Thursday, October 6, 2011

CAT/BPSS - Automatic ID/Boarding Pass Checker

Passport & Boarding Pass

You're probably wondering what exactly CAT/BPSS stands for, right? It's been making the news over the past week, but if you haven't read about the technology, it stands for Credential Authentication Technology/Boarding Pass Scanning System. I prefer to call it the ID Thingamabob.

Short Story: It detects fake documents and IDs.

Slightly Longer Story: This is a seriously cool piece of technology that enhances security and increases efficiency by automatically and concurrently comparing a passenger's ID and boarding pass to a set of security features. It verifies that neither have been falsified and that the information on both match. The system also verifies the IDs of airline personnel and can screen a wide range of travel documents.

Just last month, we purchased a total of 30 systems that will be deployed at select airports for further operational testing early next year. The airports included in our TSA Pre program (DFW, MIA, DTW, ATL) will be among some of the first recipients of the systems.

What should passengers expect once we begin to test these in airports? Passengers will hand their ID to the TSA Travel Document Checker (TDC) who will scan it while the passenger scans their own boarding pass using a built in scanner that's part of the technology. Once the scan is complete, the technology automatically and permanently deletes the information from the system. Here's a link to the Privacy Impact Assessment for the technology.

If testing proves successful, TSA could deploy the technology to airports nationwide. Our officers at airports that are not part of the operational testing will continue to verify travel documents with the aid of lights and loupes, as one of many layers of security.

Read more about IDs  Here

Blogger Bob
TSA Blog Team


If you’d like to comment on an unrelated topic you can do so in our Off Topic Comments post. You can also view our blog post archives or search our blog to find a related topic to comment in. If you have a travel related issue or question that needs an immediate answer, you can contact a Customer Support Manager at the airport you traveled, or will be traveling through by using Talk to TSA.

28 comments:

Nadav said...

As far as I don't like to work with potentially-information-collecting devices, I have to agree that this is a smart move from the TSA.

Humans make mistakes, computers don't. If a computer will verify credentials automatically while a human also takes a look at the information, it can be a big boost to security. Right now, when a person has to type the information, it's a potential disaster.

However, the system must be 100% safe and unhackable, or it will be hacked like any other computer.

Nadav

RB said...

TSA is only authorized by Congress to conduct an Administrative Search for Weapons, Incendiaries, and Explosives.

What part of searching for WEI does this ID and Boarding Pass inspection fall under?

Anonymous said...

And one more time, Bob, can you explain what ID has to do with security? Oh, wait, you can't, because it doesn't.

You lot would be funny if you weren't so dangerous.

Anonymous said...

Another non-problem solved at grotesque expense.

There is no major [or even minor] issue with passengers using falsified boarding passes and fake IDs to scam their way past "security".

There IS an issue with supposedly intelligent TSA wonks being unable to spot the difference between a college ID and a drivers license, matching the name "[something] Noibi" on the college ID to the name "John Jones" on the boarding pass, and being able to determine that the date on the boarding pass was two days ago.

A reasonably bright third grader could do this without high tech gizmory; TSA can't. Or at least couldn't back in May or June of this year when Noibi stole boarding passes with other peoples' names on them and used one to fly from NYC to LA, and then TRIED to use one to fly from LA to Atlanta.

Both times, TSA let him past "security"; the second time, the airline itself caught him before boarding.

The first time, the airline caught him in mid-flight and turned him over to TSA in LA ... who did nothing with him.

TSA has spent a half BILLION dollars on a technological solution to the $25 "butt-bomber", it's gobbled up billions in lost productivity for the $25 "shoe bomber" ... neither of which would have done more than make smoke and a few people gag. And now they're going to spend HOW MUCH of our money to do, with technology, what a child could do by counting on his fingers?

Will you people PLEASE give my wallet a rest?

.

And since I cannot comment with "Name/URL", I'll sign as if I am anyway:

rwilymz
http://dblyelloline.blogspot.com/

Anonymous said...

How exactly does checking ID's enhance security? After all, doesn't everyone still have to pass through screening?

A few months ago, when a person got through TSA ID checks with fake boarding passes that weren't even in his own name and flew a flight or two, TSA claimed that there was no danger or security problem because the person had still gone through regular screening and therefore was not a threat. So if that's the case, what's the point of the ID check at all? And please don't trot out the old "Identity Matters" line- that doesn't answer the question.

Oh, and by the way, since you are still allowed to fly without showing ID, the question again comes up, what is the point of the ID check at all?

This same question has been repeatedly asked by many people, and is always ignored by TSA.

