Risk
4/20/2012
03:27 PM
Connect Directly
RSS
E-Mail
50%
50%

TSA Tests Identity Verification System

In wake of invalid boarding pass scares, Transportation Security Agency seeks to automate the process of authenticating travel documents and matching them to IDs.

Top 14 Government Social Media Initiatives
Top 14 Government Social Media Initiatives
(click image for larger view and for slideshow)
The Transportation Security Administration (TSA) has begun testing a new system that verifies an air traveler's identity by matching photo IDs to boarding passes and ensures that boarding passes are authentic.

The Credential Authentication Technology/Boarding Pass Scanning System (CAT/BPSS) is being tested at Washington's Dulles International Airport, and the pilot program will be expanded to Houston's George Bush Intercontinental and Luis Munoz Marin International Airport in Puerto Rico within the next few weeks.

The new systems cost about $100,000 each, or $3 million for an initial rollout of 30 machines. They will take the place of "lights and loupes" and other low-tech approaches to screening, according to Bob Burns, social media analyst with TSA's office of strategic communications and public affairs.

[ Privacy groups are speaking out against the proposed Cyber Intelligence Sharing and Protection Act. Is CISPA Worth Saving? ]

The need for an ID verification system was highlighted by several incidents in which travelers boarded planes without proper identification or with boarding passes that didn't belong to them. Last year, a Nigerian man boarded a plane from New York to Los Angeles using an invalid ID and a boarding pass issued to another person. A week later, he was caught trying to fly from Los Angeles to Atlanta--again, with invalid ID. FBI agents found 10 expired boarding passes in his possession.

CAT/BPSS is designed to detect fake boarding passes and falsified IDs. The scanner compares machine-readable and human-readable data from a traveler's ID with the boarding pass and verifies that neither has been altered. The system can be used with boarding passes printed on a PC or issued by the airlines, or paperless boarding passes sent to passengers' mobile devices.

Acceptable forms of ID, including passports, drivers' licenses, and permanent resident cards, carry encoded data in the form of barcodes, magnetic stripes, embedded circuits, or machine-readable text. The system also captures and displays the traveler's photograph. After verification, the data is deleted from the CAT/BPSS system.

Passengers will hand their IDs to TSA agents, who will scan them while the passengers self-scan their boarding passes. The new system shouldn't slow down the plane-boarding process, Burns wrote on the TSA blog.

Public comments on the TSA blog reflect a variety of concerns. Some maintain that merely allowing an undocumented traveler to board a plane isn't a threat to security. Others complain about government intrusion and cost.

The new system was subjected to a privacy impact assessment, which concluded it presented no greater threat to privacy than existing screening methods, according to Burns. Last year, TSA was forced to adapt its airport body scanners to show only the outlines of a person's body, after a public uproar over detailed images.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thad
50%
50%
Thad,
User Rank: Apprentice
5/24/2012 | 6:38:10 PM
re: TSA Tests Identity Verification System
Kids have figured out the best way to get a fake ID is to "borrow" an older sibling/friend who has gotten a duplicate ID - see http://www.idscanner.com/id/sc...
How hard would it be for a banned person to get somebody's who looks like them to get a 2nd ID and "loan" it to them? All this money/technology will not stop the most dangerous elements. Biometrics would work, but people do not want their eyeballs scanned or fingerprints read just to go on vacation.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:29:21 AM
re: TSA Tests Identity Verification System
To some degree, I'm wondering why the TSA simply doesn't use biometrics? When was the last time a fingerprint or retina got forged?

Verify the flyer's identity and then verify that their flight is in order - that's the basis for this screening, right?

Any time there's a comparison of credentials that can be copied, manipulated, damaged in order to verify a person's identity, there is room for error and problems can occur.

Andrew Hornback
InformationWeek Contributor
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:20:58 AM
re: TSA Tests Identity Verification System
There are occasions where a flight will get booked by one person so that another may travel - you end up with mismatches from time to time in that scenario.
lacertosus
50%
50%
lacertosus,
User Rank: Apprentice
4/20/2012 | 8:02:15 PM
re: TSA Tests Identity Verification System
Why couldn't they tap into the airliners database directly and save themselves the money?!
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6646
Published: 2014-09-23
The bellyhoodcom (aka com.tapatalk.bellyhoodcom) application 3.4.23 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6647
Published: 2014-09-23
The ElForro.com (aka com.tapatalk.elforrocom) application 2.4.3.10 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6648
Published: 2014-09-23
The iPhone4.TW (aka com.tapatalk.iPhone4TWforums) application 3.3.20 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6649
Published: 2014-09-23
The MyBroadband Tapatalk (aka com.tapatalk.mybroadbandcozavb) application 3.9.22 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVE-2014-6650
Published: 2014-09-23
The NextGenUpdate (aka com.tapatalk.nextgenupdatecomforums) application 3.1.6 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

Best of the Web
Dark Reading Radio