Slashdot Mirror
What's On Your Hotel Keycard
Lam1969 writes "From Robert Mitchell's blog on Computerworld: '... Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what's on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information - and in unencrypted form.' " Update: 09/20 19:10 GMT by J : Snopes, as of two months ago, says this is false.
You would think that actually using the reader would be illegal
:P
And they DO erase them after you check out, don't they? It could be a precaution telling you not to lose it
You always keep your keycards, and you always destroy them. I've yet to have an issue with a hotel wanting it back.
The fact that he read his own information off of the card has to be a DMCA violation - he should get a lawywer now.
Sig? We don't need no stinking sig....
- It certainly would be nice for the hotel to tell you what they put on the card
- They should tell you to report your credit card as stolen if you lose your key card.
- They should securely erase or destroy key cards when you check out
I generally trust the hotel staff with my credit card number, and I generally acknoledge that there is info about me on the magnetic stripes in my wallet. Is this anything to get upset about?What the world really needs is the ability for you to buy stuff using your hotel room key. Because it is not easy enough to spend money currently.
If these hotels are putting credit card and other personal info on the room key unencrypted, how else might they be mis-handling your personal information?
This is bad.
Avoid Missing Ball for High Score
http://www.snopes.com/crime/warnings/hotelkey.asp Who is right?
Let's see what the card says: "Housekeeping Notes: Customer uses excessive amounts of Kleenex on overnight stays ..."
HEY!!!
I wonder how much of that data is necessary for the card to work. Perhaps you could get a magstripe writer, scan the card, and re-write only what needs to be there to get the door to open.
Sidenote:
Fun with cards -- Use a reader/writer to exchange the data on different cards. (E.g., swap your gas station card with a retail store card. It's kind of like paying for fast food with $2 bills.)
bytesmythe
Hypocrisy is the resin that holds the plywood of society together.
-- Scott Meyer
Why do they even have that information on the card in the first place? The card is just to open your door, isn't it? It seems all it should need is some password that the door lock will recognize. It's not like the door charges your credit card, after all.
Stop! Dremel time!
Why would the Hotel need to put straight Credit Card information onto the card? This doesnt make any sense. Why wouldnt they just use some sort of key to tie your swipe card to your account on their system. This way if you DO lose your card and it isn't cancelled in time someone who decides to use it can only use it within the Hotel where it can then easily be tracked.
GL HF!
I've worked in a number of hotels for the past seven years- and all of them used electronic key systems, either the card type, or an electronic microchip key.
In EVERY case, the key system is a seperate box not tied into the main computer, and only contains your room number, and length of your stay. The device is ONLY a key coder - it does not tie-in to the main network or the hotel's database in any way.
This story is spreading FUD, do we really need more of that going around?
-Julius X
remove "-whatkindofspamdoyoutakemefor-" from email to send
Maybe I'm just a skeptic, but I'd really enjoy to see some sort of facts, or even a sentence or two about what sorts of places he actually tested, and what % of them came back with discernable information. The fact that he found it in 3 chains hardly means that things are worth panicing about.
Granted, I've never checked, but I'd find it hard to believe that the large national chains (Marriott, Hilton, Accor, etc.) put your credit card number on your room key, and nobody has made a giant fuss about it yet. Guess it's time to go check my latest Courtyard key and see for myself.
Yes, but you carry your creditcard with you, if you lose it you usally report it stolen. But what will happen if your hotel keycard gets lost?
I have a magnetic Money clip I use. If I put a hotel keycard even in the same pocket it wipes it completely. Whereas my credit card has never been a problem. Hotel cards use a different technology that is more easily wipable than standard credit cards.
TODO create witty sig.
I have to admit, I'm a little suspicious. I've heard this story before and it was labeled false. Add to the situation that the author "declined to name specific hotels" and it only adds to my doubts. Why not name names???
Instead of using a hotel keycard, they should code the lock to allow you to open your door with your own credit card. That's something you're far more likely to take good care of, and then you don't have to worry about duplicates of that information floating around.
When a true genius appears, you can know him by this sign: that all the dunces are in a confederacy against him.
you can get one from all electronics corp for 1.50 yes one dollar and FIF-tee cents all electronics reader then use stripesnoop (.sf.net) and you can figureout how to hook them up to a gameport/whatever on their forum check their forum
I know a lot of people (including myself, until now) simply assumed the card had some magick code on it that opened the door, and once they checked out, the code stopped working, so key cards got:
1) left in the room when you walked out. There's probably a box on the cleaning carts where they get chucked. Highly insecure.
