Consider the following security measures for airline travel. A list of names of people who are not allowed to fly is maintained by the government and given to the airlines; people whose names are on the list are not allowed to make flight reservations. Before entering the departure area of the airport, passengers go through a security check where they have to present a government-issued ID and a

boarding pass. Before boarding a flight, passengers must present a boarding pass, which is scanned to verify the reservation. Show how some one who is on the no-fly list can manage to fly provided boarding passes can be printed online. Which additional security measures should be implemented in order to eliminate this vulnerability?

What will be an ideal response?

The attack is committed by using two printed boarding passes. One of them is
the real boarding pass that is issued by the airline. The real boarding pass has the name
of a fake person on it, however, like "Mark Twain"—someone who is not on the no-fly list.
The other is a fake boarding with the flyer's real name printed on it. The flyer uses the fake
boarding pass to get through the security check, since it only checks whether the name on
the boarding pass matches that of the government-issued ID. Then the flyer uses the real
boarding pass with the fake name to get on the plane, since the scanner at the gate only
checks whether the reservation is valid. This way a reservation is made for someone who is
not on the no-fly list, but it is then used by someone who is on the no-fly list. There are at
least two solutions to limit the possibility of using this attack: (1) Have the security check
process also check that the printed boarding pass is for a valid reservation using the same
name (e.g., by having the barcode include a signed statement from the airline matching
the person's name to their reservation). (2) Have the airline gate check include a second
inspection of the flyer's government issued ID just before they board, to verify that their
name matches the one on what now must clearly be a valid reservation.