We Have Solid Authentication!!! So what?
I saw an interesting post over at TNT's blog, where Ian Glazer had blogged about authentication being the holy grail for a lot of organizations. He gave an interesting example of why authentication is important, but why everything after it is even more important, and it had to do with checking in online for a flight. Having just done that a couple of hours ago, it made me think.
A snippet:
As I went through Dulles today, I had a chuckle at the most hackable authentication event you will ever see... airport check-in. Bruce has written about this. I am Jim Badguy and want to travel. I am a wanted bad person. I'm not on the TSA No-Fly list because that list is actually generated from a list of people who receive Publisher's Clearinghouse mailers. I have Bill Goodguy's credit card info. I buy an e-ticket with Bill's card info. I save the e-ticket out of my browser. I print a copy out with Bill's name on it. I manipulate the saved version of the e-ticket, and put my name on it. I head off to the airport with both copies of the ticket in my bag. I get to security and show them my valid driver's license and my manipulated e-ticket, the one with my name on it. Everything is cool and off I go to the gate. I get to the gate and use the valid ticket, the one with Bill's name on it, to board the plane. Authentication totally hacked. What I do after the point of (mis)authentication becomes critically important.
###
I don't think I'll try this anytime soon, but I'm naive to think it hasn't already been done. The 9/11 hijackers didn't need to go to this level initially, and even in this era of Heightened Security, it makes me think about what Heightened means.
It conjures up the vision of the town of Rock Ridge from Blazing Saddles, where they built a 'town' that was merely a front, a la a Hollywood set, to look like a town, after installing a toll gate in the middle of the desert southwest to thwart the bad guys...
Somebody better go and get a sh*tload of dimes...