Former TSA site vulnerable to hackers

By Eileen Sullivan

updated 3:12 p.m. ET Jan. 11, 2008

WASHINGTON - Some travelers may be vulnerable to identity theft after petitioning the government a year ago to have their names removed from lists that restrict them from flying.

As many as 247 travelers who petitioned the government between October 6, 2006 and February 13, 2007 to have their names removed from those lists may be vulnerable, according to a congressional investigation.

The investigation into the Transportation Security Administration's traveler redress site found security problems with the government-sanctioned Web site, which have since been fixed.

The report, posted Friday on the House Oversight and Government Reform Committee's Web site, also found that TSA awarded a no-bid contract to a small Virginia-based company to run the program.

Investigators found one of the senior program managers at TSA who oversaw the launch of the redress site is a former employee of Desyne Web Services — the company that received the $48,816 contract to develop the site and continues to do business with TSA today. The employee is also a high school friend of the company's owner, according to the report.

TSA immediately fixed the site's security problems when it was made aware of the vulnerabilities last February. Every person who provided information to the insecure site was contacted, TSA spokesman Christopher White said. And there is no evidence than anyone's identity has been stolen.

"This is an old issue that was completely cleared up early last year and is not a significant issue today," White said.

A graduate student in Indiana discovered the site's security vulnerabilities last February while researching a paper on boarding pass security. Chris Soghoian — who is getting his doctorate in information security at Indiana University — noticed that the redress site was not secure, yet it asked for names, Social Security numbers and birthdates. Soghoian said when he sees a site like this "alarm bells go off in my head."

The lack of security makes the site vulnerable to those who want to steal others' identities.

Soghoian was interviewed for the congressional report.

Soghoian said he initially thought the site was a "phishing" site — a fraudulent Web site that tricks consumers into handing over personal information. But he soon discovered this was TSA's solution to help reduce innocent travelers from experiencing unnecessary security restrictions.

TSA has two lists — the no-fly list which can keep a traveler from boarding a plane and the selectee list which tags domestic airline passengers for extra searching and questioning at airports. These lists are much smaller portions of the terrorist watchlist. It takes more evidence of terrorist links to get on these smaller sections of the list than it does to get on the full list. Travelers have been prevented from boarding planes because their names were similar to names on the lists.

The agency is close to releasing rules for a frequent traveler program that would ensure a person is only mistaken for someone else on a watchlist once.

MORE FROM TECHNOLOGY & MONEY

Technology & Money Section Front

Your shopping type: Black Friday? Cyber Monday? Can your name affect your career? Is Black Friday really worth the effort?   Navigating Black Friday   Is Black Friday the best day for deals? 10 tips to find seasonal work this year   Experts share financial advice   Stop holiday overspending before it starts   Is the recovery real on Wall Street?   Study: Wall St. execs cashed in before collapse Technology & Money Section Front   Add Technology & Money headlines to your news reader: