Slashdot Mirror
What's On Your Hotel Keycard
Lam1969 writes "From Robert Mitchell's blog on Computerworld: '... Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what's on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information - and in unencrypted form.' " Update: 09/20 19:10 GMT by J : Snopes, as of two months ago, says this is false.
You would think that actually using the reader would be illegal
:P
And they DO erase them after you check out, don't they? It could be a precaution telling you not to lose it
You always keep your keycards, and you always destroy them. I've yet to have an issue with a hotel wanting it back.
Well, that, and I completely forget about it, heh. I have an inch tall pile of them at home, I've been meaning to get a card reader and take a look at some, heh.
HitScan
The fact that he read his own information off of the card has to be a DMCA violation - he should get a lawywer now.
Sig? We don't need no stinking sig....
- It certainly would be nice for the hotel to tell you what they put on the card
- They should tell you to report your credit card as stolen if you lose your key card.
- They should securely erase or destroy key cards when you check out
I generally trust the hotel staff with my credit card number, and I generally acknoledge that there is info about me on the magnetic stripes in my wallet. Is this anything to get upset about?What the world really needs is the ability for you to buy stuff using your hotel room key. Because it is not easy enough to spend money currently.
If these hotels are putting credit card and other personal info on the room key unencrypted, how else might they be mis-handling your personal information?
This is bad.
Avoid Missing Ball for High Score
http://www.snopes.com/crime/warnings/hotelkey.asp Who is right?
Let's see what the card says: "Housekeeping Notes: Customer uses excessive amounts of Kleenex on overnight stays ..."
HEY!!!
To be safe, the next time you check out of a hotel take your access card with you and shred it when you get home, Wallace advises.
Last summer while vacationing in Kentucky I stayed at a Holiday Inn Express, and had to turn in my cards at check out. Mind you, I don't stay in hotels very often (perhaps a dozen times in my lifetime, and 3 since graduating high school)...but do most hotels allow you to keep the access cards?
I wonder how much of that data is necessary for the card to work. Perhaps you could get a magstripe writer, scan the card, and re-write only what needs to be there to get the door to open.
Sidenote:
Fun with cards -- Use a reader/writer to exchange the data on different cards. (E.g., swap your gas station card with a retail store card. It's kind of like paying for fast food with $2 bills.)
bytesmythe
Hypocrisy is the resin that holds the plywood of society together.
-- Scott Meyer
Remember to keep valuables in the in-room safe. Lest your buddy's dawn wanderings around Atlantic City lead him and a cheap hooker back to your shared room. Cash in your wallet could prove valuable for any sort of "service upgrades" and I didn't have to lose my keycard to be $60 poorer.
Small potatoes make the steak look bigger.
My college residence uses keycards for their dorm doors.. I have about 30 sitting in my closet.. wonder if I should return them or destory them
Why do they even have that information on the card in the first place? The card is just to open your door, isn't it? It seems all it should need is some password that the door lock will recognize. It's not like the door charges your credit card, after all.
Stop! Dremel time!
Why would the Hotel need to put straight Credit Card information onto the card? This doesnt make any sense. Why wouldnt they just use some sort of key to tie your swipe card to your account on their system. This way if you DO lose your card and it isn't cancelled in time someone who decides to use it can only use it within the Hotel where it can then easily be tracked.
GL HF!
The Walt Disney World resort in Florida has a rather all-encompassing keycard system. Not only is it your hotel room key, but its also your pass into the theme parks as well. In the parks, you can use it to get Fast-Pass tickets, and the system keeps track to prevent you from having more than one at a time. At the stores and resturants you can charge any purchases to it and they will show up on your bill at checkout. They can even ship the gifts straight to your hotel room by pulling that info off the card as well.
I'd love to see what kind of data is on one of those.
May you be touched by His Noodly Appendage. RAmen.
The CC# is on you CC magstripe too, worse even, it's _written_ on your CreditCard.
My goodness !
Wrong. Snopes says that while it's true the information is on the card, there is no significant trend relating this to criminal activity.
Apparently the fundamentalist Christians are moderators today.
Your name and credit card are ludicrously easy to get anyway - snooping them off a hotel keycard is one of the harder way I can think of to steal them.
I've worked in a number of hotels for the past seven years- and all of them used electronic key systems, either the card type, or an electronic microchip key.
In EVERY case, the key system is a seperate box not tied into the main computer, and only contains your room number, and length of your stay. The device is ONLY a key coder - it does not tie-in to the main network or the hotel's database in any way.
This story is spreading FUD, do we really need more of that going around?
-Julius X
remove "-whatkindofspamdoyoutakemefor-" from email to send
I want one, where can I order it from?
You say things that offend me and I can deal with it. Can you?
Maybe I'm just a skeptic, but I'd really enjoy to see some sort of facts, or even a sentence or two about what sorts of places he actually tested, and what % of them came back with discernable information. The fact that he found it in 3 chains hardly means that things are worth panicing about.
Granted, I've never checked, but I'd find it hard to believe that the large national chains (Marriott, Hilton, Accor, etc.) put your credit card number on your room key, and nobody has made a giant fuss about it yet. Guess it's time to go check my latest Courtyard key and see for myself.
I have a magnetic Money clip I use. If I put a hotel keycard even in the same pocket it wipes it completely. Whereas my credit card has never been a problem. Hotel cards use a different technology that is more easily wipable than standard credit cards.
TODO create witty sig.
Do you know of a source for a magnetic strip writer for less than $1,000?
That something he keeps in his wallet with his driver's license and credit cards has his personal info and credit card number on it?
C-R-Y-B-A-B-Y.
