PreCheck "Hack" reached press
 

I think there was a post about this, which has now started to get coverage in mainstream press. TSA's non-denial of the problem is a bit surprising.

http://www.washingtonpost.com/nation...058_story.html

So FT posters are "experts"? :rolleyes:

I know a few are but I doubt they would proclaim themselves as such.

Media. Pah!

Nevermind, posted in wrong forum.

They must have known about this when they started the program; obviously it isn't a concern to them.

And the article is incorrect that a boarding pass can be modified and still get PreCheck; in practice, when a boarding pass signature scans as invalid, a person is either allowed to proceed through regular screening or to get a new boarding pass and try again (as it is a print-quality that causes this problem).

With elected representatives getting involved, expect the worst (ie a shutdown of pre-check).

It was an FT member Colpuck that is the blogger referenced in the story. I don't think its a big issue. We did just fine before full body scanners.

I think they'll do anything to avoid that; it would essentially require TSA to admit that they'd screwed up and were compromising "security" with the program. Modifications, perhaps (like a membership style program a la GE), but a total shutdown seems unlikely.

There are some ways the boarding passes can be modified and still get PreCheck LLL outcomes. But then to succeed with that requires relying upon human errors to take place. [Some human errors have very high frequency of incidence while others don't.]

I can only hope for an elimination of PreCheck -- and I continue to be serious about that. [But it won't happen anytime soon.]

There is no general need for liquids, laptops and laces to be exposed in bins at airport screening checkpoints. PreCheck LLL-type screening should be the default screening method for passengers in general.

Also giving the government another favor to grant or deny is just another way to enable it to control people it has already bought off during the divide and conquer game the government is playing on TSA-subjected individuals.

I wouldn't bet on that. Track record and all...

Why would terrorists even bother with this when they can just enter the NoS with a gun and have a 70% chance of getting it through? Or get a job with an airside vendor and have a 100% chance of getting the gun through?

I recently heard an AFSer insist that everyone and everything airside--including employees and goods destined for airside vendors--is screened by the TSA. Is there an ounce of truth in this? Did the guy behind the counter at the ATL Pizza Hut go through the TSA before getting to his workplace? Is every dolly stacked with Coke screened for prohibited items? Anyone who watches _Breaking Bad_ knows that a dolly stacked with Coke is a great hiding place.

The AFSer's claim is false. The TSA isn't omniscient and omnipresent -- it's a highly-flawed, overly-expensive organization.

Ah, yes, isn't he the one who wrote a whole post explaining how one can reverse-engineer his own boarding pass to get PreCheck only to find out that there is a boarding pass signature. Trying to "expose" a "security flaw" that doesn't exist. Fail. :rolleyes:

I question Colpuck's motive(s).

Actually, I believe he said he wasn't sure if there was a boarding pass signature and whether or not his reverse-engineered boarding pass would, um, pass...

Yes . . . I don't know what happened to that thread (moved? deleted?)

But he didn't explore whether there were any kind of security/check features added to the pass that would make changing a 1 to a 3 insufficient to "qualify" for precheck.

Curiously, TSA doesn't seem to have specified one way or the other, and it is reasonable to wonder whether it means that the PreCheck system will be changed or suspended as a result.

That's not what I read. The holier-than-thou post begins "I’m publishing this because I am seriously concerned with boarding pass security in the United States." Obviously, if someone is 'seriously' concerned about a security flaw, the proper course of action is to reach out to TSA and/or UA in private to bring it to their attention, not to alert the public with a bigger microphone than this blog so that it might be exploited. That's why I question his motives-- seems to me, he wanted to be a big shot and be the first to expose a security flaw in public (albeit a flaw which doesn't exist).

https://puckinflight.wordpress.com/2...-check-system/

The post continues:

(emphasis added)

I didn't see any hedging there at all. I believe he might also be wrong that 1 is no PreCheck-- 0 is no PreCheck. I don't know (I try to hedge when I don't know something for sure), but I think 1 means SSSS. I think 0 = CLR, 1 = SSSS, and 3 = LLL.

And then, when he figures out he is wrong:

https://puckinflight.wordpress.com/2...security-flaw/

Notice that the title is "Update on the TSA Security Flaw," not "Oops, I didn't know what I was talking about". It is hardly an 'update' when the information is only new to the author.

* * *

Whether knowing one has a '3' in advance of arriving at the security checkpoint constitutes a security risk is a topic open for debate; what Colpuck did was post fiction as fact to sound an alarm that didn't need sounding. There was no need to attract attention to a 'secret' frequent fliers find very convenient; the only thing that could come of it is that it changes, and that would be a bad thing for us.

What people also fail to recognize is that at airports like ORD, contract employees scan boarding passes before the line to security. Anyone wanting to probe the system can just turn around and go home if he doesn't get 3 beeps from the contract employee-- it isn't like one is already in the TSA area past some 'point of no return' when one finds out about PreCheck for a given flight. This 'flaw' (if it is one at all) was evident to me when AA first split the line in ORD T3 during PreCheck's first month. (Somehow, I resisted the temptation to post it, perhaps because I knew nothing good could come of running my mouth-- they could have reacted by shoving PreCheck back into the elite line). So one could probe the system long before people knew how to decode the barcode.

I take no pleasure in attacking my fellow FT'ers, but this poster's conduct is beyond irksome and requires calling out.

