Zach Lipton sez:
Andy Bowers over at Slate has hit upon something that has been bugging me for a long time: online check-in for airplane flights and the ability for anyone to print a boarding pass with whatever name they want on the front. Here's how the flaw works:
1. John Evildoer purchases a ticket for a flight under a false name (using a stolen credit card, naturally) and, on the day of the trip, prints his boarding pass online with the airline's online check-in service.
2. Mr. Evildoer then fires up his trusty image editor and changes the name in his HTML boarding pass to his real name.
3. When he goes through security screening at the airport, he shows the second boarding pass (the one with his true name) and his real ID. The name on the boarding pass and the ID match, so he is admitted. At this point, the no-fly list or other watchlists are not checked.
4. When he goes to board the flight, he hands the gate agent his first boarding pass (with the fake name). The pass is real, so the barcode scan detects no problems, but since no ID is required at the gate, there is no actual confirmation that he traveled under his real name. If John Evildoer were on the no-fly list, the TSA never would have known.
Link to Slate story.
Several readers have also pointed out that Bruce Schneier covered this issue in 2003, on his blog: Link (thanks, Don Whiteside, Kenneth Prager, Rod Begbie, and others)