People just love to invent stuff to complain about.
... when the data includes the movies I rented from Spanktravision.
You can have my credit card number, as long as you don't know that last night I watched Asian Prison Nurses 5.
I have to admit, I'm a little suspicious. I've heard this story before and it was labeled false. Add to the situation that the author "declined to name specific hotels" and it only adds to my doubts. Why not name names???
Instead of using a hotel keycard, they should code the lock to allow you to open your door with your own credit card. That's something you're far more likely to take good care of, and then you don't have to worry about duplicates of that information floating around.
When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
I don't see the point in putting all that information on the card in the first place. All the card has to do is match the embedded code with the code the door is programmed to accept. Why bother with anything else?
A metal key doesn't need all that extra information, and is somewhat harder to duplicate. By that I mean all you need is a card reader/writer and a blank card. The card doesn't need to be a specific shape, they are all pretty generic, aren't they? A metal key in comparison is secured not only in the teeth cut into the key but also the grooves on the side of the key.
Any enlightening thoughts?
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
It mentions in the article that the info on a Disney resort's card is garbled.
Check it out, maybe take this story with a grain of NaCl Hoax
This is a dupe. A pretty old one too.
/. readers to search the old stuff to make sure they're not posting something already discussed, but is this also something the editors aren't willing to do?
I know it's too much to expect
Don't become a regular here, you will become retarded. -- Yoda the Retard
...What right does the lay public have to know what information is on their own magnetic stripes? It just causes trouble! Now all the bad guys will know about these hotel-card stripes.
----> Note: IRONY ----
"How to Do Nothing," kids activities, back in print!
you can get one from all electronics corp for 1.50 yes one dollar and FIF-tee cents all electronics reader then use stripesnoop (.sf.net) and you can figureout how to hook them up to a gameport/whatever on their forum check their forum
They seem to be more than $39...
I'll turn into a supernova and burn up everything. Well I'll turn into a black little hole and you'll turn into string.
Is there any website or webpage describing what you need to buy, what software you need, to read cards? Are card readers able to write to the cards as well?
**FREE** Track and view your phone's via CellID and/or WIFI and/or GPS
I know a lot of people (including myself, until now) simply assumed the card had some magick code on it that opened the door, and once they checked out, the code stopped working, so key cards got:
1) left in the room when you walked out. There's probably a box on the cleaning carts where they get chucked. Highly insecure.
2) left in the rental car or wherever. You're done with it and presumably it has no information relevant to you.
3) idly thrown away (probably the most secure, provided its a sufficiently yucky trash can)
4) Taped to office doors or cube walls to make a "gee, I travel a lot" mosaic.
The idea that they're somehow secure because they MIGHT get stored and reused seems laughable.
This looks like a hoax accroding to snopes: http://www.snopes.com/crime/warnings/hotelkey.asp
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Sure it's possible to put any kind of data you want on a magnetic strip, but you might as well worry the hotel is printing your PII data on sheets of paper and tossing them out the back windows. What possibly reason would they have to put info like that on the keycard??
I'm not buying this story, not even a little.
Your local retail store, obviously.
p e+card+reader&scoring=p
Or use a damn search engine: http://froogle.google.com/froogle?q=magnetic+stri
If the key has your room number and length of stay, then my lost & found room key plus a $39 magnetic stripe card reader equals a stolen laptop, right?
They don't/didn't write your name and credit card number on actual keys, why key cards?
Good god, what a gross display of stupidity this is. I'd love a list of which hotels do this.
This article has recently been linked from Slashdot. Please keep an eye on the page history for errors or vandalism.
And then someone accidently puts their credit card (which you often need to check out) on that pad and it then it gets wiped and then they sue, for inconvenience or embarrassment because they went to dinner and then they found out their card was erased and couldn't pay.
Just because it CAN be done, doesn't mean it should!
You always keep your keycards, and you always destroy them.
What for? If I return it to the desk, assume there's a possibility that desk clerk can read my personal data off of it. Why wouldn't that desk clerk just read it off the computer, or copy it when I give it at check-in?
I'm sure it is just a matter of time before this plot angle shows up in an episode of Law and Order. Other urban myths have been incorporated into that series in past scripts (i.e., kidney harvesting).
"Rocky Rococo, at your cervix!"
When a metal key is lost (which happens quite a bit) they have to rekey the door. Expensive.
When a criminal/cheapskate makes a copy of a metal key, nobody knows. Dangerous.
With the cards, you can make a copy of a card but it will only work until they reset the door. When you check out.
If you don't check out on time, your key stops working.
So, the cards are more secure and cheaper than metal keys.
I do get a nostalgic rush when given a "real" key though. The "Dude Rancher" in billings, montana gave me a metal key and I loved that place.
The brandin' iron design carpet might have had something to do with that though!
Man, you really need that seminar!
This is why I'll almost never pay for anything with my ATM card. The less I use my ATM card, the less chance there is my PIN will get out into the public domain. Once my PIN is out there the "protection" found with my credit card is gone.
part of me says who cares - quit inventing things to get upset over. then part of me thinks wait a second.. if i were in charge of deploying a card system that held sensitive information at any given point in time i would have at least implemented some sort of encryption - it's just logical. i mean, yeah, the liklihood someone's going to come in behind you, get your recent card and read off your personal info for malicious use is pretty slim but it is still another avenue to be utilized. raising the feasability raises the frequency.
Here's the link: http://www.snopes.com/crime/warnings/hotelkey.asp
I am not a crackpot.
Thanks you made me laugh with this article.
http://www.snopes.com/crime/warnings/hotelkey.asp
The key cards at hotels don't hold anything but the room number and number of nights it needs to work.
