Reports today suggest that two of the people traveling on the ill-fated Malaysia Airlines Flight 370 were using stolen passports to conceal their identity. Two of the passengers who “boarded” the plane (one Italian and one Austrian) are alive and well today, and nowhere near the airplane. Both had reported their passports stolen (two years and 6 months earlier, respectively) while in Thailand.

How is it that anyone can board a plane today using a stolen passport?

Before 9/11, travel on fraudulent documents was not infrequent. That’s because no central repository or database for lost travel documents existed. So, while a stolen American passport might, for example, be known to be invalid and flagged when the document was used to travel to America, there was no effective real-time way for border agents in, say, France, to know whether the American passport presented to them had been invalidated because it was stolen. If it carried a valid expiration date and looked authentic, it was accepted.

After September 11, however, the threat of terrorism and an effort to stem illegal travel pushed the West to move forward with the creation of a large scale database of lost and stolen travel documents. Today, that database is housed at Interpol, which accepts reports of lost travel documents from 166 countries. As of late 2013, more than 39 million invalid travel documents were in the data base.

But that, of course, does not answer the problem completely. Two issues remain and are answered with varying degrees of success across the globe. The first is the speed and completeness with which countries report stolen documents to Interpol. When a citizen reports missing documentation to his own embassy, it takes time for that information to get passed along to Interpol.

The second problem, which is of greater concern, is that many countries continue to lack a real-time live connection to the Interpol database. It does little good to know that a document that is presented has been stolen if that information isn’t provided in a timely manner. That’s why most Western countries have live, real-time links to the Interpol database and check passport validity at the time of presentation.  When a visiting Frenchman, say, arrives at Dulles, one of the checks that is done is a query to Interpol about the validity of his passport.  But not all countries have that capability – in fact, a majority of them still do not.

It is too early to tell if any of this matters in the Malaysian tragedy.  It may be that the two individuals who boarded the plane are just as much victims of an accident as everyone else, with the doubly unlucky circumstance that because they were traveling on false documents their identities will remain unknown to their family and friends, who will be left to wonder.  It may also be that Malaysia’s system of passport controls operated well, but the stolen passports were not in the Interpol database.

On the other hand, it may be that the flaw was in Malaysia’s lack of a good real-time capability to check the Interpol database. And, it turn, it may be that the two holders of the false passports were malicious actors who played a role in the crash.  At this point, we don’t know – but what we do know is that lost and stolen passports remain a significant vulnerability around the globe – and that we should redouble our efforts to close that gap in our security.