03:27 PM
Connect Directly

TSA Tests Identity Verification System

In wake of invalid boarding pass scares, Transportation Security Agency seeks to automate the process of authenticating travel documents and matching them to IDs.

Top 14 Government Social Media Initiatives
Top 14 Government Social Media Initiatives
(click image for larger view and for slideshow)
The Transportation Security Administration (TSA) has begun testing a new system that verifies an air traveler's identity by matching photo IDs to boarding passes and ensures that boarding passes are authentic.

The Credential Authentication Technology/Boarding Pass Scanning System (CAT/BPSS) is being tested at Washington's Dulles International Airport, and the pilot program will be expanded to Houston's George Bush Intercontinental and Luis Munoz Marin International Airport in Puerto Rico within the next few weeks.

The new systems cost about $100,000 each, or $3 million for an initial rollout of 30 machines. They will take the place of "lights and loupes" and other low-tech approaches to screening, according to Bob Burns, social media analyst with TSA's office of strategic communications and public affairs.

[ Privacy groups are speaking out against the proposed Cyber Intelligence Sharing and Protection Act. Is CISPA Worth Saving? ]

The need for an ID verification system was highlighted by several incidents in which travelers boarded planes without proper identification or with boarding passes that didn't belong to them. Last year, a Nigerian man boarded a plane from New York to Los Angeles using an invalid ID and a boarding pass issued to another person. A week later, he was caught trying to fly from Los Angeles to Atlanta--again, with invalid ID. FBI agents found 10 expired boarding passes in his possession.

CAT/BPSS is designed to detect fake boarding passes and falsified IDs. The scanner compares machine-readable and human-readable data from a traveler's ID with the boarding pass and verifies that neither has been altered. The system can be used with boarding passes printed on a PC or issued by the airlines, or paperless boarding passes sent to passengers' mobile devices.

Acceptable forms of ID, including passports, drivers' licenses, and permanent resident cards, carry encoded data in the form of barcodes, magnetic stripes, embedded circuits, or machine-readable text. The system also captures and displays the traveler's photograph. After verification, the data is deleted from the CAT/BPSS system.

Passengers will hand their IDs to TSA agents, who will scan them while the passengers self-scan their boarding passes. The new system shouldn't slow down the plane-boarding process, Burns wrote on the TSA blog.

Public comments on the TSA blog reflect a variety of concerns. Some maintain that merely allowing an undocumented traveler to board a plane isn't a threat to security. Others complain about government intrusion and cost.

The new system was subjected to a privacy impact assessment, which concluded it presented no greater threat to privacy than existing screening methods, according to Burns. Last year, TSA was forced to adapt its airport body scanners to show only the outlines of a person's body, after a public uproar over detailed images.

In our InformationWeek Government virtual event, Next Steps In Cybersecurity, experts will assess the state of cybersecurity in government and present strategies for creating a more secure IT infrastructure. It happens May 24.

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
User Rank: Apprentice
4/20/2012 | 8:02:15 PM
re: TSA Tests Identity Verification System
Why couldn't they tap into the airliners database directly and save themselves the money?!
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:20:58 AM
re: TSA Tests Identity Verification System
There are occasions where a flight will get booked by one person so that another may travel - you end up with mismatches from time to time in that scenario.
Andrew Hornback
Andrew Hornback,
User Rank: Apprentice
4/23/2012 | 1:29:21 AM
re: TSA Tests Identity Verification System
To some degree, I'm wondering why the TSA simply doesn't use biometrics? When was the last time a fingerprint or retina got forged?

Verify the flyer's identity and then verify that their flight is in order - that's the basis for this screening, right?

Any time there's a comparison of credentials that can be copied, manipulated, damaged in order to verify a person's identity, there is room for error and problems can occur.

Andrew Hornback
InformationWeek Contributor
User Rank: Apprentice
5/24/2012 | 6:38:10 PM
re: TSA Tests Identity Verification System
Kids have figured out the best way to get a fake ID is to "borrow" an older sibling/friend who has gotten a duplicate ID - see http://www.idscanner.com/id/sc...
How hard would it be for a banned person to get somebody's who looks like them to get a 2nd ID and "loan" it to them? All this money/technology will not stop the most dangerous elements. Biometrics would work, but people do not want their eyeballs scanned or fingerprints read just to go on vacation.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-10-25
The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406.

Published: 2014-10-25
The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files.

Published: 2014-10-25
EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force a...

Published: 2014-10-25
EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call.

Published: 2014-10-25
CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.