Hay since I can check out in the mornings using the television does that mean the TV holds all my CC info too?
Read up and use some common sense before posting an article. kthx bye.
Ave Molech Setting
Yes, I keep my hotel cards after I've checked out and destroy them in a vat of acid, burning the acid vat afterwards, then burrying the chard remains in 9 foot hole to be safe.
Nothing costs nothing
They don't erase them! They're disposable! They go into the trash where any identity thief can load up! Not to mention people lose their keys all the time. You see them left all over the place in Vegas.
1. Article is about a hotel that DOES this. Therefore, we're talking about it happening.
2. Snopes article has been revised a few times over the last several years. So, some of the information is older than other parts of the information.
3. "One of the difficulties in dealing with crime-related warnings is trying to distinguish between common occurrences to which the average person is likely to fall victim, and circumstances which are possible but have rarely (or never) played out in real life." from the Snopes article.
4. The Snopes article quotes a security expert who tested 6 cards at a security conference. 3 contained personal information, including one with a credit card number.
My experience at Walt Disney World is that the room key can be used in a credit card swiper and charges the card used to reserve the room. I still have this key card. If I ever get a stripe reader, I'll check.
The point of the Snopes article isn't that you will never find a CC number on a key card. The point is that they are not aware of this as an ACTUAL security threat. There's no reason that can't change in the near future, of course.
"What's On Your Hotel Keycard"
My hotel keycard has the little logo graphic of the hotel on the front of it and a memory storage device on the back. There's also a small mustard stain on it. What kind of data is stored within the memory on the card is an entirely different thing.
To quote George Carlin:
"About this time, they'll be telling you, 'Get on the plane. Get on the plane.' Well I say fuck you, I'm getting IN the plane. Let Evel Knievel get ON the plane. I'll be inside with the folks in uniform."
They passed this around work last week, can't believe ppl are buying this:
http://www.snopes.com/crime/warnings/hotelkey.asp
bad_outlook
--
Is this vague enough for you?
I've never, ever seen the hotel staff erase the cards. I have however, had hotel staff give me a card that had just been given back to them by a guest checking out. 2 passes thru the magstripe writer and it was mine, not the previous guests. All one would have to do is swipe a few cards out of the totally unsecured and easily accessable SHOEBOX on the counter. If I knew which chains did the CC#/name/address I'm sure I could abscond with enough data to cause real trouble for people. It's amazingly easy.
Thankfully, my credit card companies are extremely vigilant with my card activity. I have them well trained, and they've caught things that were nefarious within minutes of them happening. Big ups to Universal/Citi.They've saved my ass a few times.
This is not a sig. this is a duck. quack.
I am glad it doesnt list what movies I ordered!
2600 has a good article on doing this.
You mean that this guy was carrying around his credit card number and name in an UNENCRYPTED form in his wallet? That's OUTRAGEOUS! Obviously, his credit card and driver's license, which had his name and credit card number in that same wallet, were encrypted!
Oh, wait... they weren't? Well, then. That's a bit different.
steve
Oh, you're not stuck, you're just unable to let go of the onion rings.
Thats a lot of ifs.
A) If the keycards have the room # encoded on them, they shouldn't. It is a risk.
B) However, crime = means + motive + opportunity. The value of a laptop is motive enough. A room # on a lost key would be means enough. But the likelihood of a thief, ready with a card reader, where and when you accidentally loose your card is low. Much easier for a thief to go to the front desk and say they are staying in room #3074 and need an extra key.
--Barry
There is only one thing worse than subtle bugs and design flaws: deliberate stupidity!
They do for sure dayly/weekly backups and password changes.
They use firewalls, anti-virus, anti-spywares and VPNs.
But you can bet there is none in that company that understand why. (Please read my 17 years old signature!)
Maybe Computers will never be as intelligent as Humans.
For sure they won't ever become so stupid. [VR-1988]
Most places you stay do not charge you if you keep the card. Make sure you won't be charged, keep the card, and go home and shred it. You have a shredder, right? I'm sure snopes is right, but an ounce of paranoia is worth a pound of identity theft.
This is a hoax, great job doing research you your stories, see here: http://www.snopes.com/crime/warnings/hotelkey.asp
Even if this is true, you should be more concerned about the employees that take your credit card at stores and hotels rather then the hotel key. While not common, and definetly not a "smart" crime to commit, a friend of mine fell victim to a simple case of a store employee taking his credit card information, address and other personal information then ordering a bunch of stuff online. The guy was caught quickly, but it took a few months before the credit card company reversed the charges.
Someone should never have your credit card longer then it takes to swipe it into an electronic device and hand it back. I REFUSE to buy anything on credit card if they use the old carbon paper impression machines. I also try not to get into a situation where I have to recite my credit card information over the phone (like hotel reservations). They honestly don't need to know your credit number until you arrive to pay for the room, if they do, use a different hotel chain. But I am still dismayed that many electronic cash systems print your full credit card number on receipts or list them on screen that any morally ambiguous staff can easily see. If they have access to your address or personal information, it is easy for them to go on most online sites and order stuff on your expense.
Anyways, this does sound like one of them office "I thought you should know" warnings, like urban myths, about how someone somewhere do things that should be obvious not to do, or warn against things that most people don't understand about in the first place.
I haven't thought of anything clever to put here, but then again most of you haven't either.
