Hacked Boarding Pass QR code?

Old Oct 23, 2012 | 12:34 pm
  #16  
 
Join Date: Feb 2011
Programs: AA, UA, Marriott Gold
Posts: 349
Originally Posted by Ysitincoach
From IATA:

5.2.6. Digital signature
The security field is optional and to be used only when required by the local security administration.
Interesting that it isn't mandated, so feasibly you could create an unsigned barcode in the right locale,
FearFree is offline  
Old Oct 23, 2012 | 6:03 pm
  #17  
Ari
FlyerTalk Evangelist
 
Join Date: Aug 2005
Location: Chicago
Posts: 11,680
Originally Posted by FearFree
Interesting that it isn't mandated, so feasibly you could create an unsigned barcode . . .
It is up to the airline and the security authorities to decide if they want a signature; if neither requires one, it doesn't have to be there.
Ari is online now  
Old Oct 24, 2012 | 2:53 pm
  #18  
 
Join Date: Apr 2005
Location: BOS,PIT
Programs: Marriott Lifetime Platinum, JetBlue Mosaic-2, AA Platinum
Posts: 563
MSM has picked this up...

http://www.usatoday.com/story/travel...-flaw/1654781/
jfunk138 is offline  
Old Oct 24, 2012 | 7:40 pm
  #19  
 
Join Date: Aug 2006
Location: DCA / WAS
Programs: DL 2+ million/PM, YX, Marriott Plt, *wood gold, HHonors, CO Plt, UA, AA EXP, WN, AGR
Posts: 9,386
Originally Posted by jfunk138
This will not end well.
Global_Hi_Flyer is offline  
Old Oct 24, 2012 | 9:56 pm
  #20  
FlyerTalk Evangelist
 
Join Date: Sep 2007
Location: SJC, SFO, YYC
Programs: AA-EXP, AA-0.41MM, UA-Gold, Ex UA-1K (2006 thru 2015), PMUA-0.95MM, COUA-1.5MM-lite, AF-Silver
Posts: 13,436
Originally Posted by Ari
It is up to the airline and the security authorities to decide if they want a signature; if neither requires one, it doesn't have to be there.
Does the bar code reader connect to the airlines' booking system? If not, then the reader would allow an unsigned BP.
mre5765 is offline  
Old Oct 24, 2012 | 10:11 pm
  #21  
 
Join Date: Sep 2011
Programs: AA SPG Amex
Posts: 4,644
TSA is stupid, but even I find it hard to believe that they are that stupid as to not realize this was readable with very rudimentary tools. And to suspend PreCheck, as I've already said in other threads, would be to admit that TSA made a mistake, which they categorically do not do.

If anything, I think this will coincide with PreCheck becoming a membership-based program and it will be an excuse to get people to submit to a background check and pay a fee. No different really than GE (other than the competency level of the administering agency).
Upgraded! is offline  
Old Oct 24, 2012 | 11:09 pm
  #22  
 
Join Date: Mar 2011
Posts: 2,814
Originally Posted by jfunk138
It seems like the flaw mentioned in the article is that someone could know beforehand if they would need regular security or not before they get to the airport and thus could know if they could bring dangerous items, etc. because their BP would have that info already on it.

So why not make the scanner itself be what determines if regular screening is needed instead of the BP? Or am I missing something?
will2288 is offline  
Old Oct 25, 2012 | 12:33 am
  #23  
Ari
FlyerTalk Evangelist
 
Join Date: Aug 2005
Location: Chicago
Posts: 11,680
Originally Posted by mre5765
Does the bar code reader connect to the airlines' booking system? If not, then the reader would allow an unsigned BP.
No, but it knows the airline's private key. I'm unclear why you think it would need a live link to the airline in order to verify signatures if it has the private key.
Ari is online now  
Old Oct 25, 2012 | 12:36 am
  #24  
 
Join Date: Apr 2009
Location: WAS
Programs: AMEX Platinum, Global Entry, Priority Pass, SPG Gold, HHonors Gold
Posts: 1,594
Originally Posted by will2288
So why not make the scanner itself be what determines if regular screening is needed instead of the BP? Or am I missing something?
The TSA wants to assess a number of risk factors, including travel history and Trusted Traveler membership, to determine selection for PreCheck. An offline scanner can't make those assessments.
14940674 is offline  
Old Oct 25, 2012 | 12:45 am
  #25  
 
Join Date: Mar 2011
Posts: 2,814
Originally Posted by 14940674
The TSA wants to assess a number of risk factors, including travel history and Trusted Traveler membership, to determine selection for PreCheck. An offline scanner can't make those assessments.
Thanks. That makes sense.
will2288 is offline  
Old Oct 25, 2012 | 5:10 am
  #26  
 
Join Date: Nov 2008
Posts: 3,657
Originally Posted by 14940674
The TSA wants to assess a number of risk factors, including travel history and Trusted Traveler membership, to determine selection for PreCheck. An offline scanner can't make those assessments.
And herein lies the "problem". As long as passengers are permitted to print their own boarding passes outside of an airport, TSA will have a problem determining if the boarding pass is legitimate. Since TSA relies on the boarding pass to determine positive (PreCheck) or negative (SSSS) eligibility for screening, this is going to be an inherent flaw in the system.

I wonder if the "solution" to this is going to be a regression to the bad old days when you had to line up at the airline ticket counter to get a boarding pass issued ...
jkhuggins is offline  
Old Oct 25, 2012 | 11:07 am
  #27  
Ari
FlyerTalk Evangelist
 
Join Date: Aug 2005
Location: Chicago
Posts: 11,680
Originally Posted by jkhuggins
And herein lies the "problem". As long as passengers are permitted to print their own boarding passes outside of an airport, TSA will have a problem determining if the boarding pass is legitimate. Since TSA relies on the boarding pass to determine positive (PreCheck) or negative (SSSS) eligibility for screening, this is going to be an inherent flaw in the system.
Good god-- why does everyone keep posting about a flaw that doesn't exist? Do people not understand what an electronic signature is? This has been posted several times already.

I am starting to question the competence and literacy of my fellow FT'ers.
Ari is online now  
Old Oct 25, 2012 | 11:14 am
  #28  
 
Join Date: Sep 2011
Programs: AA SPG Amex
Posts: 4,644
Originally Posted by Ari
Good god-- why does everyone keep posting about a flaw that doesn't exist? Do people not understand what an electronic signature is? This has been posted several times already.

I am starting to question the competence and literacy of my fellow FT'ers.
Not to mention the fact that I was under the impression that those with SSSS couldn't print a home BP...
Upgraded! is offline  
Old Oct 25, 2012 | 11:25 am
  #29  
Ambassador: Alaska Airlines
 
Join Date: Jul 2009
Location: Seattle
Programs: AS MVP Gold
Posts: 2,733
There's no flaw and no security threat, only a great deal of speculation by uninformed individuals who haven't taken the time to verify any of their assertions.

The airlines send names to the TSA 72 hours prior to departure. The TSA determines who should not get PreCheck screening under any circumstances: the general public, those on "no-fly" lists, members who list a Trusted Traveler number that doesn't match their full name, etc. These people get a "0". Other people that are potentially approved for PreCheck screening get a "3". This information is stored in the boarding pass barcode, but it's not a secret. Security does not increase or decrease when passengers view the barcode information, including the PreCheck digit. The PreCheck approval digit and other identifying information in the bar code (like passenger name and flight details) are digitally signed by the airline which prevents any possibility of tampering. This signature uses public key encryption to allow the signature to be verified offline, without any connection to a live database maintained by the airline or the TSA.

At the airport when the BP is scanned, the reader makes a decision whether to allow the person into the expedited screening lane:
0 -> Normal screening
3 -> Expedited screening MOST of the time. The barcode reader or any TSA official can require a normal screening for any or no reason, whether there is a 3 there or not. This is the critical "random" element that ensures that getting a "3" on your BP is not a free pass.

The final screening decision is always made at the checkpoint, regardless of what is printed on the BP barcode. There's no hackery going on here (unless you call scanning a cereal box at the grocery store checkout "hacking") and no security threat.
baliktad is offline  
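
Added example (not part of the thread, and not airline or TSA code): a minimal offline verifier for the scheme described in the post above, where the reader holds only the airline's public key. The pipe-delimited record, the `^` separator, the toy RSA key and all function names are constructed for illustration and are not the IATA barcode layout; `require_signature` models the optional security field quoted from IATA 5.2.6 earlier in the thread.

```python
import hashlib

# Toy RSA key built from two Mersenne primes so this runs on the standard
# library alone. Far too small for real use; illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # airline's private exponent; never on the reader
PUBLIC_KEY = (N, E)                # everything the checkpoint reader stores


def _digest(data: bytes, n: int) -> int:
    """SHA-256 of the signed fields, reduced into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def airline_issue(name, flight, precheck, sign=True):
    """Airline side: build the constructed record and optionally sign it."""
    payload = f"{name}|{flight}|{precheck}"
    if not sign:
        return payload
    sig = pow(_digest(payload.encode(), N), D, N)
    return f"{payload}^{sig:x}"


def reader_decide(barcode, public_key=PUBLIC_KEY, require_signature=True):
    """Checkpoint side: verify offline, then read the PreCheck digit."""
    n, e = public_key
    payload, sep, sig_hex = barcode.partition("^")
    if not sep:
        # No security field: acceptable only where local policy does not require one.
        return "REJECT: unsigned" if require_signature else _lane(payload)
    try:
        sig = int(sig_hex, 16)
    except ValueError:
        return "REJECT: malformed signature"
    if pow(sig, e, n) != _digest(payload.encode(), n):
        return "REJECT: bad signature"
    return _lane(payload)


def _lane(payload):
    """3 means eligible for expedited screening; anything else is normal."""
    return "ELIGIBLE" if payload.rsplit("|", 1)[-1] == "3" else "NORMAL"
```

With `require_signature=False` the reader trusts whatever digit is printed, which is the case the earlier posts about an unsigned barcode are asking about.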
Old Oct 25, 2012 | 11:44 am
  #30  
 
Join Date: Nov 2007
Location: USA
Posts: 1,688
We glaze over the most important point of the article:

Soghoian of the ACLU suggests that if keeping laptops and small amounts of fluids in carry-on bags are a threat, TSA should keep random screenings confidential, rather than alerting PreCheck passengers early. He says that if those materials aren't a threat, then everyone should get expedited screening such as PreCheck.
Ysitincoach is offline  

