Risk
4/20/2012
03:27 PM
50%
50%

TSA Tests Identity Verification System

In wake of invalid boarding pass scares, Transportation Security Agency seeks to automate the process of authenticating travel documents and matching them to IDs.

Top 14 Government Social Media Initiatives
Top 14 Government Social Media Initiatives
(click image for larger view and for slideshow)
The Transportation Security Administration (TSA) has begun testing a new system that verifies an air traveler's identity by matching photo IDs to boarding passes and ensures that boarding passes are authentic.

The Credential Authentication Technology/Boarding Pass Scanning System (CAT/BPSS) is being tested at Washington's Dulles International Airport, and the pilot program will be expanded to Houston's George Bush Intercontinental and Luis Munoz Marin International Airport in Puerto Rico within the next few weeks.

The new systems cost about $100,000 each, or $3 million for an initial rollout of 30 machines. They will take the place of "lights and loupes" and other low-tech approaches to screening, according to Bob Burns, social media analyst with TSA's office of strategic communications and public affairs.

[ Privacy groups are speaking out against the proposed Cyber Intelligence Sharing and Protection Act. Is CISPA Worth Saving? ]

The need for an ID verification system was highlighted by several incidents in which travelers boarded planes without proper identification or with boarding passes that didn't belong to them. Last year, a Nigerian man boarded a plane from New York to Los Angeles using an invalid ID and a boarding pass issued to another person. A week later, he was caught trying to fly from Los Angeles to Atlanta--again, with invalid ID. FBI agents found 10 expired boarding passes in his possession.

CAT/BPSS is designed to detect fake boarding passes and falsified IDs. The scanner compares machine-readable and human-readable data from a traveler's ID with the boarding pass and verifies that neither has been altered. The system can be used with boarding passes printed on a PC or issued by the airlines, or paperless boarding passes sent to passengers' mobile devices.

Acceptable forms of ID, including passports, drivers' licenses, and permanent resident cards, carry encoded data in the form of barcodes, magnetic stripes, embedded circuits, or machine-readable text. The system also captures and displays the traveler's photograph. After verification, the data is deleted from the CAT/BPSS system.

Passengers will hand their IDs to TSA agents, who will scan them while the passengers self-scan their boarding passes. The new system shouldn't slow down the plane-boarding process, Burns wrote on the TSA blog.

Public comments on the TSA blog reflect a variety of concerns. Some maintain that merely allowing an undocumented traveler to board a plane isn't a threat to security. Others complain about government intrusion and cost.

The new system was subjected to a privacy impact assessment, which concluded it presented no greater threat to privacy than existing screening methods, according to Burns. Last year, TSA was forced to adapt its airport body scanners to show only the outlines of a person's body, after a public uproar over detailed images.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Thad
50%
50%
Thad,
User Rank: Apprentice
5/24/2012 | 6:38:10 PM
re: TSA Tests Identity Verification System
Kids have figured out the best way to get a fake ID is to "borrow" an older sibling/friend who has gotten a duplicate ID - see http://www.idscanner.com/id/sc...
How hard would it be for a banned person to get somebody's who looks like them to get a 2nd ID and "loan" it to them? All this money/technology will not stop the most dangerous elements. Biometrics would work, but people do not want their eyeballs scanned or fingerprints read just to go on vacation.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:29:21 AM
re: TSA Tests Identity Verification System
To some degree, I'm wondering why the TSA simply doesn't use biometrics? When was the last time a fingerprint or retina got forged?

Verify the flyer's identity and then verify that their flight is in order - that's the basis for this screening, right?

Any time there's a comparison of credentials that can be copied, manipulated, damaged in order to verify a person's identity, there is room for error and problems can occur.

Andrew Hornback
InformationWeek Contributor
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:20:58 AM
re: TSA Tests Identity Verification System
There are occasions where a flight will get booked by one person so that another may travel - you end up with mismatches from time to time in that scenario.
lacertosus
50%
50%
lacertosus,
User Rank: Apprentice
4/20/2012 | 8:02:15 PM
re: TSA Tests Identity Verification System
Why couldn't they tap into the airliners database directly and save themselves the money?!
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Five Things Every Business Executive Should Know About Cybersecurity
Don't get lost in security's technical minutiae - a clearer picture of what's at stake can help align business imperatives with technology execution.
Flash Poll
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Dark Reading Strategic Security Report: The Impact of Enterprise Data Breaches
Social engineering, ransomware, and other sophisticated exploits are leading to new IT security compromises every day. Dark Reading's 2016 Strategic Security Survey polled 300 IT and security professionals to get information on breach incidents, the fallout they caused, and how recent events are shaping preparations for inevitable attacks in the coming year. Download this report to get a look at data from the survey and to find out what a breach might mean for your organization.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Security researchers are finding that there's a growing market for the vulnerabilities they discover and persistent conundrum as to the right way to disclose them. Dark Reading editors will speak to experts -- Veracode CTO and co-founder Chris Wysopal and HackerOne co-founder and CTO Alex Rice -- about bug bounties and the expanding market for zero-day security vulnerabilities.