A week ago I wrote TSA’s 25,000 Security Lapses & How They Can Be Reduced and referenced the use of Aztec barcodes as a security feature stating “TSA has not worked with airlines to implement these impossible to forge barcodes.”
I received a few comments and emails stating Aztec barcodes could be forged. Some readers sent me Aztec bar codes containing links to Flying With Fish, or messages stating that Aztec bar codes can be forged … such as this QR barcode:
While an Aztec barcode can be created to link to any website, graphic or nearly anything else online, what those commenting on Aztec barcodes are missing is the security procedures that need to be universally established, and implemented by an organization such as IATA, to make it virtually foolproof.
The Transportation Security Administration (TSA) and airlines have long struggled with boarding pass verification. The TSA seeks to implement boarding pass verification for passenger identification and security, while airlines seek options for passengers’ identification for the purposes of revenue protection. Presently nearly all paper boarding passes have a standard 2D Bar Coded Boarding Pass (BCBP) that has been implemented as part of IATA’s Simplifying The Business Program, and all mobile boarding passes utilize Aztec Code, also as part of IATA’s BCBP standardization program. With these standards in place, what is not in place is this …
… the Aztec or BCBP barcodes linking to a ‘live site.’ Some of these features are in place with the mobile boarding passes: a TSA Travel Document Checker scans the mobile boarding pass and a passenger’s name and flight information come up from the airline, which is secure unless the system is hacked … but this security feature is presently limited to mobile boarding passes only. This security limitation, and a frequently relaxed attitude that results in incorrect identification matching, lead to security lapses that should not occur.
Can someone create an Aztec barcode that links to a fake website? Yes, but if the scanner is only allowed to accept Aztec barcodes leading to a secure site, any forged barcode leading elsewhere simply won’t scan.
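A sketch of the scanner-side check described above, added here as an illustration and not taken from TSA, IATA or any airline system. It assumes the barcode payload decodes to a URL; the host names and the `check_barcode_url` function are hypothetical.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist of verification hosts a checkpoint scanner trusts.
# These names are constructed for illustration, not real airline endpoints.
TRUSTED_HOSTS = frozenset({"verify.airline-a.example", "bcbp.airline-b.example"})


def check_barcode_url(decoded: str) -> tuple[bool, str]:
    """Decide whether a URL decoded from a barcode may be followed."""
    # Whitespace and control characters are never valid in a scanned URL.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in decoded):
        return False, "whitespace or control character in payload"
    try:
        parts = urlsplit(decoded)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme is not https"
    # "trusted-host@other-host" puts the trusted name in userinfo, not the host.
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present"
    if port not in (None, 443):
        return False, "unexpected port"
    host = parts.hostname or ""
    # Exact match only: suffix or substring matching would accept lookalikes.
    if host not in TRUSTED_HOSTS:
        return False, f"host {host!r} not on allowlist"
    return True, "ok"


# Constructed sample payloads, as a scanner might decode them.
SAMPLES = [
    "https://verify.airline-a.example/pass?pnr=ABC123",
    "http://verify.airline-a.example/pass?pnr=ABC123",
    "https://verify.airline-a.example@forged.example/pass",
    "https://verify.airline-a.example.forged.example/pass",
    "https://verify.airline-a.example:8443/pass",
]

if __name__ == "__main__":
    for payload in SAMPLES:
        accepted, reason = check_barcode_url(payload)
        print(f"{'ACCEPT' if accepted else 'REJECT'}  {payload}  ({reason})")
```

Passing this check only means the scanner will contact a trusted host; the passenger and flight details still have to come back from that host's own records.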
Is any network hack proof? No, not yet, but breaking into a network and inserting fake flight information is considerably more difficult than simply generating a fake Aztec barcode.