Monday, February 07, 2005

Happy Hijackers

Slate has an article showing how all the TSA CAPPS II no-fly lists are useless. It works like this: Joe Terrorist buys an airline ticket under an assumed name, say Bob Jones, probably with Bob's stolen credit card. The day of the flight, he downloads an online boarding pass. He then hacks the image of the pass to create a copy with his real name on it, and prints both the hacked and unhacked versions.

At the airport, he shows the security droid his hacked boarding pass and his real ID. The droid never checks whether the name on the pass is the name the ticket was sold to. When Joe boards the plane, he turns in the original boarding pass, which does show the name it is supposed to. No need to show an ID again.

In this scenario, it's Bob Jones' name that gets checked against the blacklist. Since Bob is a fine upstanding citizen, his references are as white as snow. Most ten-year-olds today could pull this off.

So much for the TSA spending a gazillion tax dollars and hacking into everyone's electronic records in the name of almighty security.
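The gap in the scenario above is that the checkpoint compares the printed pass to the ID but never to the record of who the ticket was sold to. As an added example (not part of the original post or the Slate article), this sketch contrasts that visual check with a checkpoint that authenticates the pass first; the key, field names, flight number and MAC scheme are assumptions for illustration, not how any real boarding pass works.

```python
import hashlib
import hmac
import json

# Hypothetical issuer secret, constructed for this example.
ISSUER_KEY = b"constructed-demo-key"

def _tag(name, flight, date):
    # MAC over an unambiguous encoding of the printed fields.
    msg = json.dumps([name, flight, date]).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue_pass(name, flight, date):
    """Issuer side: the pass carries a tag bound to the name it was sold under."""
    return {"name": name, "flight": flight, "date": date,
            "tag": _tag(name, flight, date)}

def visual_check(bp, id_name):
    """Checkpoint as described in the post: printed name against ID, nothing else."""
    return bp["name"] == id_name

def verified_check(bp, id_name, no_fly):
    """Hardened checkpoint: authenticate the pass, match the ID, then screen."""
    expected = _tag(bp["name"], bp["flight"], bp["date"])
    if not hmac.compare_digest(expected, bp["tag"]):
        return "reject: pass does not match what was issued"
    if bp["name"] != id_name:
        return "reject: ID does not match pass"
    if id_name in no_fly:
        return "reject: name is on the list"
    return "accept"

# Constructed sample data using the names from the post.
NO_FLY = {"Joe Terrorist"}
ISSUED = issue_pass("Bob Jones", "XX100", "2005-02-07")
ALTERED = dict(ISSUED, name="Joe Terrorist")  # printed name edited after issue

if __name__ == "__main__":
    print(visual_check(ALTERED, "Joe Terrorist"))
    print(verified_check(ALTERED, "Joe Terrorist", NO_FLY))
    print(verified_check(ISSUED, "Bob Jones", NO_FLY))
```

The visual check accepts the altered pass because it only compares two things the traveler controls; the verified check rejects it because the tag no longer matches the printed name.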


