8 Responses

  1. Sice

    Thanks for posting reasoned and rational thought on your blog, I appreciate the views you offer.

  2. Gary Leff

    People completely misuse the word security, it refers to several different things and can promote misunderstanding. There’s reservation and frequent flyer account security which is of course totally different from aviation security.

  3. Austin

    A few thoughts:
    1) I’m surprised your paper boarding pass that is coded for PreCheck doesn’t have a digital signature
    2) While the TSA barcode scanners check to make sure a signature is valid, your paper boarding pass tells me that they don’t check that a signature actually exists. Thus, you could easily generate an Aztec barcode for a fake boarding pass on your mobile phone that doesn’t have a signature, and the TSA barcode scanner would treat it as valid. Of course, the solution to this is to simply have the data in all barcodes signed, regardless of format (PDF417 on a paper boarding pass or Aztec on a mobile boarding pass).
    3) You don’t quite make it clear, since you only mention it in connection with the signature-less paper boarding pass, but the applicable IATA specification includes details on how to include an (optional) digital signature.
    4) Finally, as Gary points out, this may not be an aviation security issue, but it is still an IT security issue–the fact that I can easily access someone else’s information is not a good thing, although the fact that the information revealed is random does make it significantly less useful.

    1. TheSterlingTraveler

      While it does say PreCheck on the BP, I don’t think he would have gotten the “3 beeps” to go through the PreCheck line. Look at this part: “15C>318 0 K4265BUA”… that 0 would need to be a 3.

      1. Austin

        That 0 is way too early to be the PreCheck flag. According to the IATA spec, I think that’s the “passenger description” field (http://www.iata.org/whatwedo/stb/Documents/BCBP_Implementation_Guidev4_Jun2009.pdf), with a 0 meaning adult.

        It looks like Seth may have edited out a few characters, but the PreCheck flag is supposed to be the 91st character (“selectee indicator” in IATA parlance)…
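
The signature-handling gap raised in comment 3 (a scanner that validates a signature when one is present but never requires one), shown beside the stricter policy that comment proposes. This is an added example, not code from the post, the commenters or any airline or TSA system. It assumes a single-leg barcode with a 60-character mandatory block whose last two characters give the hex size of the variable field, followed by an optional security section of the form `^`, one type character, a two-character hex length and the data. HMAC-SHA256 with a constructed key stands in for the real digital signature, and all function names and sample values are hypothetical.

```python
import hashlib
import hmac

MANDATORY_LEN = 60                    # single-leg mandatory block (assumed layout)
DEMO_KEY = b"constructed-demo-key"    # constructed; stand-in for the issuer's key

def split_bcbp(raw):
    """Return (signed_part, security_data or None) for a single-leg pass."""
    if len(raw) < MANDATORY_LEN or raw[:2] != "M1":
        raise ValueError("not a single-leg BCBP string")
    end = MANDATORY_LEN + int(raw[58:60], 16)   # hex size of variable field
    if len(raw) < end:
        raise ValueError("truncated variable-size field")
    signed_part, rest = raw[:end], raw[end:]
    if not rest:
        return signed_part, None                # no security section at all
    if rest[0] != "^" or len(rest) < 4:
        raise ValueError("malformed security section")
    sig = rest[4:]
    if len(sig) != int(rest[2:4], 16):
        raise ValueError("security data length mismatch")
    return signed_part, sig

def tag(signed_part):
    # HMAC-SHA256 stands in for the real public-key signature (assumption).
    return hmac.new(DEMO_KEY, signed_part.encode(), hashlib.sha256).hexdigest()

def verify_lenient(raw):
    """Behaviour described in the comment: an absent signature is accepted."""
    signed_part, sig = split_bcbp(raw)
    return sig is None or hmac.compare_digest(sig.encode(), tag(signed_part).encode())

def verify_strict(raw):
    """Hardened policy: a signature must be present and must verify."""
    signed_part, sig = split_bcbp(raw)
    return sig is not None and hmac.compare_digest(sig.encode(), tag(signed_part).encode())

def build_sample(signed, seat="015C"):
    """Constructed pass: placeholder names, no conditional items (size 00)."""
    body = ("M1" + "DOE/JOHN".ljust(20) + "E" + "ABC123 " + "AAA" + "BBB"
            + "XX " + "0123 " + "100" + "Y" + seat + "0001 " + "0" + "00")
    if not signed:
        return body
    sig = tag(body)
    return body + "^1" + format(len(sig), "02X") + sig
```

The two verifiers differ only in how they treat `None`: the lenient one treats a missing security section as nothing to check, while the strict one treats it as a failed check.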

  4. Greg

    Privacy risk is the better term. And in this world that’s an issue of personal importance to more people. Simply having someone random know my FFN and itinerary is a concern for me – it’s enough for someone to play games canceling it as agents are inconsistent in asking for supporting info on the phone.

  5. Austin

    Hi Seth,

    Probably a dumb question, and only semi-related, but any idea why your UA boarding pass shows LAST/FIRSTMIDDLE (which I believe mine should be, seeing that per TSA it must exactly match my ID)… mine always prints LAST/AUSTINCMR (where the C is my middle initial followed by MR)… it’s never been an issue but this is the first time I actually looked at someone else’s boarding pass and went hmmmmm. For what it’s worth, my ID has last, first, and full middle name.