“…a list of people that are so dangerous we can’t allow them to fly for any reason, but so innocent we can’t arrest them. Who are these people?”

- Bruce Schneier

I’ll show you a quick way to get around the list in order to prove that the no-fly list, like most TSA procedures, does not provide additional security.

Are You On the List?

Using a service called CLEAR you can check to see if your name is on the No-Fly list by signing up for their service (they have a refund policy if you don’t use it). If they deny your account, then it is safe to assume you are on the no-fly list. Since that appears to be the only real reason they deny accounts.

Cheating the Checkpoints

This technique comes down to understanding when and how your identity is checked. Whenever you fly, your identity is checked at least three times (four times if you check-in to your flight in person). First, when you purchase the ticket (do this online), second, when you enter security, and finally when your boarding pass is scanned as you get on the plane.

Planning Your Purchase

When you purchase your ticket, the passenger name is checked against the no-fly list. This is the only time your name is checked. To bypass this, purchase the ticket with a credit card belonging to someone else. The ticket will be under their name, but (as I will demonstrate), it really doesn’t matter what name you book your ticket under (make sure to stick with the same gender, it just makes the process easier). Another option would be to use a prepaid debit card to purchase your ticket.

Remember, when selecting someone’s identity to use you should first check them against CLEAR.

Identity Crisis

The next check is just before you go through security. TSA Agents check your ID card (or passport) against your boarding pass, looking closely with a magnifying glass to verify that your ID is authentic. This detailed look at IDs makes using a fake a bad idea, plus the photo needs to look like you, so borrowing an ID won’t work either. The easiest way through this checkpoint is to modify your boarding pass (the only non-secure document here). At this stage, they are only checking you and your boarding pass against your ID. They don’t do a computer check against the no-fly list or even check that your boarding pass is authentic.

Modifying Your Boarding Pass

When printing a boarding pass you are simply printing an HTML page. With the Firefox extension Firebug you can live edit HTML directly in the page.  When viewing your boarding pass, print one authentic copy (with the stolen identity), then print another copy that has the name switched to yours (leave all the fight details intact). When you go through security present the modified boarding pass with the name that will match your valid ID. Easy.

The Switch

Finally, your boarding pass is checked as you get on the plane. It will be scanned and your name will appear on the screen (though ID is not checked), so you will need to switch back to your authentic boarding pass with the stolen name.

That’s it. Walk down the ramp and onto the plane. The most complicated part was using a Firefox extension to edit some HTML. You didn’t even have to open Photoshop. The no-fly list is another government program expected to help keep us safe. If it can be by-passed this easily shouldn’t we take a closer look at the rest of the TSA’s functions?

Note: This article is designed to point out the flaws in TSA Security. The author is not recommending that you try this as it is probably very illegal.

Basic Security

You see when you give your username and password to a service then they can login to your account. Sounds pretty basic right? But think about it. If they can login to your account they can post anything, change your photos, or whatever else. On Twitter they could even change your password and your email address so that you are locked out of your account without a recovery method.

I would never do something so foolish!

Of course you all have enough sense to not give out your password to just anyone who asks for it. Right?

Wrong. When I looked through my Twitter feed and see little ribbons next to people’s avatars I must point out that they just handed over access to their account to a complete stranger.

But all my friends are doing it!

The service Twibbon asks for your username and password which thousands of people are giving up without thinking twice. But it’s okay because they clearly state: “Your login details will not be stored and are only used to update your profile image.” Awesome. They sound nice. Why should you trust them?

@nipper Says it quite succinctly.

They don’t even look trustworthy! A single line of text shouldn’t make you think otherwise.

It gets worse.

You use email right? Is your Twitter password different than your email password? Yeah, I didn’t think so (to the smart ones who answered yes, congratulations! You passed web security 101). Interested in what you can steal if you know someone’s main email address and password?

• All social media accounts
• Bank Accounts
• Domain Names (It happened to David Airey)
• Blogs
• Your entire online identity
• Online Cell Phone Account

You get the idea. On the web your email address and password are the keys to your virtual kingdom. Why give up something so important just to turn your avatar green?

The best part.

Not only do users give up their password, but they also then post a tweet to tell their friends to do the same. Viral phishing! Now that’s clever.

Web developers should know better!

I found this unfortunate example the other day. The worst part is that many web apps are doing the same thing.

Even the well designed service BabelWith.me does it.

When otherwise intelligent web professionals build services that circumvent basic security principals we are teaching users that it is okay to give up valuable information to an unverified third party service. As designer and developers we need to be setting the standards (and following them!) for security if we are going to fight the increase in online identity theft. Not contribute to it!

There is a better way.

Twitter uses an authentication tool called OAUTH that allows for an app to temporarily access your account, but without requiring you to ever disclose personal information. It also controls what the app can do when they have access. Most of you have seen this screen:

The way security should be handled.

Basically this lets the app do the cool things it was designed to do, but it leaves you completely secure at the same time. It’s just better for everyone.

Think about this.

Your Twitter account is important. Business or personal it is still your brand online. You can’t afford to have it tarnished by a simple, foolish mistake. It would be really embarrassing to post to tell your 2000 followers they should all visit a porn site. It happened on MySpace and it is only a matter of time before it happens on Twitter.

Note: If I called you out specifically or offended you in some way please know that it is only because I am pushing for a safer web (and you were a perfect example!).

Update: This article from CodingHorror.com has some great information (Thanks @davidlwheeler):

You’re Probably Storing Passwords Incorrectly

Follow me on Twitter @nathanbarry