Seems like a waste of taxpayer dollars by the TSA on yet another "cool" (to use your own words) piece of hardware that provides zero security improvement.

Anonymous said...

Just playing devil's advocate here, since we have all seen the TSA spend ungodly sums of money on equipment/procedures that did not work as advertised.

Here's a list of identification documents that CAT/BPSS needs to recognize with 100% accuracy, or it is worthless:
- Federal/DOD CAC's
- TWIC's (New and old formats)
- MMC's (Look it up. Sister agency).
- MMD's (Look it up. Sister agency).
- Driver's licenses of all 50 states, both 'National ID' standard and not.
- Passports from around the world.
- Passport Cards (US).

Wait a second. Doesn't this sound like the list of identification that TSO's were supposed to have been trained to recognize?

Does BPSS compensate for different printer types? Inkjet? Laser? Dot Matrix? Color Laser? Toner problems (What if the 'black' isn't the black it expects, say a 4 color printer with a bad Cyan cartridge?) Does a change in paper type cause any problems? How about stains (coffee, sweat, etc)?

If I print my boarding pass at home, and the printing bleeds, will this magical device say it is forged?

And how do we know this device will behave exactly as stated for the life of said device? Oh, that's right. We have the word of the TSA that is how it will behave.
Yes, I have a very explicit level of trust for the TSA.

Anonymous said...

[[Humans make mistakes, computers don't.]]

You've never worked with computers, have you, there, Nadav?

Computers make mistakes continually. Only in part because they are programmed by fallible human beings. The rest of the reason is because the computers are, in their essence, a mechanical apparatus and thus subject to mechanical failures and breakdowns.

My own desktop computer at work - a DoD machine - requires a government-issued smart card to log into. Smart cards are as stupid as a box of mismatched doorknobs. The card is encoded by a fixed format imprinter run by the DoD, and the card reader is interpretted by the corresponding fixed format credential verification run by the DoD. Half the time the card reader doesn't read, or the verification softward can't interpret. It takes three or four attempts most days to log on.

And then after I *AM* logged in, it often forgets who I am halfway through the day and won't let me have email or network access.

Every few months I have to take a half day to trot out to the base "security" office and get them to recode my "smart" card ... because these things never make mistakes. And all this is with digitized input in ONE FORM. There are fifty states with multiple credentials each, several territories and districts with their own, one federal passport and several other credentials, several airlines with various boarding pass formats ...

DoD is a system that has been in place for ye-e-e-ears. And DoD security is significantly better than what TSA puts out.

You wanna lay odds on how this is going to work?

.

And since I cannot comment with "Name/URL", I'll sign as if I am anyway:

rwilymz
http://dblyelloline.blogspot.com/

Anonymous said...

Why does it matter who is on the plane? As long as they have been properly screened and have no weapons or explosives, they are no real threat to the plane provided that the cockpit is secure. If somebody tries something on a plane, I predict the other passengers will beat them into submission.

This seems like an expensive overreaction to the incident a few months ago where the guy got through security twice with day old boarding passes in somebody else's name. Of course that guy was deemed not to be a threat because he was properly screened.

Saul said...

This sounds like yet another in the long list of TSA-purchased technologies that is a solution in search of a problem.

Ignoring the idea that identification has nothing to do with aviation security, what is the problem with the current system of showing the TDC your ID and boarding pass? It seems to me that it has worked perfectly fine.

And the well-publicized incident earlier this year where a passenger had several stolen boarding passes under other names? Your own employer stated that this presented no security risk whatsoever.

http://latimesblogs.latimes.com/lanow/2011/06/nigerian-stowaway-had-at-least-10-boarding-passes-none-in-his-name.html

«The Transportation Security Administration, which conducts passenger screenings, issued the following statement:

"Every passenger that passes through security checkpoints is subject to many layers of security including thorough physical screening at the checkpoint. TSA's review of this matter indicates that the passenger went through screening. It is important to note that this passenger was subject to the same physical screening at the checkpoint as other passengers."»

To the insult of all taxpayers, the TSA and DHS are fascinated with shiny new technology (often associated with well-connected lobbyists) that add absolutely no security benefit.

Nadav said...

[[Only in part because they are programmed by fallible human beings]]

You nailed it there. All the problems you described are due to bad equipment (card readers) and bad programming (forgetting who you are). The computer just does what it was told to do.

I am working with computers (I even do some programming sometimes), and all the mistakes the computer makes are because of my errors. Unless it was infected, I never saw a computer doing something stupid on its own.

