Thursday, November 2, 2006
Schneier: Forge Your Own Boarding Pass
Author and tech security expert Bruce Schneier weighs in on the Fake Boarding Pass Generator debacle, in an opinion piece for Wired News:
As I wrote in 2005: "The vulnerability is obvious, but the general concepts are subtle. There are three things to authenticate: the identity of the traveler, the boarding pass and the computer record. Think of them as three points on the triangle. Under the current system, the boarding pass is compared to the traveler's identity document, and then the boarding pass is compared with the computer record. But because the identity document is never compared with the computer record -- the third leg of the triangle -- it's possible to create two different boarding passes and have no one notice. That's why the attack works."
Link to full text.
The way to fix it is equally obvious: Verify the accuracy of the boarding passes at the security checkpoints. If passengers had to scan their boarding passes as they went through screening, the computer could verify that the boarding pass already matched to the photo ID also matched the data in the computer. Close the authentication triangle and the vulnerability disappears.
But before we start spending time and money and Transportation Security Administration agents, let's be honest with ourselves: The photo ID requirement is no more than security theater. Its only security purpose is to check names against the no-fly list, which would still be a joke even if it weren't so easy to circumvent. Identification is not a useful security measure here.
PREVIOUSLY:
* Fake Boarding Pass Generator mirror site
* NPR "Xeni Tech": update on FBI raids fake boarding pass website
* Ceci n'est pas un fake boarding pass (10-29-06)
* Congressman on Boarding Pass Generator guy: Uh... oops? (10-29-06)
* Fake Boarding Pass Generator guy and FBI: what about the law? (10-28-06)
* FBI returns to "Fake Boarding Pass" guy's home, seizes computers (10-28-06)
* Fake boarding pass guy reports he was visited by FBI (10-27-06)
* Congressman wants fake boarding pass guy arrested (10-27-06)
* Website generates fake boarding passes (10-26-06)
* Slate's Andy Bowers on airline security loopholes (02-07-05)
posted by Xeni Jardin at 08:54:14 PM