From "Pretty Woman": "I miss keys" - Richard Gere's character
Hotel Card Keys
by Robert Mitchell on Tuesday, September 20th, 2005 @ 09:00AM
www.computerworld.com
"Regarding the hotel key information on Computerworld's Web site, that was indeed an observation in my blog and not a reported story. It's a snippet of information gleaned while talking to Wallace for another topic. Often during reporting interesting asides come up and my blog is a good place to drop those snippets from time to time. I have no reason to think that Wallace would make any of this up. It was simply a side comment he made. Wallace won't say which hotels, but it wouldn't surprise me to find out that a few smaller chains have this problem. But one doesn't have to take his word for it. There's an easy way to find out if he's right, isn't there?"
Mitchell at Techdirt
My existing lock system only encodes the check-in date, the check out date, the number of keys (1 of 2, 2 of 2) and a sequence number.
On the date of check out the key will stop working at 3:00 PM. If you check out early, your key will continue to work until 3:00 PM on your check out date. But if I check someone else into the room and create them a new key, when they open the door, they will advance the sequence register on the door lock and all prior keys will stop working.
My system has the ability to but the guests name on the card but in order to do this the card must be made directly by the key system. This only happens when I make master keys for employees. Guest keys are processed through an interface between my Front Office system and the key system. As a result no name is transmitted and when I read the key it will list the guest name as Guest.
what's the best card reader to buy?
sounds nice: USB interface to Excel upload... cool.
https://www.accountkiller.com/removal-requested
Dude, if you loose your room key then who ever finds it can open up the room, even without a mag stripe reader -- WTF were you born that stupid or just read slashdot too much ?
This is the depth to which ComputerWorld has sunk? When did they do away with the assumption that their target readership has already seen a computer? Ooooh, garbled numbers and letters! Whatever could that be?
Have fun: Join D.N.A. (National Dyslexics Association)
No hotel encodes payment info....Just room number and length of stay! This story is nothing more than a lie. It makes it hard for people who really believe in privacy etc....when this stuff is out there. Makes everyone look foolish and makes it harder to argue when people on the otherside can just point and say privacy advocates are nothing but liars!!
yup, stupid to have room # encoded on them. i am not sure hotels are that stupid.
An internet myth: Snopes
If the key has your room number and length of stay, then my lost & found room key plus a $39 magnetic stripe card reader equals a stolen laptop, right?
I don't think the room number is stored on the card. In fact, I don't think any information on the card itself is changed at all.
I worked in a computer lab in college that had a card-swipe reader to let the students in. They used their student ID cards, which were only coded with a 9-digit ID number. Every semester, we were given a list of the new students in the department and their ID numbers, and we programmed them into the door lock (over a serial connection, actually... we had to bring a laptop to the door and plug it in).
It seems to me that in the case of the hotel, programming the room number and swiping the card at the front desk just sends the card's serial number to the server, which contacts the correct door and says "admit this serial number until date xx/xx". Of course, there would be other serial numbers in the door, specifically for cards issued to security, maid service, etc. I'm not sure if this is done wirelessly or over a wired connection (perhaps through the hinge of the door?), but that would be the most secure way to do it.
Someone who has experience with hotel door lock systems, please correct me if I'm speculating incorrectly.
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
When does "leaking confidential security info" become a crime with penalties like "breaking but not entering" carries?
--
make install -not war
I believe the parent poster's point was that the person who finds the lost key won't know which door it opens, unless, of course, the hotel is kind enough to include that information on the mag stripe (and said person has a card reader handy).
If I want to look something up, I can ask the customer his keycard, swipe it and check their name (security: you have to show me something - the card - and identify yourself). If a card is misplaced, I can make a new one after verifying the customer is who he/she claims to be. The old card will not function anymore then, the system controlling the locks will not open the lock unless you have a valid keycard.
So, if I want to look up the customers' info (CC# passport# whatever) I can just as easily look it up in the system. All purchases within the hotel are bound to the keycard so you can put something on your tab. But the keycard itself only has the information of the roomnumber, so all other enquiries will automatically go through the front desk.The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
The information is encoded on the key, it's much more cost-effective to do it this way than to try to have "networked" door locks. Although I'd imagine that the information is not the room number but instead the lock id.
If you pay with your credit card in a store, the guy selling you the stuff also sees your name and your credit card number. Well, he even gets a signature from you.
If a fraudulent transaction happens on your card, you get a new one.
No reason to start a rebellion for this.
Unless you had +just+ checked in, most decent hotels won't provide additional keys without verifying the photo ID of a person on the room's folio.
Using a regular card reader I'm pretty confident you could only get one "generation." To get the next one you'd have to use some pretty specialized equipment. And I'm not sure it would be a sure thing either, provided that the information was recorded into the stripe using the same equipment and the same power level.
However if the hotel personnel sometimes used card reader/writer A, which has low power, but occasionally reader B, which has an ever so slightly higher power level, then assuming the last one used was A, you ought to be able to get at least 2 records off of the card, because the last record from B will be buried a little deeper in the strip than the overwrite by A.
Or if you had 3 card reader/writers, each at slightly different power levels, and used them in the right order, you might be able to reconstruct 3 sets of data from the card.
The analogy I'm thinking of is like how (analog) HiFi audio is written to a VHS tape: it's recorded onto the tape underneath the video signal, using a recording head where the flux pattern goes deeper into the recording medium. (It's also separated by virtue of an FM carrier and the azimuth angle of the recording heads, which you wouldn't have on a magnetic stripe card.)
I've read some articles on recovering overwritten information from linear magnetic tape (Nixon tapes, etc.) and it's no easy task. The usual way to do it is to just look for areas of the tape near the edges that weren't saturated by the erase head the second time around. I'm fairly confident in saying that recovery of two sets of data, made by the same reader/writer, would be non-trivial.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Im wondering what the effects of actually re-writing the information on the card might be.