I agree that this system isn't perfect (and I am a huge supporter of less government spending), but it uses a great advantage computers have over us, humans: they can do the same task over and over without getting tired, for 24 hours a day. They don't care if it's 2pm or 2am, and they are less likely to make a mistake becaus they're tired or fought with their wife before arriving to work.

This system needs to be programmed and checked over and over before it's introduced to airports. TSA officers should be able to do this job (checking boarding passes and IDs), but apparently, as others have pointed here, there have been cases that they were misguided and didn't notice. A well-programmed computer should catch that easily.

Nadav

Adrian said...

On a recent flight from OAK, the document checking podium had a new barcode scanner. The officer checking the documents try to read the 2D barcode on my boarding pass with it. After several tries, he gave up and allowed me to enter. (The boarding pass read fine at the airline gate.)

This experience leads to me to believe you will still be able to forge boarding passes. Just use an inkjet printer, and smear the barcode a little bit. A drop of two of rain should do it. Once the podium reader fails, the TSO will compare the printed information to your ID card (which will scan just fine).

Adrian said...

More than three million on 30 test units. That's roughly a $100,000. If the TSA decides the tech is good, they'll need hundreds (thousands) more. (Sure, the actual devices might be cheaper, but you have to pay for maintenance, certification, repair, replacements, etc.)

Seems like an awful lot of money to check IDs. How's TSA gonna pay for all that?

Anonymous said...

So you got a solution where you don't have a problem? And this is considered cool.

Why does TSA care who flies as long as they've been checked as incapable of being a threat? Little wonder the employees of TSA have a confused understanding of what their jobs are. Their management has no mission in mind.

Sad that the agency is such a pitiful waste of taxpayer money.

Anonymous said...

These machines would only be of some, limited, use if you had a useful database of actual dangerous persons (and not a half a million innocent people) and if high quality fake IDs could not be produced.

Not the case.

Curtis said...

I suspect that is going to be another pile of scrap in a few years- remember the 'puff portals?' However, I would rather the TSA spend its budget money on junk that probably won't work very well than on more AIT machines. I say go for it.

Anonymous said...

According to how this is described hee, this will only match names on two documens. Then the info is deleted. That is unlikely; this is a digital, networked device, which means that absolutely everything can be retained on a database. This is another case of the Federal government telling us that they won't do something, when time after time it is later revealed that it did exactly what they said they would not do.

Seems like a lot of money for little benefit. Again, what does identity have to do with security on an airline flight?

Oh, by the way, I believe that airline tickets should be transferable, exchangeable, and refundable. All of this attention to ID on airlines makes no sense. It should now be this: if you have a ticket, you get on the plane. Period. An airport should be have been turned into the Constitutional twilight zone.

Anonymous said...

[[All the problems you described are due to bad equipment (card readers) and bad programming (forgetting who you are). The computer just does what it was told to do.]]

You are incorrect, and I suspect you know nothing about computers.

You've never had an optical mouse refuse to recognize mouse movement? That is a mechanical failure, has nothing to do with human fallibility, and if you say "no" I'm going to call you a liar - or someone that's never used an optical mouse.

Card readers fails mostly because of dust and grime infiltrating and obscuring the magnetic read heads. Has nothing to do with human fallibility and everything to do with the limitations of mechanical engineering. Then next most common reason is the gradual degausing of the mag strip on the CAC. Another limitation of the mechanics - and my most common annoyance. This affects frequently-used credit cards as well, or those stored improperly.

My smart card terminal is used to read a CAC three, maybe four times a day, depending on how many meetings I go to that cause me to auto-lock the terminal. Every three months or so I have to get the CAC reset. This TSA "solution" to a non-problem is going to have glorified card readers in more/less continual operation on a daily basis collecting grime, fingerprints, sebacious oozing from every non-latex-gloved passenger who comes into contact with it, dust and electromagnetic interference.

The card swipes in your local grocery stores don't last a month between tune-ups. Are these going to go as much as a week?

How many failed reads are going to be pulled aside as attempted infiltration of a "secure zone" and strip-searched or arrested or simply 'detained' until they miss their flights? And all because people - like you - who know nothing about computers, are determined to insist that "computers never make mistakes".

Pay attention here, Nadav: Yes. They. Do.

rwilymz
http://dblyelloline.blogspot.com/

TJ said...

@Adrian: The data on both state IDs and boarding pass barcodes is unencrypted. A fake boarding pass does not have to have an unreadable barcode to defeat this "security."

A determined enough evildoer can defeat this scheme just like any other - so it's another waste of our money and time at the checkpoint.

