In addition to his comments on this blog, Matt Blaze has responded to the post below. He doesn't dispute my point that scanning boarding passes at the checkpoint will close the security hole that Schneier and Soghoian publicized.
In the comments to my post, I challenge Matt to explain why he thought his exploit was a real risk: "Maybe you can tell me what bad thing would happen if people could switch flights as you describe." He responds not with an actual example but by pointing out that TSA has said that it may decide to impose additional screening on particular routes if it has reason to be concerned about those routes. If TSA thinks it sometimes needs to focus on travelers using a particular route, he wonders, won't that screening be undone by ticket switching?
It's a fair point in theory but not in practice. Threats to routes have been very rare, and TSA has usually responded to those threats in an ad hoc fashion -- setting up special screening measures for passengers boarding those flights (you've probably seen some hand searches at the point of boarding, for example; an intensive version of those checks is eminently possible when a particular flight is threatened). That can include one-off checks of ID. That's a lot less expensive than completely redesigning the checkpoint system, which is apparently what Matt thinks TSA should do.
From a terrorist's point of view, even occasional gate checks make the Blazean exploit unattractive, because the consequences of having bad ID at that stage would be very serious for the terrorist. He'd immediately stand out from all the other travelers, and not in a good way. So relying on the ability to do one-off spot checks is a reasonable response to the rare occasions when intelligence pinpoints a particular route as under threat.
So we're back where we started. Matt hasn't identified a security hole that requires a massive change in TSA procedures, and he certainly hasn't proven his original claim that scanning boarding passes at the checkpoint is ineffective and ill-conceived.
Comments