At stop 1), the name on a home-printed boarding pass is checked against an ID, but not against the name stored in the airline's computer. At stop 2), the name on the printed pass is checked against the name in the computer, but not against an ID.
So all a terrorist needs to breeze through this loophole are two different boarding passes, both printed at home, that are identical except for the name. Check out the mock-up I made on Microsoft Publisher in about 10 minutes, using a real boarding pass I was issued last month. On the first one, you see my real name. On the second, the name has been replaced by that of Mr. Serious Threat, who we will pretend is on the No-Fly List.
Say Mr. Threat and his nefarious associates buy a ticket in someone else's name (perhaps by stealing a credit card number—something criminals do without immediate detection all the time). In this case, the name of the card-theft victim (me) will be printed on the boarding pass. Mr. Threat can be pretty sure a common name like mine won't trigger the No-Fly List as his would. Then he prints out the two boarding passes: the original in my name and an altered duplicate in his name.
At the first security checkpoint (the one where no scan takes place), he can breeze through using any name he wishes—even his own—just so long as his photo ID matches the altered boarding pass. Unless the security guard has the entire No-Fly List memorized, she isn't going to stop Mr. Threat. On the way to his gate he does the old switcheroo, and produces the pass with my name, which will match the computer record. Child's play. His real identity has never set off the computer's alarm bells.
Just to check my theory, I ran it by a noted airport security expert. When he heard my scenario, he immediately asked not to be named, because he didn't want to be on the record saying a method of foiling security might work. But he's pretty sure it would. "[The double boarding pass scam] would completely negate, for all intents and purposes, an identity check," he said gravely. It is, he agreed, "a potential loophole in the process."
I also spoke with Nico Melendez, a field communications director for the TSA. "We recognize that something like that could happen," he said. But he noted that even if someone passed through on a fake name, they are still subject to metal detectors, baggage scans, air marshals, and all the other physical safeguards (both seen and unseen) at airports and on planes. And he pointed to the high-tech biometric scanning systems now being tested, among them facial recognition cameras and eye scans.
All of that is comforting. But why, if we're spending so much on new technologies and personnel, are we allowing such an obvious procedural flaw to undermine our very first line of defense—the No-Fly List?
I know some readers may be seething at this point: Some will be saying, why is this jackass giving the terrorists a blueprint? Others will worry that I'm endangering their beloved online check-in. But I ask you to think it through a little. …
First, document fakery is all around us these days, from sophisticated efforts like this shot of Jane Fonda and John Kerry side-by-side at an anti-Vietnam War rally, to the ham-handed Rathergate memos. And we know modern terrorists are very computer-savvy—remember their online beheading videos. Do you really think they can't figure out how to change a few letters on a boarding pass without my help? If we're going to allow documents printed outside the airport to serve official purposes, we need to give them more scrutiny, not less.
Second, this problem is simple to fix, and in a way that won't scuttle online check-in. All the TSA needs to do is to have at least one document check station that simultaneously compares all three elements: the boarding pass, a government-issued ID, and the No-Fly List in the airline's computer. This could be at security or at the gate (where, after all, IDs used to be checked). TSA spokesman Melendez says there are no plans for such simultaneous checks.
Could an extra ID check slow us down a little? Yes, it probably would. Tough luck. We've already endured two wars and countless other disruptions in the name of safety. A few extra minutes at the airport isn't going to kill anyone.