[Cryptography] TSA Blows Off Suggestion To Encrypt Boarding Passes

Mark Atwood me at mark.atwood.name
Fri Jul 10 16:55:52 EDT 2015

As soon as I first saw a PDF417 2d barcode on my boarding pass, I
scanned and decoded it.  It's got nothing that isn't also printed in
human readable text on the boarding pass, with no signature.   I then
found the IATA standards doc for boarding passes.

This means, of course, that one can fake up sets of boarding passes with
different info printed than in the barcode.

Imagining what this enables, is left as an exercise to the reader...

Somehow I really doubt that the TSA's barcode reader at each TSO station
is connected realtime to all the airlines' passenger manifest databases,
especially since those databases are in flux until the moment the
jetbridge door is closed.

One of the what might have beens, is that a friend of mine who does IT
research for the IATA told me that prior to 9/11, the IATA was, in
parallel with talking out the standard that led to PDF417s on boarding
passes, also talking out a way to optionally eliminate the boarding pass
entirely: by allowing the terminal at the boarding gate to read the MICR
OCR lines on a passport or driver's license or similar known ID card. A
passenger could have opt'ed to use a boarding pass, or to just use their
existing ID.

Mark Atwood <me at mark.atwood.name>

More information about the cryptography mailing list