Circumventing the No-Fly List in 30 Seconds

Published Wed Jan 11 2012 16:00:00 GMT-0800 (PST) by Rodney Folz

Every time you fly on an airline, your name is sent to the FBI’s Terrorist Screening Center to make sure you’re not a terrorist in disguise or something. If you have the misfortune to be on the TSC’s No-Fly list, you either aren’t allowed to board your flight or are subject to hours of interrogation and general mistreatment before you’re allowed on. Civil liberties violations aside, the list itself doesn’t actually work, especially since you can just change your name to get off of it.

However, if you’re on the no-fly list and you’d rather not change your name, there’s still a way to avoid being flagged:

  1. Get a friend who isn’t on the no-fly list to buy a ticket to wherever you want to go
  2. Check in online and go to print out your ticket from your browser. Print one copy.
  3. With your favorite DOM editor (Firefox and Chrome have them built in; press F12) change your friend’s name to your name. Print another copy.
  4. Give the ticket with your name to the TSA agent who scans your ID. It will match and you’ll be let through security.
  5. Give the ticket with your friend’s name to the gate agent who lets you board. It will match the flight information and you’ll be allowed to board.

This works because there is a massive lack of communication between the TSA and airlines; namely, that the TSA agent who looks at your ID doesn’t have access to the flight information, and the gate agent who checks your ticket against flight information doesn’t look at your ID.

This is so astonishingly simple there’s no way people aren’t doing it already. All that security, for nothing.

Update: Over at the Hacker News discussion, a few people have pointed out that I’m not the first one to write about this (although I came up with the idea independently). Christopher Soghoian and Bruce Schneier have both written articles on this subject as well, but discussed using Photoshop to alter a scan of the boarding pass rather than using a DOM editor to edit the raw HTML.

You can also find me @rodneyfolz on Twitter.