The FBI raided the home of Indiana University grad student Christopher Soghoian, who created a Web site that lets users forge their own airline boarding passes. Soghoian said he intended to call attention to an airport security loophole. In a "Hey, Wait a Minute" article published in 2005 and reprinted below, Andy Bowers identified the loophole, created his own fake documents, and proposed a simple fix.
The Homeland Security Department's No-Fly List has always seemed a bit absurd to me. Only the stupidest terrorist would try booking a flight under his own name (or his known aliases) three years after the 9/11 attacks, and one thing I hope we've all learned is that our most dangerous enemies aren't stupid.
But even if you assume the No-Fly List serves an important purpose, the system as it presently operates contains a gaping, dangerous loophole that makes the list nearly useless. It's a loophole so obvious, it occurred to me the first time I held it in my hand. And believe me, if I can figure it out, any terrorist worth his AK-47 realized it a long time ago.
The loophole is "Internet check-in," a convenience most airlines now offer. (It was first used by Alaska Airlines in 1999, but expanded rapidly after 9/11, as air carriers looked for ways to ease wait times for grumpy passengers.)
Here's how Internet check-in works: On the day of your flight, you can now go online, check in as though you were standing at a kiosk in the airport, and—this is the important part—print out your own boarding pass at home. You then bring your boarding pass, which includes a unique barcode, with you to the airport and go straight through the security line (in many cases, you can check bags at the curb).
It's a terrific timesaver, and there's actually nothing inherently wrong with allowing people to print their own traveling documents at home or the office. The problem is what the airlines and the Transportation Security Administration do with those documents at the airport. (In the last year, I've used Internet check-in on three different major airlines and at airports both large and small across the country. In every case, I could have exploited the loophole with ease, and in exactly the same way.)
A home-printed boarding pass is generally checked only twice at the airport:
1) Right before you go through security, a security guard checks your boarding pass against your government-issued ID, making sure the names match. This check does not include a scan of the barcode, in part because the same security checkpoints process passengers for multiple airlines with different computer systems. Occasionally a second security guard at the metal detector will double-check the boarding pass, but again, not by scanning it.
2) Once you get to your boarding gate, the barcode on the printed pass is finally scanned just before you enter the Jetway. However, as the boarding agents remind you over and over, you no longer need to show your ID at the gate. (The TSA estimates 80 percent of U.S. airports have done away with ID checks at the boarding gate.) I've noticed that many passengers still have their driver's licenses or passports in hand as they approach, remembering post-9/11 enhanced security. But the agents cheerily tell them to put their IDs away—they're no longer necessary.
Do you see the big flaw? At no point do you have to prove that the person in whose name the ticket was bought is the same person standing at the airport.