The boarding pass switcheroo

At Slate, Andy Bowers discovers a pretty basic hack of the airline check-in system.

The attack works like this: Before you can board a plane in the U.S., you need a boarding pass with your name and an airline-issued bar code, as well as a government-issued ID, with a name matching the pass. The ID and the name on the pass are matched at the TSA security gate, while the airline gate attendant matches the name on the pass with the name in the airline computer corresponding to the bar code. An attacker could fly under an assumed name by buying a ticket using a stolen credit card, printing out both his actual boarding pass (with the assumed name), and another boarding pass modified to contain a name matching his government-issued ID. It won't match the bar code, but that's OK, because at the TSA gate, they don't check the bar code. At the airline gate, they don't check the government-issued ID.

By flying under an assumed name, the attacker has rendered useless the "no-fly" list designed to limit the travel and opportunities for airplane-based terrorism of known or suspected terrorists.

This scheme had occurred to me as well. It's such an obvious flaw that the TSA must be aware of it, and if they wanted to fix it, they could order the airlines to stop issuing home-printable boarding passes, or to check ID's at the gate.

I think, though, that the TSA rationally concludes that while printing out a fake boarding pass isn't hard, buying yourself a fake ID to go along with your stolen credit card isn't that much harder.

So why have a no-fly list at all? I think the no-fly list is targeted not at the hard-core, professional operative terrorist: they're smart enough to beat any system the government is likely to deploy. Rather, it's targeted at the second-tier of known or suspected supporters (financially or otherwise) of terrorism. These folks are unlikely to try to travel under assumed names, and they're unlikely to pose an actual threat to the airplane. Instead, the no-fly list serves to keep the government notified of their attempts to travel, prevents them from easily moving into or out of the United States, and generally makes it easier for law enforcement and intelligence agencies to keep tabs on them.

Some of the second-tier no-fliers might graduate to first-tier status without being smart enough to try to fly under a stolen or otherwise disguised identity, as some of the 9-11 hijackers did. If the no-fly list catches them, terrific. But I suspect the chief utility of the no-fly list lies not in actual air travel security, but in aiding connect-the-dots style surveillance.