saw a friend off – on Northwest of all airlines 🙂 – at Newark, up to the gate. I never had to show ID or boarding pass, and as a European, it felt scary that I was allowed this far inside the airport. Whether this feeling was justified or not is irrelevant, I think, as different customs and habits spawn different reactions.
In Europe, you not only need a boarding pass, but an ID, to get through security – or a badge, as an employee, of course. You need to present your ID three times, at least: at check-in, at customs control [if on an international flight], at luggage inspection where they compare the name on ID and boarding pass, and at the gate, while boarding. I’ve even had my ID and borading pass checked another time on the jetway before entering the plane. Dunno whether this is overkill or not, but it sure looks like it’d be harder to slip in unwanted…
On the other hand, a security employee at a French regional airport told me once that they had no way to check the validity of e-tickets issued by Air France – which you basically print out at home and show at luggage inspection, and it is not scanned to check validity, as is the case for other e-tickets I have seen. Of course, once you’re inside, you still can’t get access to the plane, as the e-tickets are scanned then, but it is indeed preoccupying that one could get access to the gates so easily.
Vance • October 28, 2006 1:39 PM
@Davi
What is the temperature at which web-pages catch fire, and burn?
“Fahrenheit 404” perhaps?
libertynews • October 28, 2006 5:38 PM
He’s still got an image up http://photos1.blogger.com/blogger/6601/1598/1600/osama-boarding-pass.jpg
After reading the rest of his blog I think that all the php code did was fill in/cover up the name, etc. It didn’t actually generate the boarding pass, it was image editing a boarding pass template.
Which is trivial for someone to do themselves with an image editing program and a copy of their own pass, as described in his post on October 18th – http://slightparanoia.blogspot.com/2006/10/paging-osama-please-meet-your-party-at.html
It looks like another case of techno-idiots in the FBI/government bureaucracy overreacting to something that that do not understand. And what’s with the 2AM kick down the door and take all the computers tactics? At least they didn’t burn the place down.
David Molnar • October 28, 2006 6:21 PM
Libertynews, you alluded to this, but I didn’t see the link. Here’s his blog entry with scans of a search warrant:
http://slightparanoia.blogspot.com/2006/10/fbi-visit-2.html
As for why it was executed in the early AM, who knows. If I were to speculate, they might have been worried that he would erase or destroy evidence had he known they were coming. In any case, this is looking more serious than just a simple request to take the script down.
php coder • October 28, 2006 6:31 PM
Here is a very quick PHP hack to edit a boarding pass template. Edit the boarding pass above to white out the areas to change and save it as nwa_pass.png. This code can be called with:
bp.php?name=Tom%20Tuttle&date=29OCT2006&flight=US17B
There should be enough fields here that even non-PHP programmers get the idea.
A web server with PHP and GD are required. Wrap this in standard php opening and closing brackets.
ATTN: FBI Agents — this took about 15 minutes. Anyone with any amount of PHP experience can do this.
$pass = “nwa_pass.png”;
$name_loc = array( 202, 138 );
$date_loc = array( 55, 230 );
$flight_loc = array( 55, 250 );
$name = $_GET[‘name’];
$date = $_GET[‘date’];
$flight = $_GET[‘flight’];
header(“Content-type: image/png”);
$im = imagecreatefrompng(“./” . $pass);
$black = imagecolorallocate( $im, 0, 0, 0 );
imagestring( $im, 4, $name_loc[0], $name_loc[1], $name, $black );
imagestring( $im, 4, $date_loc[0], $date_loc[1], $date, $black );
imagestring( $im, 4, $flight_loc[0], $flight_loc[1], $flight, $black );
/* Output the image */
imagepng($im);
imagedestroy($im);
sec_theater_in_THX • October 28, 2006 8:56 PM
@libertynews
At least they didn’t burn the place down.
You’re confusing three letter agencies…
To burn it down requires the ATF.
@php coder
ATTN: FBI Agents — this took about 15 minutes.