Anonymous said...

this should turn into a constructive blog all thosae with problems with the tsa please provide reasonable solutions to the problems you are complaining about. what good is it if all you do is say 'i dont like this, i dont like that' common bloggers your smart enough to see the problem lets hear a solution. and no 'get rid of tsa' is not a solution. btw what percentage of the govt budget/defecit does tsa make up for?

Anonymous said...

solution!
give the id check back to the airlines! of course they never made any mistakes... they are the ones that put this on the tsa in the first place. why not take it up with them the next time you book your overpriced airfare. another govt bailout is on the way

Anonymous said...

its funny how so many people want to know why names and boarding passes are important and then others that slam the tsa for not being able to do it. perhaps you folks should get together and figure out what is what, you cant have it both ways.

Anonymous said...

Bob, will these machines be deployed at all checkpoints?

If not, I think it is very important that they be programmed to simulate the experience one receives at the other checkpoints, thereby providing a consistent experience for the passenger.

For instance, you should program the machine to insist that Nexus/Global Entry cards are not valid forms of ID. Have the machine refuse them randomly about half of the time.

Then, when presented with evidence that they are in fact valid ID (such as a print out from this blog or the TSA website), have the machine yell in a loud voice "the website is out of date!" , "that is not a valid form of ID", "respect my authority".

Then send the machine for "retraining" every year or so, at a prohibitive cost.

This level of consistency at the checkpoints will not only keep us safe from terrorists, but will also keep the budget dollars flowing in.

Screen shot saved.

Anonymous said...

Bob,

Will this prevent me from having to explain what a NEXUS card is to the Travel Document Checker every time I fly? Also may I ask where the Privacy Impact Assessment is for the Advanced Imaging Technology project? All in all it does sound like a good idea. My last question is will it validate that the boarding pass is actually valid like the scanners at O'Hare.

Jim Huggins said...

Anonymous writes: this should turn into a constructive blog all thosae with problems with the tsa please provide reasonable solutions to the problems you are complaining about.

You're obviously new here. Plenty of suggestions for ways to change TSA procedures have been cited here, week after week after week. Most go unacknowledged. A few are rejected outright. The rest are dismssed with statements like "you just don't understand".

There's no point in making constructive suggestions when it feels like nobody's listening.

Adrian said...

@TJ: According to the privacy disclosure document linked in the original post, the barcode on the boarding pass includes a digest encrypted with the airline's private key. The TSA decrypts the digest with the public key and verifies it. Thus it is hard to forge a working barcode. It would be much easier to smear the ink and render the barcode unscannable.

Anonymous said...

jim huggins said:
"You're obviously new here. Plenty of suggestions for ways to change TSA procedures have been cited here, week after week after week. Most go unacknowledged. A few are rejected outright. The rest are dismssed with statements like "you just don't understand".

There's no point in making constructive suggestions when it feels like nobody's listening."

actually im on here prob as much as you and NO there arent constructive alternatives provided. its usally "we all hate the tsa now go away!"
you understand that the tsa is involved in screening over a million, yes million people a day. im completely rational to understand that there will be instances where the tsa will make mistakes. the tsa is a HUMAN organization that hires HUMANS to do the job needed. well guess what HUMANS are prone to making mistakes, sometimes often because they are in fact HUMAN. the problem on here is that everyone thinks that the tsa HUMANS should be perfect, PERIOD. well any rational person realizes that this in not possible. you realize that the typical tsa person earns ~$28k/yr. in any major metro area you cannot live on this amount. you realize that the people applying for these jobs are the same ones applying for jobs at the same pay level, ~$13/hr. you tell me, what type of person will apply for a job that earns $13/hr? im guessing a high school grad, possible some post college classes and thats it. if the tsa was to raise its average wage perhaps the quality of HUMANS that apply for the job will be in a higher level, this allows for the POSSIBILITY that the overall level of mistakes could go down however they are still HUMAN. so, lets stop with the whining and offer positive solutions to the problem. for instance, mine is increase the salaries for tsa people and see if things start to improve.

Jesús- Comida a domicilio en Mazatlán said...

Hi Nadav,

I agree with you, it is true that this device can boost the security; however I'm wondering if it is economically profitable; in other words perhaps it cost too much for the benefit that it is going to give.

Anonymous said...

Of course, after you check in under your real name, you can go to your gate, buy another ticket with your laptop under any name you want, and print it on a portable printer, thereby making it impossible to determine who really boarded the flight.

But who cares? This new system costs a lot and makes things LOOK REALLY SAFE, which is what's important, right?