Tuesday, February 13, 2007

TSA has outsourced the TSA Traveler Identity Verification Program?

Feb 20 2007 Update: TSA took the site down, and has put it back up again. They've fixed a few of the problems, but the website is still outsourced, and still uses cookies (a violation of federal policy). See more here

Browsing TSA's website this evening, I came across a link to the new TSA Traveler Identity Verification Program.

"The TSA Traveler Identity Verification Program is designed to assist those airline passengers who have been delayed or prevented from traveling as a result of TSA's security measures."

The site is specifically aimed at passengers who have suffered from any of the following problems:

* Unable to print Boarding Pass at Kiosk/Home
* Directed to Ticket Counter every time I fly.
* Ticket Agent states that I am on a Federal Government Watch List
* Missed flight while attempting to obtain boarding pass

You can submit a handy-dandy form online to register your request/complaint.

Two things immediately jump out at me.

1. You are required to enter sensitive information from three of the following forms of identification:

A non-U.S. Passport, Voter Registration Card, Immigrant Visa, Driver's License, Birth Certificate, Government Identification Card, Naturalization Card, Military Identification Card, Certificate of Citizenship, DD Form 214.

These are very sensitive bits of info. A drivers licence number in particular, is often used by banks (due to Patriot Act provisions) to authenticate you when you open an account.

Worst of all - the form you submit doesn't go over an SSL connection! It goes plaintext over the wire. Heaven forbid you do this from an airport starbucks after being denied boarding, as anyone could sniff your info.

The relevant bit of code in question: form method=POST action=/pivf.htm

Now, they do at least have a ssl webserver running at https://rms.desyne.com/. But they're using a self-signed cert.

Update: I want to make it clear. I've only tested this by pressing submit on an empty form, and by viewing the source code to the form. To tell for sure, I'd have to submit a request to TSA - with bogus data.. and my now finely tuned "will TSA investigate me for this" radar tells me that submitting false information to an official government request form is a bad bad idea.

I searched the source for the words "https" - nothing.
I also found the 'form method' section, where it describes how the form is submitted.
It's quite possible that the creators of the website have created some kind of url-rewriting javascript sneaky tricks - although Occam's Razor leads me to believe that a simple mistake on a web designer's part is far more likely....

2. Unlike the rest of the TSA website, this is served from a different domain: http://rms.desyne.com/

Which means that a private company is running this site...

The whois database shows as follows:

Administrative Contact, Technical Contact:
Desyne, Inc. dns@DESYNE.COM
Desyne Web Services, Inc.
PO Box 143
Boston, VA 22713
(703) 391-2400 fax: (703) 391-2550

Record expires on 21-Mar-2015.
Record created on 20-Mar-1996.
Database last updated on 13-Feb-2007 21:32:10 EST.

This begs the question: Who are these guys, why don't they know how to use SSL and how were they awarded this sweet contract?

Why can't TSA do a simple form submission themselves?


Anonymous said...

A total guess here, but "desyne" looks like a variant of "design".

Could it be that the design of that section of the site was done by that firm, and the "integration of their deliverable" isn't complete?

If you visit http://www.desyne.com/done.htm
you will see that Desyne claims TSA as a client.

Anonymous said...

This may be surprising to hear: I am an employee at a major airline and I just recieved an e-mail that said we now have access to the TSA no-fly list, selectee list, and cleared list. I just accessed it and found it to contain thousands of names, DOB, SSN#s, drivers licesense #'s, military ID #'s, addresses, and even home phone #'s. The TSA just made this list and all of this information readily available to thousands of employees at my airline (and probably others). I think that previously this list was only available to ticket agents, but now it is available to every employee.
I find it quite disturbing that any airline employee has access to this information, and that many of the ppl on the cleared list have to give up there SSN# and other information.

Anonymous said...

anonymous - I think you'd do ordinary people a great service by posting a list of the names on those lists (bu omit the other details)

It would be useful for everyday citizens to see if they are on the list.

Sid Stamm said...

Wired 27b-6 is talking about this now.

Unknown said...

Regarding HTTPS and "It's quite possible that the creators of the website have created some kind of url-rewriting javascript sneaky tricks", you could use Fiddler to watch the actual HTTP request when the form is submitted to see whether they're doing that (without having to examine any javascript they use on the page); see fiddlertool.com.

Anonymous said...

DESYNE is a very corrupt and dishonest organization run by a man with a criminal record for fraud and internet charges. to have this rogue group linked to anything TSA or government related is a crime...