Risk
4/20/2012
03:27 PM
50%
50%

TSA Tests Identity Verification System

In wake of invalid boarding pass scares, Transportation Security Agency seeks to automate the process of authenticating travel documents and matching them to IDs.

Top 14 Government Social Media Initiatives
Top 14 Government Social Media Initiatives
(click image for larger view and for slideshow)
The Transportation Security Administration (TSA) has begun testing a new system that verifies an air traveler's identity by matching photo IDs to boarding passes and ensures that boarding passes are authentic.

The Credential Authentication Technology/Boarding Pass Scanning System (CAT/BPSS) is being tested at Washington's Dulles International Airport, and the pilot program will be expanded to Houston's George Bush Intercontinental and Luis Munoz Marin International Airport in Puerto Rico within the next few weeks.

The new systems cost about $100,000 each, or $3 million for an initial rollout of 30 machines. They will take the place of "lights and loupes" and other low-tech approaches to screening, according to Bob Burns, social media analyst with TSA's office of strategic communications and public affairs.

[ Privacy groups are speaking out against the proposed Cyber Intelligence Sharing and Protection Act. Is CISPA Worth Saving? ]

The need for an ID verification system was highlighted by several incidents in which travelers boarded planes without proper identification or with boarding passes that didn't belong to them. Last year, a Nigerian man boarded a plane from New York to Los Angeles using an invalid ID and a boarding pass issued to another person. A week later, he was caught trying to fly from Los Angeles to Atlanta--again, with invalid ID. FBI agents found 10 expired boarding passes in his possession.

CAT/BPSS is designed to detect fake boarding passes and falsified IDs. The scanner compares machine-readable and human-readable data from a traveler's ID with the boarding pass and verifies that neither has been altered. The system can be used with boarding passes printed on a PC or issued by the airlines, or paperless boarding passes sent to passengers' mobile devices.

Acceptable forms of ID, including passports, drivers' licenses, and permanent resident cards, carry encoded data in the form of barcodes, magnetic stripes, embedded circuits, or machine-readable text. The system also captures and displays the traveler's photograph. After verification, the data is deleted from the CAT/BPSS system.

Passengers will hand their IDs to TSA agents, who will scan them while the passengers self-scan their boarding passes. The new system shouldn't slow down the plane-boarding process, Burns wrote on the TSA blog.

Public comments on the TSA blog reflect a variety of concerns. Some maintain that merely allowing an undocumented traveler to board a plane isn't a threat to security. Others complain about government intrusion and cost.

The new system was subjected to a privacy impact assessment, which concluded it presented no greater threat to privacy than existing screening methods, according to Burns. Last year, TSA was forced to adapt its airport body scanners to show only the outlines of a person's body, after a public uproar over detailed images.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
lacertosus
50%
50%
lacertosus,
User Rank: Apprentice
4/20/2012 | 8:02:15 PM
re: TSA Tests Identity Verification System
Why couldn't they tap into the airliners database directly and save themselves the money?!
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:20:58 AM
re: TSA Tests Identity Verification System
There are occasions where a flight will get booked by one person so that another may travel - you end up with mismatches from time to time in that scenario.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:29:21 AM
re: TSA Tests Identity Verification System
To some degree, I'm wondering why the TSA simply doesn't use biometrics? When was the last time a fingerprint or retina got forged?

Verify the flyer's identity and then verify that their flight is in order - that's the basis for this screening, right?

Any time there's a comparison of credentials that can be copied, manipulated, damaged in order to verify a person's identity, there is room for error and problems can occur.

Andrew Hornback
InformationWeek Contributor
Thad
50%
50%
Thad,
User Rank: Apprentice
5/24/2012 | 6:38:10 PM
re: TSA Tests Identity Verification System
Kids have figured out the best way to get a fake ID is to "borrow" an older sibling/friend who has gotten a duplicate ID - see http://www.idscanner.com/id/sc...
How hard would it be for a banned person to get somebody's who looks like them to get a 2nd ID and "loan" it to them? All this money/technology will not stop the most dangerous elements. Biometrics would work, but people do not want their eyeballs scanned or fingerprints read just to go on vacation.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7178
Published: 2014-11-28
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.

CVE-2014-7850
Published: 2014-11-28
Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.

CVE-2014-8423
Published: 2014-11-28
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

CVE-2014-8424
Published: 2014-11-28
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

CVE-2014-8425
Published: 2014-11-28
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?