If ANYTHING on there is unencrypted there is room for mischief.
Whats to stop you changing the room number on the card in order to get into the room next door??
Any hotel chain that does this is in violation of the Visa Payment Card Industry Data Security Standard. Notably Sections: 3.4 .."Render sensitive cardholder data unreadable anywhere it is stored (including data on portable media, backup media, in logs...
Requirement 4: Encrypt transmission of cardholder and sensitive information across
public networks.
Requirement 9: Restrict physical access to cardholder data
Any physical access to data or systems that house cardholder data allows the opportunity to access
devices or data, and remove systems or hardcopies, and should be appropriately restricted.
Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data. Additionally, these security requirements apply to all "system components" which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.
Violations of the Visa PCI Security Standard can result in the institution being fined and potentially losing the ability to process future credit card transactions. Fines are generated when an audit of theft of information shows non-compliance by the company. Fines range into the hundreds of thousands of dollars.
The PCI Data Security Standard has been adopted by Visa/Mastercard and in similar forms by Discover and American Express.
I wonder where the PCI auditors are with checking for this.
Anyone who wants to catch up on the Visa PCI Data Security Standard can do so here: http://usa.visa.com/business/accepting_visa/ops_ri sk_management/cisp.html
According to this almost 2 year old report (http://hasbrouck.org/blog/archives/000038.html), this concern may have been unwarranted.
* * *
About 25 years ago, at a computer show, I swiped my credit card on a reader hooked to a terminal. To my surprise, the PIN was right there, on the screen.
Nevertheless, I immediately yanked the power cord off the terminal, pissing-off the booth attendents...
It's sort of odd, that at first there was this urban myth saying you needed to worry, and then Snopes "debunked" it, and now we have good evidence from a person who actually took a card reader and checked some cards (as opposed to Snopes, who just called Doubletree, apparently), saying that the original hoax actually was on to something, after all.
None of this changes the Slashdot article at all, assuming that we trust the author to not be fabricating his results with the card reader completely (and I have no reason to believe that).
I think instead we just have a case where reality imitated art a little too closely -- the art in this case being that hoax, and reality being the stuff the hotels are putting on your card.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
or "Yet Another Urban Legend" as you can check out here
The information is encoded on the key, it's much more cost-effective to do it this way than to try to have "networked" door locks. Although I'd imagine that the information is not the room number but instead the lock id.
Ahh, that would make sense, as long as the lock IDs did not correlate with the room numbers in any predictable way. Thanks for clarifying that.
For security, the MD5 hash of this message and sig is 09f911029d74e35bd84156c5635688c0.
Grr...why do people never actually read the snopes discussion and just blindly rely on the 'true/false' distinction. Often that is quite misleading.
If you read the snopes discussion it says that some hotels might do this but they have recieved no evidence this is true. Well this sounds like some evidence to me.
Basically snopes is responding to an over-sensationalized urban legend not taking a position that this is somehow impossible. While they do offer the analysis that they see no reason why the hotel would put personal information on the cards things have changed since then.
As one poster commented on the article it is quite likely that the hotels want to enable purchases with your key cards but don't have a fully integrated IT solution which can access the card database.
Just because some rumor was false once doesn't mean it can't become true!
If you liked this thought maybe you would find my blog nice too:
I work for a company that provides main hotel reception/reservation systems. When a guest checks in we can interface with the key encoder, sending it guest name, length of stay, room number etc, so that all the receptionist has to do is put a fresh key in the encoder. I don't know of any key cutting interface specs that require a CC number, but I imagine if there were we would point-blank refuse to send it.
I happen to work in IT at "a major hotel company", and I call B.S. Key cards never have, and never will contain your credit card number. There is simply no valid technical reason that they ever should. In fact, some key system vendors use proprietary encoding on the mag stripes, so you can't even read the key with a normal swipe reader. This whole story is complete BS!!
After all, the card contains magnetically encoded data. By reading the card, you are breaking the encoding to acquire proprietary business data. You are thus committing a felony. By owning the reader, you are in possession of an instrument of felony, like carrying around a crowbar or a crack pipe. You, sir, by implying that there is no crime committed, are aiding and abetting criminal activities, itself a crime. Please report to your nearest Department of Love education center for processing.
Not that there may (or may not) be personal info unencrypted on the card, but how easy would it be to write a magnetic strip that would get you into a room? If all it takes is a track with the room number, and 'key valid' dates which fall either side of today, then there is a bigger problem.
I just thought that I'd point out that most of the major cruise lines do this on-ship also. When you book the ticket or check in, you choose a credit card to 'associate' with your room account.
Then during the course of the whole vacation, you don't use cash or your credit card at all (except to leave tips for the crew, and the last time I went on one they had even come up with a way to charge those). Food, wine, bar tabs, even gambling in the casino all go onto your room charge. Then when you check out you sign one big-ass honking receipt for the whole bill, and it gets dumped onto your credit card.
The cards that they use on cruise ships though are not the reusable variety in hotels: they have a magnetic stripe but are also printed on the front side with your name, ship name and arrival and departure dates, and often your photo. So they're not reused afterwards.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
...you carry a tape degausser when travelling!
-- often wrong; never in doubt
When I recently locked myself out of a hotel room, the hotel staff gave me a new card. The old card didn't work anymore after that (the hotel staff confirmed that only one card can work at a time). Either inserting the new card disables any old cards, or the doors are actually networked. In the latter case, it has to be some wireless protocol, since I couldn't find any cables leading to the door (I don't find it very likely that the hinges serve a double role as electrical conductors).
