Ping Identity > Blogs > PingTalk 

PingTalk Blog

Authentication. The TSA has your back for a song

  • By ,
  •  | 

This caught my eye on Friday in the Washington Post. “The [Transportation Security Administration] is about to invest $3.2 million to make sure you are who you say you are before you board an airplane.”

As comedian Seth Meyers might say, “Really……”

It’s been 10 years since 9/11 and the TSA is just getting around to this. It must have been inspired by last month’s spate of moving 9/11 tributes. Bless their pressed blue uniforms. I’m flattered they have trusted us up to this point.

So here’s how the TSA plans to do what seems to be a more perplexing and complex issue outside of airports.  

Scanners will replace the TSA agents that inspect IDs and boarding passes using that secret-decoder flashlight that verifies security features on driver’s licenses and passports. IDs will be scanned for authenticity. Boarding passes also will be scanned. The data will be matched. Passengers that pass are free to fly.

I’m not familiar with this being a major breach point in the system, but the TSA appears to be going out on a limb with such a definitive statement about authentication.

Maybe the motto should be "make sure you are who you say you are.... but not who you really might be."

Especially when the forms of ID are 1) often printed by the user (boarding pass) and 2) historically targets for fraud (state-issued driver's licenses). The magnetic stripe doesn’t even merit a sniff from European credit card issuers bent on security, but perhaps it can lock down airports. Ontario, Canada is already eliminating it on licenses.

The 2D barcode has a better shot and is now included on every state driver's license, according to the American Association of Motor Vehicle Administrators (AAMVA). But if the bad guys can create realistic licenses with holograms, the barcodes can’t be much more of an effort given the availability of barcode creation software and the AAMVA’s publicly available barcode creation guidelines.

But here’s the TSA acid test. The more flawed your current ID credential is, the more authentic you are.

According to the Washington Post article, genuine driver's licenses issued by states contain imperfections. Those “quirks” will be added to the scanner’s logic. Credentials that are actually “perfect” will reveal themselves as frauds.

I’ll wait while you read that again.

Yes, air safety is leveraging the fact that the credential you currently hold is flawed in such ways that no self-respecting counterfeiter would settle for such a reproduction. Or that terrorists lack the intelligence to reverse-engineer the stealth flaws and reproduce them in the counterfeit copy.

Cleary terrorism has shown it has that kind of energy.

Heaven help the legit passenger who ends up with the state-issued anomaly. The ID with the imperfections that are themselves imperfect.

Earlier this year, California ran off track with a five-year, $63 million contract to produce more secure driver’s licenses.

“The new vendor has struggled with color accuracy, the raised lettering and the positioning of images such as the state icons El Capitan in Yosemite and San Francisco's Golden Gate Bridge,” California DMV officials told the Santa Cruz Sentinel.

Given the length of the contract, Californian's alone (37 million people) will be showing one of at least two legit driver's licenses for the next five years. Do you see where I am going here?

Of course, there is this additional backdoor. People can use falsified identity documents at the DMV to get a valid “pre-flawed” driver’s license.

Regardless, the TSA issued a statement saying it “will purchase and pilot new technologies designed to provide TSA greater ability to identify altered or fraudulent passenger identification credentials and boarding passes in order to further enhance travel safety. TSA plans to test the technology at select airports in early 2012.”

Or they could try this.

Driver’s licenses issued in the state of Oklahoma have the lyrics of the song Oklahoma microprinted on them. Some lyrics, however, have been deliberately deleted (psst – the stealth flaw). The TSA could force us all to sing our home state’s song. Foreigners would have to sing national anthems. I wonder if it is cheaper than $3.2 million to provide Karaoke machines to TSA agents?

 “Oklahoma, where the wind comes sweepin' down the plain,

And the wavin' wheat can sure smell sweet….”

Add your comment