With the holidays approaching, a new program providing greater access to airport concourses is underway. At select airports throughout the country, non-travelers can now enter and meet arriving loved ones, as was routine just a few years ago.
Everyone entering the concourse will still be subject to physical security checks, but the program permits travelers to pass through security and board planes either without showing ID to transportation authorities or while using a false or pseudonymous ID.
Has the Transportation Security Administration seen fit to restore convenience, privacy, and freedom to air travelers? Seen the light on identification-based security and relented on ID/boarding card checks? Well, no.
A PhD student in the Security Informatics program at Indiana University has created a generator that anyone can use to mock up their own boarding pass. He notes a number of different uses for it – among them, meeting your elderly grandparents at the gate, or evading the TSA’s no-fly list. So far, it’s only good for Northwest Airlines, but others would be equally easy to design.
Checking the ID and boarding pass is intended to communicate to personnel at the concourse checkpoint that a person has been run past the watch list and “no-fly” list. It provides a sort of second credential, linked by name to the ID of the person who has been reviewed. This spoof easily breaks that link. Fake a credential matching any ID you have, and you are in the concourse.
I wouldn’t recommend using this system without a careful check of the law – if you are allowed to see it. It’s probably illegal to access an airport concourse this way, and the TSA would bring the full weight of its enforcement powers down on you if you were caught. Needless to say, making it illegal to evade security is what keeps the terrorists in line.
Hmm. Or maybe security procedures actually need to work.
And that’s the researcher’s point: Comparing a boarding pass to an identification document at the airport does little to prevent a watch-listed or no-fly-listed person from passing (except perhaps to inconvenience him a little more than everyone else). Indeed, identification-based security is Swiss-cheesed with flaws.
The first problem is that you have to know who the bad guys are. If you don’t know who is bad, your ID-based security system can’t catch them. If you do know who is bad, you have to make sure that they aren’t using an alias. The cost of doing so may vary, but defrauding or corrupting identity systems is an option that will never be closed to wrongdoers. Making an identity system costly for bad guys to defeat also makes it costly for good people to use. Witness the REAL ID Act.
The linear response to the exposure of this flaw could be to “tighten up” the system – perhaps by discontinuing the use of self-printed boarding passes. The right response is to abandon the folly of identity-based security and use security methods that address tools and methods of attack directly.
There’s plenty on identity and identity-based security in my book Identity Crisis.