Avantslash: low-bandwidth mobile slashdot.
http://www.interesting-people.org/archives/interes ting-people/200310/msg00221.html
"...the cards are encoded at check-in with a very large, randomly generated code that is associated on the main database with the guest record and the room(s) to which they are assigned. No information about the customer is placed on the card."
"From a design standpoint, there is no reason to encode personal data on a card like this. Such data is useless to the purpose of the card-- the card is simply a key that expires once the guest has checked out. All of the systems with which we have associated keep personal guest information in the database. This gives the hotel chain the benefit of not worrying about the
card when it's not under their control."
At any nice place can one still you pay in cash, upfront, and not even use a credit card at all, even for deposit purposes?
arent you supposed to return them upon checkout?
the hotel then reencodes them for the next customer.
what would you do with these keys anyways? (besides destroy them?)
this sig has been discontinued.
Just give me a damn card that opens the freakin door. Last hotel visit, I had to visit the front desk 3x just to get a card that would open the door. Desk clerk was incredulous. Obviously I was some hick from the sticks. Security escorted me to the room the 3rd time to "show" me how it worked. Didn't work for her either.
Call me a Luddite, but I miss the old key system.
Actually, I've had to get extra keys at hotels several times (usually when guests arrive late), and if they can say the name and room number of the guy who checked in originally they can almost always get another key without hassle. In fact, they SHOULD hassle the other guy more because when he uses his key it invalidates all of the other keys, forcing him to distribute the new keys to everyone else in the room or (more often) make us all go down to the front desk and get a whole new set of keys.
Frankly, I'm shocked that the keys had that much information on them (assuming this story is true), the only thing they need is the encrypted key and perhaps a sequence number that the lock compares against its internal key. I suppose a check-out time is a good idea as well so people can't mooch off of presumably vacant hotel rooms--although that will be a hassle if someone tries to extend their say. One of the other posters mentioned that it can be used to check for room service as well, but it seems to me that a check in the kitchen would be better than one that you won't spot until the food is at the door. How do you read it? By sticking a special card in the door and checking the lights? It might be tempting to put the room number on the door so the wait staff can return lost keys, but the keys are so cheap (and may be out of date by the time the wait staff finds it) that I can't imagine this being worth the danger.
I read the internet for the articles.
. Article is about a hotel that DOES this. Therefore, we're talking about it happening.
This is an article about somebody who *claims* to have seen it, but has no proof and won't even name the hotel chains. Therefore, we're talking about it *possibly* happening.
The new card disables the old card. The new card can also be programmed with the earliest date and time at which it will be accepted by the lock. The old card will not be disabled if use of the new card is attempted prior to the new card's enable time.
Another neat thing is that the lock stores key usage information, a reader device (a keycard interface to a handheld device) can be used to recall this information. This allows the hotel to find out definitively what key was used to gain entry to a room and at what time this occurred.
I don't buy this at all. Typically when you're card is swiped, the CC# is not stored in the vendor's computer. It is sent directly to the CC processor for authorization and an auth# is returned. This auth# is what the CC company uses to resolve the charges at a later date. This system was designed so that merchants would not have access to customers CC# after the purchase. Therefore, the hotel would not even have the actual CC# to be imprinted on the room key.
There is a fraud scheme where a retail clerk has a hidden card reader and scans your card with his card reader and then with the store's card reader. They then go home and hook it up to a PC and voila, they have your CC# and name. They have to do this because the store DOES NOT record your CC# it it's computer system.
They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety.
They later quoted a reader who said
Near the end, they mentioned that during a security conference, a number of people had their hotel keys scanned, and only one showed up with a credit card number, but it could have been from a single hotel, and very likely was not a large chain.
Despite Snopes' insistence on making the site look like a personal home page ca 1995, it continues to provide useful information.
Insert simplistic political, ideological, or personal proselytization here.
I have a credit card reader as well, and occassionally amuse myself by running all the cards in my wallet through it. I was surprised to find that not one but ALL of my credit cards have both my name and credit card number in the magnetic stripe on the back in unencrypted form! If I lost one of these cards, someone with a card reader could easily retrieve all my information and go on a geek shopping spree. I guess we just can't lose our hotel keys or credit cards anymore...
(this is offended to the end of comments you post, 120 chars)
There is a way to add a guest onto the room without it invalidating the previously issued cards for that room. However, it seems like all front desk staff have a hard time remembering that the sequence for adding a guest to the room is (like, one keypress) different for the one that replaces the current set of guests. The guest stay can be extended as well.
Really. Despite the fact that this has already been identified as a probable urban legend by Snopes, I ask everyone on this site to think of this like an engineer.
Think about this. You're designing an electronic key-card system for a hotel. In order to do this you have to deal with lobby-monkeys who only occasionally swipe the card correctly through the machine when the customer's checking in. These cards are going to get shoved in pockets, scratched and generally abused.
Now, as an engineer are you going to create a solution that (a) writes to the magnetic strip for every person who checks into the hotel, running the risk that the card runs through skewed or otherwise renders the information unusable, or (b) are you going to assign each card a unique ID number similar to a credit card number that's permanently printed on the card repeatedly across the magnetic strip.
Talk amongst yourselves, but think about the fact that a mag-stripe WRITER costs more than a mag-stripe READER. If you control the locks from a central computer which only has to recognize that card (a) opens door (z), then how are you going to engineer that system for optimum efficiency and lowest cost?
While I don't doubt some droid might consider it a nice idea to have all the customer's info on the card, it doesn't make an awful lot of sense from an engineering perspective now, does it?
