Slashdot Mirror


What's On Your Hotel Keycard

Lam1969 writes "From Robert Mitchell's blog on Computerworld: '... Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what's on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information - and in unencrypted form.' " Update: 09/20 19:10 GMT by J : Snopes, as of two months ago, says this is false.
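The check described in the story, as an added example that is not part of the original post or of Mitchell's blog: given track text already decoded by a reader, flag anything laid out like ISO/IEC 7813 payment data and passing the Luhn checksum. The function names and both sample cards are constructed for illustration.

```python
import re

# ISO/IEC 7813 layouts for decoded track text (start sentinel, PAN, separators).
TRACK1 = re.compile(r"%B(?P<pan>\d{12,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})")
TRACK2 = re.compile(r";(?P<pan>\d{12,19})=(?P<exp>\d{4})")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first 6 / last 4 so a finding can be reported without the full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def audit_tracks(tracks):
    """Return findings for each decoded track that looks like payment card data."""
    findings = []
    for number, text in enumerate(tracks, start=1):
        for kind, pattern in (("track1-format-B", TRACK1), ("track2", TRACK2)):
            m = pattern.search(text)
            if m and luhn_ok(m.group("pan")):
                findings.append({
                    "track": number,
                    "layout": kind,
                    "pan": mask(m.group("pan")),
                    "name_present": "name" in m.groupdict(),
                })
    return findings


# Constructed samples: 4111111111111111 is a well-known test number, not a real account.
LEAKY_CARD = ["%B4111111111111111^DOE/JOHN^2512101000000000?", ";4111111111111111=25121010000000000?", ""]
OPAQUE_CARD = ["", ";0412990731550028=0609?", "9F2C01A7"]

if __name__ == "__main__":
    print(audit_tracks(LEAKY_CARD))
    print(audit_tracks(OPAQUE_CARD))
```

The second sample has the same field layout as a Track 2 record but fails Luhn, so a lock code that merely resembles a card number is not reported.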

20 of 416 comments

  1. Yeah, please make it easier to spend money... by soft_guy · · Score: 2, Insightful

    What the world really needs is the ability for you to buy stuff using your hotel room key. Because it is not easy enough to spend money currently.

    If these hotels are putting credit card and other personal info on the room key unencrypted, how else might they be mis-handling your personal information?

    This is bad.

    --
    Avoid Missing Ball for High Score
    1. Re:Yeah, please make it easier to spend money... by TykeClone · · Score: 2, Insightful

      That's not really using it as the credit card - that's just using it as a method to bill something to your room - like you can do with a meal at almost any hotel.

      --
      A fine is a tax you pay for doing wrong and a tax is a fine you pay for doing all right.
    2. Re:Yeah, please make it easier to spend money... by soft_guy · · Score: 2, Insightful

      Ever been to Disney?

      No. And I don't plan to go - ever. I avoid Disney like the plague which means I miss out on a lot of movies. But I can't stand a company that got where they are by using stories in the public domain, then uses their money and power to eliminate the public domain.

      --
      Avoid Missing Ball for High Score
  2. Re:Illegal? by Anonymous Coward · · Score: 5, Insightful

    Now admittedly this country has gone to hell, but why in the world would you think a card reader would be illegal?

    That is incredibly depressing.

    For the government, and its media cronies to have you in the state of mind where you feel that you should not have access to something like a card reader is sad and pathetic.

  3. Information On Card by Daveznet · · Score: 5, Insightful

    Why would the Hotel need to put straight Credit Card information onto the card? This doesn't make any sense. Why wouldn't they just use some sort of key to tie your swipe card to your account on their system? This way if you DO lose your card and it isn't cancelled in time someone who decides to use it can only use it within the Hotel where it can then easily be tracked.

    --
    GL HF!
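A sketch of the design suggested in the comment above, added here as an example and not part of the original post or any hotel vendor's system: the stripe carries only a random token, and room, expiry and charges live server-side. `KeycardDesk` and all its methods are hypothetical names.

```python
import secrets


class KeycardDesk:
    """Hypothetical front-desk service: the card carries only a random token."""

    def __init__(self):
        # token -> folio; payment details stay in the billing system, never on the card
        self._folios = {}

    def issue(self, room: str, checkout_epoch: float) -> str:
        """Value to encode on the stripe: 128 random bits, no guest data."""
        token = secrets.token_hex(16)
        self._folios[token] = {"room": room, "expires": checkout_epoch, "charges": []}
        return token

    def _lookup(self, token: str, now: float):
        folio = self._folios.get(token)
        if folio is None or now >= folio["expires"]:
            return None  # unknown, revoked, or past checkout
        return folio

    def opens(self, token: str, room: str, now: float) -> bool:
        folio = self._lookup(token, now)
        return folio is not None and folio["room"] == room

    def charge_to_room(self, token: str, item: str, cents: int, now: float) -> bool:
        """Bill the folio; each charge is logged against the token so it can be traced."""
        folio = self._lookup(token, now)
        if folio is None:
            return False
        folio["charges"].append((now, item, cents))
        return True

    def charges(self, token: str):
        return list(self._folios.get(token, {}).get("charges", []))

    def revoke(self, token: str) -> None:
        """Lost card or checkout: the token stops resolving to anything."""
        self._folios.pop(token, None)


def demo():
    """Constructed scenario: issue, use, lose and cancel one card."""
    desk = KeycardDesk()
    card = desk.issue(room="412", checkout_epoch=1000.0)
    used = desk.opens(card, "412", now=10.0) and desk.charge_to_room(card, "minibar", 650, now=20.0)
    desk.revoke(card)
    after_revoke = desk.opens(card, "412", now=30.0) or desk.charge_to_room(card, "bar", 900, now=30.0)
    return len(card), used, after_revoke
```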
  4. What's the problem ? by Anonymous Coward · · Score: 1, Insightful

    The CC# is on your CC magstripe too, worse even, it's _written_ on your CreditCard.

    My goodness !

    1. Re:What's the problem ? by Spy+der+Mann · · Score: 2, Insightful

      Yes, but you carry your creditcard with you, if you lose it you usually report it stolen. But what will happen if your hotel keycard gets lost?

  5. Better idea! by czarangelus · · Score: 3, Insightful

    Instead of using a hotel keycard, they should code the lock to allow you to open your door with your own credit card. That's something you're far more likely to take good care of, and then you don't have to worry about duplicates of that information floating around.

    --
    When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
  6. Re:Really a big deal? by Noksagt · · Score: 2, Insightful

    If a hotel offered to copy my credit card & hand it to my kids or my coworker so they could get into the room, I'd probably decline. Shared credit card account numbers are often unique. They should similarly have unique numbers on hotel keys.

  7. You're kidding, right? by swb · · Score: 5, Insightful

    I know a lot of people (including myself, until now) simply assumed the card had some magick code on it that opened the door, and once they checked out, the code stopped working, so key cards got:

    1) left in the room when you walked out. There's probably a box on the cleaning carts where they get chucked. Highly insecure.

    2) left in the rental car or wherever. You're done with it and presumably it has no information relevant to you.

    3) idly thrown away (probably the most secure, provided it's a sufficiently yucky trash can)

    4) Taped to office doors or cube walls to make a "gee, I travel a lot" mosaic.

    The idea that they're somehow secure because they MIGHT get stored and reused seems laughable.

  8. Re:Why a mag wipe out pad is a bad idea by RLiegh · · Score: 2, Insightful

    There's no reason, however, that the hotel couldn't have a strip like that behind the counter and make it a routine part of check-out for the clerk to use it.

  9. Re:I don't get it by AK+Marc · · Score: 3, Insightful

    As opposed to the employee that can just print out the same information, take home the printout, and go shopping at your expense? Seriously, it may be an additional location where your information is stored, but it isn't anything that the front desk doesn't already have ample access to.

  10. Re:Illegal? by networkBoy · · Score: 2, Insightful

    And in the meantime that hotel employee is reading all of them for data after the guest has left. Since there is no tampering with the computer, there is no audit trail that a guest has been compromised.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  11. Re:Illegal? by Anonymous Coward · · Score: 1, Insightful

    What's he going to read off them? The name and address you gave him when you checked in? The number off the credit card you handed him when you checked in? How do you figure the number got into the computer to be encoded on the card in the first place? It was entered by hotel employees!

  12. Data Recovery by Kadin2048 · · Score: 4, Insightful

    Using a regular card reader I'm pretty confident you could only get one "generation." To get the next one you'd have to use some pretty specialized equipment. And I'm not sure it would be a sure thing either, provided that the information was recorded into the stripe using the same equipment and the same power level.

    However if the hotel personnel sometimes used card reader/writer A, which has low power, but occasionally reader B, which has an ever so slightly higher power level, then assuming the last one used was A, you ought to be able to get at least 2 records off of the card, because the last record from B will be buried a little deeper in the strip than the overwrite by A.

    Or if you had 3 card reader/writers, each at slightly different power levels, and used them in the right order, you might be able to reconstruct 3 sets of data from the card.

    The analogy I'm thinking of is like how (analog) HiFi audio is written to a VHS tape: it's recorded onto the tape underneath the video signal, using a recording head where the flux pattern goes deeper into the recording medium. (It's also separated by virtue of an FM carrier and the azimuth angle of the recording heads, which you wouldn't have on a magnetic stripe card.)

    I've read some articles on recovering overwritten information from linear magnetic tape (Nixon tapes, etc.) and it's no easy task. The usual way to do it is to just look for areas of the tape near the edges that weren't saturated by the erase head the second time around. I'm fairly confident in saying that recovery of two sets of data, made by the same reader/writer, would be non-trivial.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  13. Could be true by logicnazi · · Score: 2, Insightful

    Grr...why do people never actually read the snopes discussion and just blindly rely on the 'true/false' distinction. Often that is quite misleading.

    If you read the snopes discussion it says that some hotels might do this but they have received no evidence this is true. Well this sounds like some evidence to me.

    Basically snopes is responding to an over-sensationalized urban legend not taking a position that this is somehow impossible. While they do offer the analysis that they see no reason why the hotel would put personal information on the cards things have changed since then.

    As one poster commented on the article it is quite likely that the hotels want to enable purchases with your key cards but don't have a fully integrated IT solution which can access the card database.

    Just because some rumor was false once doesn't mean it can't become true!

    --

    If you liked this thought maybe you would find my blog nice too:

  14. Re:I remember this hoax . . . by lxs · · Score: 3, Insightful

    For someone from a community that has a healthy scepticism to all things published both on- and offline, the average slashdot reader appears to have an unshakable faith in snopes.com

  15. Re:$1.50 card reader by nblender · · Score: 2, Insightful

    Great research. Now let us know when you find a 3-track reader so it will actually pertain to the hotel keycards we're talking about.

  16. Re:Ironic: Debunking the Debunking by DerekLyons · · Score: 3, Insightful

    It's sort of odd, that at first there was this urban myth saying you needed to worry, and then Snopes "debunked" it, and now we have good evidence from a person who actually took a card reader and checked some cards (as opposed to Snopes, who just called Doubletree, apparently), saying that the original hoax actually was on to something, after all.

    No, we don't have good evidence - we have a posting on a blog.

    None of this changes the Slashdot article at all, assuming that we trust the author to not be fabricating his results with the card reader completely (and I have no reason to believe that).

    We have no reason to make an assumption either way - that this is a hoax, or that he is telling the truth.

  17. Re:Illegal? by thparker · · Score: 4, Insightful

    Think about it, if your computers went down, and all you had were your customers keycards... they want to be able to bill you no matter what.

    I find this whole article suspect. Just the other day when I checked into a Sheraton, the computer system was down. No reservation data (they had a faxed list from some other location), no swiping of the credit card, nothing. Still, I could get my keycard and get into my room -- because the keycard encoding was part of a completely different system.

    I'm not suggesting that when all systems are online that additional info couldn't be passed to the keycard, but I don't buy it.