Wednesday, April 30, 2008

AA Boarding Pass & iPhone

I saw this blog entry this morning and it has been eating at me all day. I am not sure if this person just got "lucky" or if this is something the airline is instructing gate agents to do. It will only be a matter of time until I am involved in the meetings regarding using an electronic version of a boarding pass. I have a few ideas regarding how we can handle this:
  • Don't allow it... for now - I see many opportunities to game this (obviously) but of course you can get on a plane with a printout from a website, which in my opinion is about as secure as accepting boarding passes made with crayons and construction paper.
  • Accept it... but only after working on a method of authenticating and authorizing the boarding pass. Perhaps some sort of code that is sent via SMS to a predefined phone number that is only valid until boarding is completed or the plane leaves the gate... the code would be sent when the gate agents "activate" the flight some time before boarding begins. The catch is getting the gate agents the code verified in a timely manner. Perhaps a shared code?
Obviously the TSA and DHS will have something to say about this as they use the boarding pass as authorization to get to the gates. That one will be trickier as I have been stopped and pulled aside for having a printout (not crayon-based) of a standby pass. The TSA agent looked at me like I handed him a restaurant menu. It took three of them to decide I was OK to proceed to the gate. I can only imagine what will happen when someone shows them an iPhone or BlackBerry...
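A sketch of the "accept it" option above, added here as an illustration and not taken from any airline system: codes exist only once the gate agent activates the flight, each one is bound to a phone number on file, works once, and dies when boarding closes. The class name, the HMAC derivation, the 6-digit length and the sample flight and phone values are all assumptions.

```python
import hashlib
import hmac
import secrets


class GateSession:
    """Hypothetical gate-side state for one flight (all names are illustrative)."""

    def __init__(self, flight_id, phones_on_file):
        self.flight_id = flight_id
        self.phones = set(phones_on_file)  # predefined numbers from the booking
        self.key = None                    # no key, so no valid code, before activation
        self.boarded = set()

    def _code(self, phone):
        # Per-passenger code: HMAC over flight and phone, truncated to 6 digits.
        msg = f"{self.flight_id}|{phone}".encode()
        mac = hmac.new(self.key, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:8], 'big') % 10**6:06d}"

    def activate(self):
        """Gate agent activates the flight; returns {phone: code} for an SMS gateway."""
        self.key = secrets.token_bytes(32)
        return {p: self._code(p) for p in self.phones}

    def verify(self, phone, code):
        """Accept a code once, only for a number on file, only while boarding is open."""
        if self.key is None or phone not in self.phones or phone in self.boarded:
            return False
        # Constant-time comparison; bytes so odd input cannot raise.
        if not hmac.compare_digest(self._code(phone).encode(), code.encode()):
            return False
        self.boarded.add(phone)
        return True

    def close(self):
        """Boarding completed or aircraft left the gate: every code stops working."""
        self.key = None


if __name__ == "__main__":
    # Constructed sample data, not a real flight or real numbers.
    gate = GateSession("AA100-2008-04-30", ["+15550100", "+15550101"])
    sms = gate.activate()
    print("first scan:", gate.verify("+15550100", sms["+15550100"]))
    print("replayed:  ", gate.verify("+15550100", sms["+15550100"]))
    gate.close()
    print("after close:", gate.verify("+15550101", sms["+15550101"]))
```

A 6-digit code is guessable, so a real gate reader would also need to limit failed attempts per phone number.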

Sunday, April 27, 2008

I take my job seriously...

because of articles such as this one. Whole-disk encryption is part of the solution but I think we need to take an honest look at how and when sensitive data is accessed and how we treat it when it is at rest.

Friday, April 25, 2008

How not to hire a CISO on parole

Seriously, how do things like this happen?