And yes, I've worked on hotel key card systems, and no I've never seen one that writes the cards in any way shape or form on check in.
is if all this information is supposedly on the keycard, and unencrypted, that means you could get the room code information straight and break in to the room. It seems like if they should encrypt anything it would be that. Let alone not putting your CC info on the card to begin with.
How is the lock powered ?
Here are sites detailing this myth...
t m
h tml
s .asp?HName=Hotel+Key+Card+Hoax&Page=4
http://www.truthorfiction.com/rumors/k/keycards.h
http://www.breakthechain.org/exclusives/keycards.
http://www.trendmicro.com/vinfo/hoaxes/hoaxDetail
I'm surprised this one passed thru Slashdot's editorial staff.
"If it's got a switch... it's my bitch!!"
Whether people actually store sensitive info on keycards or not, it's just very simple to take them with you, and destroy them when you're done, by cutting up the card, which includes cutting the magnetic strip.
Yeah! I hate the RIAA too, and I can't believe that they are... oops. Sorry. I thought all Slashdot stories were now required to be about some RIAA thing or other.
I LOVE the guy's comment at the very end:
He admits to even having considered taking a shredder with him on some trips. "The thought has crossed my mind. I'm a paranoid S.O.B. because I know the tricks that are out there," he says.
You gotta respect a guy who refers to himself as a "paranoid S.O.B."
I couldn't tell if you were experimenting with poor-man's cryogenics or looking for the orange sherbet.
Just nuke the card...
Really? I've never been in a hotel where they could do that without invalidating all of the other keys. I'd assumed it was part of the technology and done that way for security purposes.
In theory the basic system is very simple. Each door has a reader with a cryptographic key that is hashed together with a counter. The programmer at the front desk has all of the cryptographic keys in it as well, along with a set of counters that keep it in sync with the doors. Whenever a key is inserted, the door just has to check if it matches the current key (someone returning to their room) or the next key (someone entering the room for the first time). If it's the next key, the internal counter is updated. Theoretically, there is no reason the card programmer couldn't make an extra key (just don't update the internal count) but they either don't work that way or the front desk staff never read the manual.
I read the internet for the articles.
The front desk staff never read the manual.
Although this is undoubtedly a hoax, let's pretend these key cards did have unencrypted credit card information on them. As you've described, the clerks have access to the CC info anyway, so this is a non-issue. Desk Clerks aren't the concern. A CC # theft operation anchored by a hotel desk clerk would be identified immediately by cross-referencing card usage prior to the theft.
The larger threat would be non-employees pilfering cards out of the convenient 'express checkout' drop-boxes. Much more difficult to track down.
Seth
$5 / month hosted VPS on linux = awesome!
I have no doubt in my mind that this is true. My girlfriends dad is an FBI agent and somehow this topic came up one night when we we're sitting around talking.
I often attributed this to exaggeration or showing off, but I think it's much more sinister. After a number of trips with different friends, it's apparent that people don't realize how much they've won or lost.
The common case in poker is a player sits down with $100 in chips. They hit a bad beat or a stupid play early, try to bluff it back, and lose it all. Then they rebuy for another $100. After a rebuy or two, they get some cards, hover between $100-$200 for a few hours, then cash out either "ahead" or "even", depending on when they leave. And they honestly don't remember losing the first couple hundred.
The other great case I see with table games is the player who keeps pushing small bets into Carribean Stud or some other similar jackpot game. After slowly working through $500, they hit a $300 hand and blow their "winnings" in a club. The next morning, they recall their winning night from before.
On a somewhat related note, I've long wondered how an even-odds or player-favored casino would do if they had good enough player tracking to refuse to seat players that didn't shop in their mall, eat at their restaurants, and sleep in their hotel.
This is why I ALWAYS give the hotels fake credit information. That way, I dont have to worry about the room key getting stolen, and having my real credit information read :D
I assume with a battery. It only needs to blink a LED when a card is inserted and power a small electromagnet for a few seconds.
Avantslash: low-bandwidth mobile slashdot.
What I found more disturbing, however, was this passage by the Snopes article author: It never occurred to me that hotels might have a record of every time you opened your door.
If you can read this sig, you're too close.
Only the statement hotels routinely encode this information might be False. Remove "routinely" and it looks like it does happen in enough circumstances to warrent due care on all our parts.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
I work in a hotel. The only thing that goes on a Guests key card is the room #, # of keys, a timestamp, a checkout date, and maybe a oneshot flag if the guest wants a preview of the room.
now for houskeeping and master cards i can also change the amount of time the door stays unlocked and a few other need tricks but its unlikly i'll be giving them to you when you check in.
FWIW: Almost all small to medium sized hotel properties that I know about use this system...
More larger (and more expensive properties) often use the more expensive PC based version...
The main competitors to onity are vingcard, saflok and kaba-ilco, but I'm pretty sure that onity has the lion's share of the market...
I'm bringing my own towel to hotels from now on.
I read Usenet for the articles.
That is not true at all! I own two card readers that I use for my business. Its perfectly legal. Just because you own a card reader does not mean you break the law. Also, reading your magnetic info on a hotel card is Legal. it is Your information. You are not using the info to commit fraud or any crime. Making information illegal is not the answer to crime. this would truly be censorship in a big way.
And she said that they don't.
Luddite. :)
I mod everyone down who says "I'll get modded down for this." I hate to disappoint.
They also put kiddie porn and a terrorist plot on the card in case the FBI needs to arrest you.
...is that the article was posted yesterday. Is Computerworld really posting blatantly false information? I realize that it was in a blog, but that's no excuse for fear-mongering by a regular contributor (he's a featured blogger there and also contributes to the non-blog section of the site). Shouldn't any self-respecting editor consider firing a journlist who posts a false (at least nowadays) story without checking his sources.
