Risk
4/20/2012
03:27 PM
50%
50%

TSA Tests Identity Verification System

In wake of invalid boarding pass scares, Transportation Security Agency seeks to automate the process of authenticating travel documents and matching them to IDs.

Top 14 Government Social Media Initiatives
Top 14 Government Social Media Initiatives
(click image for larger view and for slideshow)
The Transportation Security Administration (TSA) has begun testing a new system that verifies an air traveler's identity by matching photo IDs to boarding passes and ensures that boarding passes are authentic.

The Credential Authentication Technology/Boarding Pass Scanning System (CAT/BPSS) is being tested at Washington's Dulles International Airport, and the pilot program will be expanded to Houston's George Bush Intercontinental and Luis Munoz Marin International Airport in Puerto Rico within the next few weeks.

The new systems cost about $100,000 each, or $3 million for an initial rollout of 30 machines. They will take the place of "lights and loupes" and other low-tech approaches to screening, according to Bob Burns, social media analyst with TSA's office of strategic communications and public affairs.

[ Privacy groups are speaking out against the proposed Cyber Intelligence Sharing and Protection Act. Is CISPA Worth Saving? ]

The need for an ID verification system was highlighted by several incidents in which travelers boarded planes without proper identification or with boarding passes that didn't belong to them. Last year, a Nigerian man boarded a plane from New York to Los Angeles using an invalid ID and a boarding pass issued to another person. A week later, he was caught trying to fly from Los Angeles to Atlanta--again, with invalid ID. FBI agents found 10 expired boarding passes in his possession.

CAT/BPSS is designed to detect fake boarding passes and falsified IDs. The scanner compares machine-readable and human-readable data from a traveler's ID with the boarding pass and verifies that neither has been altered. The system can be used with boarding passes printed on a PC or issued by the airlines, or paperless boarding passes sent to passengers' mobile devices.

Acceptable forms of ID, including passports, drivers' licenses, and permanent resident cards, carry encoded data in the form of barcodes, magnetic stripes, embedded circuits, or machine-readable text. The system also captures and displays the traveler's photograph. After verification, the data is deleted from the CAT/BPSS system.

Passengers will hand their IDs to TSA agents, who will scan them while the passengers self-scan their boarding passes. The new system shouldn't slow down the plane-boarding process, Burns wrote on the TSA blog.

Public comments on the TSA blog reflect a variety of concerns. Some maintain that merely allowing an undocumented traveler to board a plane isn't a threat to security. Others complain about government intrusion and cost.

The new system was subjected to a privacy impact assessment, which concluded it presented no greater threat to privacy than existing screening methods, according to Burns. Last year, TSA was forced to adapt its airport body scanners to show only the outlines of a person's body, after a public uproar over detailed images.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thad
50%
50%
Thad,
User Rank: Apprentice
5/24/2012 | 6:38:10 PM
re: TSA Tests Identity Verification System
Kids have figured out the best way to get a fake ID is to "borrow" an older sibling/friend who has gotten a duplicate ID - see http://www.idscanner.com/id/sc...
How hard would it be for a banned person to get somebody's who looks like them to get a 2nd ID and "loan" it to them? All this money/technology will not stop the most dangerous elements. Biometrics would work, but people do not want their eyeballs scanned or fingerprints read just to go on vacation.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:29:21 AM
re: TSA Tests Identity Verification System
To some degree, I'm wondering why the TSA simply doesn't use biometrics? When was the last time a fingerprint or retina got forged?

Verify the flyer's identity and then verify that their flight is in order - that's the basis for this screening, right?

Any time there's a comparison of credentials that can be copied, manipulated, damaged in order to verify a person's identity, there is room for error and problems can occur.

Andrew Hornback
InformationWeek Contributor
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:20:58 AM
re: TSA Tests Identity Verification System
There are occasions where a flight will get booked by one person so that another may travel - you end up with mismatches from time to time in that scenario.
lacertosus
50%
50%
lacertosus,
User Rank: Apprentice
4/20/2012 | 8:02:15 PM
re: TSA Tests Identity Verification System
Why couldn't they tap into the airliners database directly and save themselves the money?!
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5208
Published: 2014-12-22
BKBCopyD.exe in the Batch Management Packages in Yokogawa CENTUM CS 3000 through R3.09.50 and CENTUM VP through R4.03.00 and R5.x through R5.04.00, and Exaopc through R3.72.10, does not require authentication, which allows remote attackers to read arbitrary files via a RETR operation, write to arbit...

CVE-2014-7286
Published: 2014-12-22
Buffer overflow in AClient in Symantec Deployment Solution 6.9 and earlier on Windows XP and Server 2003 allows local users to gain privileges via unspecified vectors.

CVE-2014-8015
Published: 2014-12-22
The Sponsor Portal in Cisco Identity Services Engine (ISE) allows remote authenticated users to obtain access to an arbitrary sponsor's guest account via a modified HTTP request, aka Bug ID CSCur64400.

CVE-2014-8017
Published: 2014-12-22
The periodic-backup feature in Cisco Identity Services Engine (ISE) allows remote attackers to discover backup-encryption passwords via a crafted request that triggers inclusion of a password in a reply, aka Bug ID CSCur41673.

CVE-2014-8018
Published: 2014-12-22
Multiple cross-site scripting (XSS) vulnerabilities in Business Voice Services Manager (BVSM) pages in the Application Software in Cisco Unified Communications Domain Manager 8 allow remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug IDs CSCur19651, CSCur18555, CSCur1...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.