You might want to direct your comments to the procecutor and judge. They’re the ones issuing the warrent.
Sky-Ho • October 28, 2006 10:03 PM
Roger,
We have a tremendous amount of citizens in the US who void their bladders at the slightest hint of something unusual, so we have what some of us call, security theatre.
It placates the fruit-cakes while irritating those with double digit IQ or higher. It does not work. Many of us know that. A friend of mine smuggled a blackboard eraser sized box into the “secure zone”, twice, three months ago. This was after two armed dudes managed to access the secure area, sans authorization. This was all done at a major airport.
The joke goes on, and more than a few of us are waiting for the next bang, yet another failure from our present administration.
SamIain't • October 29, 2006 2:15 AM
“You might want to direct your comments to the procecutor and judge. They’re the ones issuing the warrent.”
According to his bio, the judge is an ex-FBI Special Agent.
Globetrotter • October 29, 2006 7:14 AM
This is bound to happen. In Europe now we are encouraged to check-in online (perhaps the day before) and print our own boarding passes. So they will be printed on normal paper, and we can easily mess about with them on our PCs, store them for future reference, or publish on the Internet. The boarding pass is not a security document, and if they want it to be so, then they need to retain control of printing them so that they can be watermarked etc.
Chris • October 29, 2006 9:04 AM
In Canada, third-tier carriers and corporate flights don’t require all of the ridiculous security checks found at the main terminals. Of course, those of us with graying hair, white skin, and business clothes don’t have to deal with “security” for most first-tier flights either. The only time I’ve ever been searched was at a very small airport on a flight with 5 passengers right after the Canadian Air Transport Security Authority increased inspection quotas. No matter how high the quota of-the-day, however, only my first of two laptops ever gets tested for explosives.
Risk assessments and samples are significant parts of security. However, when the sampling methodology is so obvious, threat profiles so artificially restricted, and even those with the SSSS flag can move themselves into the perceived low risk class, does the whole exercise provide any benefit other than a very expensive, inconvenient deterrent to children and “terrorists??? with no planning time?
Roger • October 29, 2006 5:43 PM
OK, I think I understand the issue here.
The “problem” which the “authorities” are trying to address is that purchasing travel documents in an identity does not verify that identity (or not very strongly). This is bad because you might travel under the ID “A. D. Baker” when actually you are the wanted fugitive [1] “Donald Eugene Webb” [2]. So they want you to show some sort of government issued photographic ID before boarding, as well as the travel documents.
Properly speaking, this should be done at the boarding gate: show your boarding pass (to prove you have bought a ticket), and your ID (to prove you are the person shown on the boarding pass), as you file onto the plane. However checking ID against boarding passes at the gate slows down boarding, costing the airlines money, so they wanted it done elsewhere.
In the US, it is now done by TSA personnel at the security scan. This is pointless. The system as it exists has no way for the TSA personnel to tell if they are looking at a valid boarding pass, no way to tell if the boarding pass with which you pass the scan is the same as the one you board with, and no way for the TSA personnel at the scanners to tell if the ID they confirm is on a “No Fly List” or not. Thus, it achieves absolutely nothing: a perfect example of “security theatre”. Additionally, it creates big queues at the scanners, which are obnoxious and arguably dangerous [3].
In Australia, comparing boarding pass, ID documents (usually a photographic driver’s license) and passenger’s face, is all done at the check-in desk. Everyone has to validate their boarding pass at the check-in desk, regardless of the 3 possible methods of printing it (at home via the internet, at printing kiosks near the check-in which are validated against your credit card, or at the check-in desk itself), and regardless of whether you actually have check-in luggage. You then go through the security scan (without them looking at boarding passes or IDs), and — if travelling — later are allowed on the plane based on examining your boarding pass.
This is a much better system; it still has one obvious hole, although a much smaller one. The advantages are:
* boarding passes are only inspected at those (two) points where their validity is easily assessed;
* binding a personal identity, an identity document, and a boarding pass all occur at a point where the validity of all them can be assessed simultaneously [4]; and
* the most time-intensive part of the process occurs at a location where it doesn’t impact other airline or security operations, so there is no pressure to skimp.
