Meet Grandma at the Gate This Thanksgiving!

Posted on October 26, 2006 · 6 comments

With the holidays approaching, a new program providing greater access to airport concourses is underway. At select airports throughout the country, non-travelers can now enter and meet arriving loved ones, as was routine just a few years ago.

Everyone entering the concourse will still be subject to physical security checks, but the program permits travelers to pass through security and board planes without showing ID to transportation authorities, or while using a false/pseudonymous ID.

Has the Transportation Security Administration seen fit to restore convenience, privacy, and freedom to air travelers? Seen the light on identification-based security and relented on ID/boarding card checks? Well, no.

A PhD student in the Security Informatics program at Indiana University has created a generator that anyone can use to mock up their own boarding pass. He notes a number of different uses for it – among them, meeting your elderly grandparents at the gate, or evading the TSA’s no-fly list. So far, it’s only good for Northwest Airlines, but others would be equally easy to design.

Checking the ID and boarding pass is intended to communicate to personnel at the concourse checkpoint that a person has been run past the watch list and “no-fly” list. It provides a sort of second credential, linked by name to the ID of the person who has been reviewed. This spoof easily breaks that link. Fake a credential matching any ID you have, and you are in the concourse.
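The gap described above can be modelled in a few lines; this is an added example, not code from the post or from the researcher's generator. It assumes a hypothetical issuer that tags each pass with an HMAC (function names, key and sample values are constructed), and it closes only the forged-document gap: a pass genuinely issued under an alias still verifies.

```python
import hashlib
import hmac
import json

# Constructed demo key (assumption); a real issuer would guard its own key.
ISSUER_KEY = b"constructed-demo-key"

def _mac(fields, key):
    # JSON list encoding keeps field boundaries unambiguous before MACing.
    msg = json.dumps([fields["name"], fields["flight"], fields["date"]]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def issue_pass(name, flight, date, key=ISSUER_KEY):
    """Issuer side (hypothetical): runs after the list check and tags the pass."""
    fields = {"name": name, "flight": flight, "date": date}
    fields["tag"] = _mac(fields, key)
    return fields

def name_match_check(id_name, boarding_pass):
    """The checkpoint test the post describes: does the paper match the ID?"""
    return id_name.strip().lower() == boarding_pass["name"].strip().lower()

def authenticated_check(id_name, boarding_pass, key=ISSUER_KEY):
    """Name match plus proof that the issuer produced exactly these fields."""
    presented = str(boarding_pass.get("tag", "")).encode()
    expected = _mac(boarding_pass, key).encode()
    # Constant-time comparison avoids leaking how much of the tag matched.
    return hmac.compare_digest(presented, expected) and name_match_check(
        id_name, boarding_pass)

def demo():
    # All values below are constructed sample data.
    issued = issue_pass("Pat Example", "NW 0000", "2006-11-23")
    self_printed = {"name": "Pat Example", "flight": "NW 0000", "date": "2006-11-23"}
    altered = dict(issued, name="Sam Sample")  # issued pass, name field edited
    return {
        "name_only_accepts_self_printed": name_match_check("Pat Example", self_printed),
        "auth_accepts_issued": authenticated_check("Pat Example", issued),
        "auth_rejects_self_printed": not authenticated_check("Pat Example", self_printed),
        "auth_rejects_altered": not authenticated_check("Sam Sample", altered),
    }

if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```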

I wouldn’t recommend using this system without a careful check of the law – if you are allowed to see it. It’s probably illegal to access an airport concourse this way and the TSA would bring the full weight of its enforcement powers down on you if you were caught. Needless to say, making it illegal to evade security is what keeps the terrorists in line.

Hmm. Or maybe security procedures actually need to work.

And that’s the researcher’s point: Comparing a boarding pass to an identification document at the airport does little to prevent a watch-listed or no-fly-listed person from passing (except perhaps to inconvenience him a little more than everyone else). Indeed, identification-based security is swiss-cheesed with flaws.

The first problem is that you have to know who the bad guys are. If you don’t know who is bad, your ID-based security system can’t catch them. If you do know who is bad, you have to make sure that they aren’t using an alias. The cost of doing so may vary, but defrauding or corrupting identity systems is an option that will never be closed to wrongdoers. Making an identity system costly for bad guys to defeat also makes it costly for good people to use. Witness the REAL ID Act.

The linear response to the exposure of this flaw could be to “tighten up” the system – perhaps by discontinuing the use of self-printed boarding passes. The right response is to abandon the folly of identity-based security and use security methods that address tools and methods of attack directly.

There’s plenty on identity and identity-based security in my book Identity Crisis.

  • http://www.blogger.com/profile/14019452 Steve R.

    Security is an illusion. First, I wouldn’t know a valid “badge” from a forged one. There are simply too many government agencies, each with their own unique form of ID. So how could anyone hope to recognize all the possible valid badges?????

    Next, even as a casual observer, I see many lapses of security by our so-called security professionals. Several years ago, during lunch, I used to walk by a Federal building that had no-parking signs plastered around it plus the vehicle barriers. What did I see? An unoccupied GSA police car parked in front for several hours at a time. An enterprising terrorist could easily fake such a car.

    Periodically, I have to enter a military base and I have to show my ID, not a problem. However, if you have one of those special vehicle stickers on your car you don’t have to even stop to demonstrate who you are. Again an enterprising terrorist could simply copy a sticker or hijack one of those cars with a vehicle sticker and get on base.

    In conclusion, I must add this gratuitous politically correct statement that we must still attempt to improve our security. After all, there is no such thing as “too much security”.

  • http://enigmafoundry.wordpress.com/ enigma_foundry

    Periodically, I have to enter a military base and I have to show my ID, not a problem. However, if you have one of those special vehicle stickers on your car you don’t have to even stop to demonstrate who you are. Again an enterprising terrorist could simply copy a sticker or hijack one of those cars with a vehicle sticker and get on base.

    In the base that my brother had occasion to work on, the stickers were optically scanned, and checked that the plate matched that which was on record. That still wouldn’t do away with the stolen car, although those who have cars with the stickers are told to report the theft of their car immediately, and are given a number to call and report this. Police in areas such as Ridgecrest CA, which have a very high percentage of military base stickers on cars, will ask if you report your car stolen, also.

    In conclusion, I must add this gratuitous politically correct statement that we must still attempt to improve our security. After all, there is no such thing as “too much security”.

    Yes, actually there is, because in a world of finite resources, spending too much on a certain type of security deprives you of the ability to spend those resources on other more effective types of security. Think, for example, of the billions of dollars spent on mail security (x-rays, sensors, handling precautions) that has not yet caught a single piece of terrorist items in the mail.

  • http://www.blogger.com/profile/14019452 Steve R.

    You are correct, I was attempting to be funny.