I wouldn't be so worried about someone finding a card that may or may not have credit card information on it. If you destroy the card yourself, you have nothing to worry about.
What would worry me is if I lost my card and someone grabbed it, went up to the counter to check me out so they could get my folio and guest registration (and imprint). Now they got my CC, CV2, Drivers Liscence number, Home address and porn preferences.
The big danger isn't what's on the card, it's that the average hotel clerk will trust you are who you say you are if you come up to them with your card and say you want to check out. Oh, and by the way, you want the imprint and guest registration card for security, you don't feel comfortable leaving it behind.
- The Google Toolbar has a spell checker button AND it works, consider that before hitting submit next time k?
I've been working in hotels in australia and london, the only thing I know that goes on these cards is enabling them to open the room door, but come to think of it, my security card i used to get around had my name encoded on it, but that was it, hmmm.....
Probably one of the first times I've been able to comment on /. about MY field - the manufacture of plastic cards. As a former owner of one of the USA's leading suppliers of magnetic stripe cards (hotels, casinos, universities, etc.) I can say 100% that this story is FALSE!
Magnetic hotel keys only hold a small amount of information on one track of the magnetic stripe. This is typically limited to a code for the lock, the number of days of stay (or exp date), and sometimes the number of keys issued. There is no need for any additional information (nor the liability that would come with it). Any system that is using a keycard to auto-charge to a room is simply doing a database lookup of the account to charge the card on file. The only risk when losing your key is during your stay - someone will randomly find your room or attempt to charge a meal/etc. to your account. Both of these are EXTREMELY rare occurences.
It's been my view that this rumor is a combination of the misunderstanding of how hotel room keys work and the real threat of hotels using magnetic key cards - which is the 'duping' of actual credit card information to the key card. Hotel key cards are commonly used as 'blanks' to copy real credit card data (both tracks) to be used in machines that do not require a signature or teller attendence (gas pumps, etc.). The technology of both mag stripes are identical (albeit made of different materials) - the room keys are simply a 15-year old version of a credit card stripe - and since readers are typically made backwards compatible, they will perform just fine. I used to regularly give demonstrations in our plant using a commonly available mag stripe reader/encoder on how quick a MC/Visa could be copied (about 3 seconds). It's because of the availability of 'blank stock' now that many gas stations now ask for your zip code at the pump or require you to take it inside to show someone. Imagine if toilet paper were made from the same cotton paper our currency is printed on - that's the exact problem the credit card companies have. They can add all the security features they like to the card (and there are MANY), but if there isn't someone validating the card visually, then it is just too easy.
OK, babbled a little off-topic, but I believe it's a combination of these two issues that has cause this 'urban legend'. We also see the same story "if you buy a gift card with a credit card". Again, not true.
If the keycard didn't have the room number encoded on it, then it wouldnt be able to open your room.
It wouldn't make a very good keycard then, would it?
-Julius X
remove "-whatkindofspamdoyoutakemefor-" from email to send
Clearly, that can't be all the card contains. What differentiates a valid card from an expired card? What stops any idiot from generating a valid card? I don't think Alan Feldman has ever looked at the contents of the card's mag stripe. I think his answer is simply an extrapolation from the behavior he's seen from the card - it opens doors, and it lets you charge food if a flag is set.
Now I'll grant that most systems, most of the time, probably don't record any personal info on the card. But I believe the detective who says that a few cards did have personal info over the hospitality executives issuing vague blanket denials.
Thanks. I kind of guessed there was variation in how the systems worked. The snopes articles shows the hotel chains issuing blanket denials, which makes me think they (executives) have no idea what mix of systems they have.
It's quite easy, with a bit of practice, to learn to memorize credit card numbers for a few minutes. It's a fairly common way for credit card numbers to be stolen, in fact. Remember the customer's name and hometown and the phone book can provide his address, phone number, etc. Unscrupulous employees can memorize your card number while you're standing right there, and remember it long enough to write it down where you can't see them.
I remember, about ten years ago, a housemate who worked at a store in a mall talking about the exciting thing that had happened at work that day: the cops arresting an acquaintance who worked in a nearby store. Seems she had been doing exactly that -- memorizing CC numbers -- and was stupid enough to try to use one to pay for a purchase at the store where she worked. She got caught ringing up her own purchase (against store policy) and the jig was up.
Um, did you read the Snopes article?
No, they didn't say it's true. They talked to a number of hotel representatives who said it was not true and never had been, and the only person claiming it had ever been true (but wasn't any more) was someone with the Pasadena police department who apparently didn't even have firsthand knowledge of the matter.
And given how long that scare story has been around, you'd think that if it was true, there would have been numerous examples of that data being exploited. Crooks do things as technically elaborate as putting little scanners over the slots on ATMs, so they'd certainly be taking and using the keycard information if it was there. The fact that while there have been many case of things like ATM-mounted scanners, entire fake online businesses, phishing sites, and various other ways of getting card numbers, but no reports of this happening with a hotel keycard in the years since that email started circulating, gives a lot of support to the contention that it's just another groundless scare story.
I figure that even though it's obviously not necessary to have this information on the card some over zealous, bored or almost out of things to do programmer decided to add everything but the kitchen sink just for the hell of it. He/She might do this with all their programming jobs just to create more job security for themselves. I mean the more information the longer it takes to write and the more there is to go wrong with it in the future. Call it a conspiracy theory if you like, yeah I also figure that auto mechanics break something everytime they fix something just to suck more food out of my childrens mouths, but I'm sure it happens.
Jay Dale "If you're not living on the edge then you're taking up too much space!"