The main hole is that there is still no proof that a person boarding an aircraft with a valid boarding pass is the same person as the one to whom it was issued. Thus a boarding pass can be issued to a confederate, validated at check-in, and then passed off to a fugitive who can easily board the aircraft. This is still better than the US system, because the fugitive requires a confederate who is not on any wanted list, is prepared to commit a crime to assist the fugitive, and is quite likely to be quickly identified if an investigation into the incident ever occurs. In contrast defeating the US system requires no confederate, no special skills, and the only identity that gets recorded anywhere is totally bogus.
gfujimori • October 30, 2006 11:19 AM
Now the FBI has raided his home. This is what you call abuse of executive power. They’re merely trying to cow him into submission by making his life very unpleasant.
Xellos • October 30, 2006 2:14 PM
So has anyone thought of any other fun experiments you could do with a thing like this?
If you’ve got a lot of spare time, it’d be fun to see what the TSA reaction to a boarding pass reading SSSSSS would be.
Roger • October 30, 2006 6:07 PM
@Xellos:
If you’ve got a lot of spare time, it’d be fun to see what the TSA reaction to a boarding pass reading SSSSSS would be.
They’d take you aside for additional screening. I’m afraid it is not much fun, actually.
Kelly • October 31, 2006 9:53 AM
There seems to be a misconception, here. At the airports I’ve been through, the person that checks the boarding pass against your ID is not a TSA employee. They were not wearing TSA uniforms and I’ve even asked them to confirm this.
As mentioned, TSA now asks to see (only) your boarding pass as you go through the portal, but has anyone actually seen a TSA employee checking boarding passes against IDs? I believe this is still for the airlines, as Bruce has discussed before, and not for security.
FP • October 31, 2006 11:08 AM
Another comment on the story by The Register:
http://www.theregister.co.uk/2006/10/31/the_fake_boarding_pass_merit_badge/
“In the five years since 9/11, the TSA has failed to catch a single terrorist, and it isn’t because they’re printing boarding passes. It’s because the entire idea of setting up checkpoints at widely-publicised locations and waiting for terrorists to turn up and get caught is idiotic.”
bob • October 31, 2006 12:37 PM
@FP: They’ve got the solution now; its called “registered traveller”, and every terrorist in the US will be signing up shortly…
bob • October 31, 2006 12:47 PM
@Todd Knarr: Stipulated, but my point is that a computer scans the boarding passes at the actual gate/jetway. At THAT point it knows there are two people (or more?) who ACTUALLY SHOWED up with the same seat assignment; one is already on the plane and the other one is about to walk down the ramp.
At this location, there are (usually 2) gate agents who could find a not already issued seat to send the second person to rather than wait until they are inside the airliner while people are trying to file past in order to find a bin to stuff their hand-carried pianos into. Plus the gate agents are waay less busy than the cabin crew. And the plane might not have any empty seats, in which case that person is going to need to come off the plane anyway, I think they would be less PO’d if they dont have to fight their way back up the jetway in order to miss their flight.
plane_guy • January 27, 2008 3:54 PM
Wow, this guy sure is stupid. He should’ve known (being a PhD in computer sciences and all) that he would get busted by the FBI sooner or later.
Sputnikman • January 3, 2009 6:14 PM
That is sooooooo bad! Why would you even make such a thing! Mr. Schneier, I really don’t think that was a great thing to post on your web page.
caribou • January 18, 2009 6:40 PM
Mr. Schneier,
Is there a way to get through security checkpoint without a boarding pass being bought? What if you just want to meet a friend that has a short lay-over?
I heard this was possible. I want to meet someone on Friday. What ideas do you have.. without breaking laws 😉
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Zwack • October 26, 2006 5:15 PM
This justs proves once again that we only have security theatre at US airports.
Z.