If they do a membership program like GE (and I'd gladly pay for that), they better have it rolled out across all airlines and at all the major and secondary airports.

While I agree with you, I don't expect this to ever happen again. Too many people are scared by the thought of people bringing "bad things" onto planes. The TSA has done a fantastic job scaring people into thinking bottled water and shoes are dangerous instruments.

The End of Pre-check?
 

Another article this morning about how terrorists can alter boarding passes to qualify for pre-check. Is this a TSA scam to end pre-check and increase their self worth?

http://news.yahoo.com/spoofed-boardi...231754237.html

The End of Pre-check?
 

I read it in cnnfn.com and thought the exact same thing. Great program, only if it works.

http://www.flyertalk.com/forum/check...pre-check.html

Well, it would not depend on the barcode, but rather on what's in the database on the backend.

Why would the TSA want to end it's own program?

http://www.tsa.gov/tsa-pre%E2%9C%93%E2%84%A2

Pre does not mean no checks. It's supposed to be a shorter line and keeping shoes on. You can already keep shoes on if you are elderly and don't need to be Pre.

As this concerns travel security, please follow it as it moves to the Practical Travel Safety Issues forum. Ocn Vw 1K, Moderator, TravelBuzz.

It shouldn't matter that the 1 or 3 referenced in the article above is in the clear. The barcode is digitally signed to prevent alteration. So long as the certificate(s) used to do the signatures remains secure, any alteration like that described in the article would mean that the barcode would fail the sig check. happened to me when my barcode was smudged and misread.

Another idiot news outlet takes Colpuck's word as the gospel truth. :rolleyes:

That would/should be the beauty of it: scan an ID and you're good to go. I would imagine it's much easier to get this right if it's an ID issued by TSA, scanned by a TSA scanner and no interface with the airlines is required.

But they want access to PNR data before giving out PreCheck on a given flight . . . though they don't require this of military.

I have spent a good 15 minutes looking around for these mysterious websites that can decode barcodes, and not found anything but this one, which doesn't work on any barcode image file I give it.

I have seen many breathless articles about the Grave Threat To Our Security posed by being able to know ahead of time whether I'll be groped and scanned.

How can I decode a barcode, either on a website or with my phone? None of the barcode scanner apps for iOS seems to read boarding pass barcodes.

I downloaded one for iphone that simply shows up as "scanner" and it works well. FWIW the boarding pass barcode is in PDF 417 format so finding one that supports it will work.

Ah, the missing link. Thanks! I just searched the app store for "pdf 417". Only one app showed up, but it seems to work. Thanks again! ^

My goodness, this terrible research by internet "reporters" is going to cause everyone to panic for no reason. So what if you can read the bar code. You cannot change the bar code and have it work, because it will no longer match the signature also encoded in the bar code, and you will be rejected.

This is simply the same system used to make sure that the pdf I am reading was not changed by someone. Just because I can read the pdf, does not mean I can change it.

The only "flaw" is that I can know before I go to the airport whether I will get PreCheck or not, which is not really a flaw.

It is a partial flaw.

If I'm an Evil Terrorist, attempting to subvert this system, I and my Evil Terrorist Co-Conspirators might try to establish a deep cover by doing enough air travel to qualify for PreCheck --- knowing that if we do qualify, we can take advantage of the lesser standards for PreCheck screening to smuggle our Evil Contraband through the checkpoint with high probability of success. If I know that I'm not going to get PreCheck, then I and my Evil Terrorist Co-Conspirators will have time to adjust our plans accordingly.

After all, it would be awfully suspicious if I come up to a checkpoint, present my boarding pass, and turn around and leave because I didn't qualify for PreCheck --- even if I'd be allowed to leave at that point. (I'm never quite clear about at what point TSA says I'm not allowed to leave without "completing the screening process".)

Sure, it's a small vulnerability. So is the chance that an aircraft is going to be taken down by a terrorist.

As I pointed out earlier in the thread, at major hubs, one is turned away from the PreCheck line long before getting to TSA; this is done by an airline-paid contract employee with a scanner. I doubt the contract employee will say anything much less notice or care if you just walk away if you don't get sent to the PreCheck line.

Just go to ATL. When denied for PreCheck by the airport private security, I turn around and go to the other screening checkpoint as the so-called elite line for NoS is just too long, and there's still some WTMD only lanes open on the opposite side. I've yet to have an issue.

Unless you get one who wants to try for the Big Catch, just like their brethren in the TSA ...

so what is the method to see if you'l qualify for pre-check on a Droid? Download a 417 barcode scanner, and then do what?

Scan the barcode on your BP. The last (some airlines 2nd to last) will be a 3 if you qualify.

So I checked in online for my Delta flight tomorrow from LGA (assuming they have pumped out LGA by then...). I scanned the bar code and the last digit was a 3. Yay!

Question: is the determination of getting into PreCheck static for the entire segment now, or might it change if I print out a boarding pass at the airport tomorrow?

Reprints should be ok; there was a problem during the summer when they didn't work, but that was very short lived.

No one here is privy to the internals of the PreCheck so this question is open. If I were designing such a system I would have a randomizer on both the check-in activity as well as at the check in location. I have no working knowledge of how this is actually done.

I doubt if its the best use of time uncovering details on pre-check as these can obviously be changed quickly at any time. I suspect in the near future the so called digit approval will be changed to a simple checksum verification and then the barscan party will be over and these threads will drift into the oblivion of Internet ether...