Boarding Pass Failure

Closing an airport security loophole.

The FBI raided the home of Indiana University grad student Christopher Soghoian, who created a Web site that lets users forge their own airline boarding passes. Soghoian said he intended to call attention to an airport security loophole. In a “Hey, Wait a Minute” article published in 2005 and reprinted below, Andy Bowers identified the loophole, created his own fake documents, and proposed a simple fix.

The Homeland Security Department’s No-Fly List has always seemed a bit absurd to me. Only the stupidest terrorist would try booking a flight under his own name (or his known aliases) three years after the 9/11 attacks, and one thing I hope we’ve all learned is that our most dangerous enemies aren’t stupid.

But even if you assume the No-Fly List serves an important purpose, the system as it presently operates contains a gaping, dangerous loophole that makes the list nearly useless. It’s a loophole so obvious, it occurred to me the first time I held it in my hand. And believe me, if I can figure it out, any terrorist worth his AK-47 realized it a long time ago.

The loophole is “Internet check-in,” a convenience most airlines now offer. (It was first used by Alaska Airlines in 1999, but expanded rapidly after 9/11, as air carriers looked for ways to ease wait times for grumpy passengers.)

Here’s how Internet check-in works: On the day of your flight, you can now go online, check in as though you were standing at a kiosk in the airport, and—this is the important part—print out your own boarding pass at home. You then bring your boarding pass, which includes a unique barcode, with you to the airport and go straight through the security line (in many cases, you can check bags at the curb).

It’s a terrific timesaver, and there’s actually nothing inherently wrong with allowing people to print their own traveling documents at home or the office. The problem is what the airlines and the Transportation Security Administrationdo with those documents at the airport. (In the last year, I’ve used Internet check-in on three different major airlines and at airports both large and small across the country. In every case, I could have exploited the loophole with ease, and in exactly the same way.)

A home-printed boarding pass is generally checked only twice at the airport:

1) Right before you go through security, a security guard checks your boarding pass against your government-issued ID, making sure the names match. This check does not include a scan of the barcode, in part because the same security checkpoints process passengers for multiple airlines with different computer systems. Occasionally a second security guard at the metal detector will double-check the boarding pass, but again, not by scanning it.

2) Once you get to your boarding gate, the barcode on the printed pass is finally scanned just before you enter the Jetway. However, as the boarding agents remind you over and over, you no longer need to show your ID at the gate. (The TSA estimates 80 percent of U.S. airports have done away with ID checks at the boarding gate.)I’ve noticed that many passengers still have their driver’s licenses or passports in hand as they approach, remembering post-9/11 enhanced security. But the agents cheerily tell them to put their IDs away—they’re no longer necessary.

Do you see the big flaw? At no point do you have to prove that the person in whose name the ticket was bought is the same person standing at the airport.

At stop 1), the name on a home-printed boarding pass is checked against an ID, but not against the name stored in the airline’s computer. At stop 2), the name on the printed pass is checked against the name in the computer, but not against an ID.

So all a terrorist needs to breeze through this loophole are two different boarding passes, both printed at home, that are identical except for the name. Check out the mock-up I made on Microsoft Publisher in about 10 minutes, using a real boarding pass I was issued last month. On the first one, you see my real name. On the second, the name has been replaced by that of Mr. Serious Threat, who we will pretend is on the No-Fly List.

Say Mr. Threat and his nefarious associates buy a ticket in someone else’s name (perhaps by stealing a credit card number—something criminals do without immediate detection all the time). In this case, the name of the card-theft victim (me) will be printed on the boarding pass. Mr. Threat can be pretty sure a common name like mine won’t trigger the No-Fly List as his would. Then he prints out the two boarding passes: the original in my name and an altered duplicate in his name.

At the first security checkpoint (the one where no scan takes place), he can breeze through using any name he wishes—even his own—just so long as his photo ID matches the altered boarding pass. Unless the security guard has the entire No-Fly List memorized, she isn’t going to stop Mr. Threat. On the way to his gate he does the old switcheroo, and produces the pass with my name, which will match the computer record. Child’s play. His real identity has never set off the computer’s alarm bells.

Just to check my theory, I ran it by a noted airport security expert. When he heard my scenario, he immediately asked not to be named, because he didn’t want to be on the record saying a method of foiling security might work. But he’s pretty sure it would. “[The double boarding pass scam] would completely negate, for all intents and purposes, an identity check,” he said gravely. It is, he agreed, “a potential loophole in the process.”

I also spoke with Nico Melendez, a field communications director for the TSA. “We recognize that something like that could happen,” he said. But he noted that even if someone passed through on a fake name, they are still subject to metal detectors, baggage scans, air marshals, and all the other physical safeguards (both seen and unseen) at airports and on planes. And he pointed to the high-tech biometric scanning systems now being tested, among them facial recognition cameras and eye scans.

All of that is comforting. But why, if we’re spending so much on new technologies and personnel, are we allowing such an obvious procedural flaw to undermine our very first line of defense—the No-Fly List?

I know some readers may be seething at this point: Some will be saying, why is this jackass giving the terrorists a blueprint? Others will worry that I’m endangering their beloved online check-in. But I ask you to think it through a little. …

First, document fakery is all around us these days, from sophisticated efforts like this shot of Jane Fonda and John Kerry side-by-side at an anti-Vietnam War rally, to the ham-handed Rathergate memos. And we know modern terrorists are very computer-savvy—remember their online beheading videos. Do you really think they can’t figure out how to change a few letters on a boarding pass without my help? If we’re going to allow documents printed outside the airport to serve official purposes, we need to give them more scrutiny, not less.

Second, this problem is simple to fix, and in a way that won’t scuttle online check-in. All the TSA needs to do is to have at least one document check station that simultaneously compares all three elements: the boarding pass, a government-issued ID, and the No-Fly List in the airline’s computer. This could be at security or at the gate (where, after all, IDs used to be checked). TSA spokesman Melendez says there are no plans for such simultaneous checks.

Could an extra ID check slow us down a little? Yes, it probably would. Tough luck. We’ve already endured two wars and countless other disruptions in the name of safety. A few extra minutes at the airport isn’t going to kill anyone.