2) left in the rental car or wherever. You're done with it and presumably it has no information relevant to you.
3) idly thrown away (probably the most secure, provided its a sufficiently yucky trash can)
4) Taped to office doors or cube walls to make a "gee, I travel a lot" mosaic.
The idea that they're somehow secure because they MIGHT get stored and reused seems laughable.
Let's keep reading, shall we? Snopes ACTUALLY says that none of the hotel chains they contacted put sensitive information on the cards. One reader who works at a hotel said that the only thing that goes on there is the room number, the number of nights in the stay, and the number of keys issued.
I am scientifically inaccurate.
I'm sure it is just a matter of time before this plot angle shows up in an episode of Law and Order. Other urban myths have been incorporated into that series in past scripts (i.e., kidney harvesting).
"Rocky Rococo, at your cervix!"
Here's the link: http://www.snopes.com/crime/warnings/hotelkey.asp
I am not a crackpot.
There's no reason, however, that the hotel couldn't have a strip like that behind the counter and make it a routine part of check-out for the clerk to use it.
Yes, I keep my hotel cards after I've checked out and destroy them in a vat of acid, burning the acid vat afterwards, then burrying the chard remains in 9 foot hole to be safe.
Nothing costs nothing
1. Article is about a hotel that DOES this. Therefore, we're talking about it happening.
2. Snopes article has been revised a few times over the last several years. So, some of the information is older than other parts of the information.
3. "One of the difficulties in dealing with crime-related warnings is trying to distinguish between common occurrences to which the average person is likely to fall victim, and circumstances which are possible but have rarely (or never) played out in real life." from the Snopes article.
4. The Snopes article quotes a security expert who tested 6 cards at a security conference. 3 contained personal information, including one with a credit card number.
My experience at Walt Disney World is that the room key can be used in a credit card swiper and charges the card used to reserve the room. I still have this key card. If I ever get a stripe reader, I'll check.
The point of the Snopes article isn't that you will never find a CC number on a key card. The point is that they are not aware of this as an ACTUAL security threat. There's no reason that can't change in the near future, of course.
"What's On Your Hotel Keycard"
My hotel keycard has the little logo graphic of the hotel on the front of it and a memory storage device on the back. There's also a small mustard stain on it. What kind of data is stored within the memory on the card is an entirely different thing.
To quote George Carlin:
"About this time, they'll be telling you, 'Get on the plane. Get on the plane.' Well I say fuck you, I'm getting IN the plane. Let Evel Knievel get ON the plane. I'll be inside with the folks in uniform."
You see them left all over the place in Vegas.
Jackpot!!!
As opposed to the employee that can just print out the same information, take home the printout, and go shopping at your expense? Seriously, it may be an additional location where your information is stored, but it isn't anything that the front desk doesn't already have ample access to.
Learn to love Alaska
My existing lock system only encodes the check-in date, the check out date, the number of keys (1 of 2, 2 of 2) and a sequence number.
On the date of check out the key will stop working at 3:00 PM. If you check out early, your key will continue to work until 3:00 PM on your check out date. But if I check someone else into the room and create them a new key, when they open the door, they will advance the sequence register on the door lock and all prior keys will stop working.
My system has the ability to but the guests name on the card but in order to do this the card must be made directly by the key system. This only happens when I make master keys for employees. Guest keys are processed through an interface between my Front Office system and the key system. As a result no name is transmitted and when I read the key it will list the guest name as Guest.
What are you talking about? People don't leave Vegas until they don't have any money left, and all their credit cards are maxed out. You couldn't make a dime off that.
An internet myth: Snopes
Using a regular card reader I'm pretty confident you could only get one "generation." To get the next one you'd have to use some pretty specialized equipment. And I'm not sure it would be a sure thing either, provided that the information was recorded into the stripe using the same equipment and the same power level.
However if the hotel personnel sometimes used card reader/writer A, which has low power, but occasionally reader B, which has an ever so slightly higher power level, then assuming the last one used was A, you ought to be able to get at least 2 records off of the card, because the last record from B will be buried a little deeper in the strip than the overwrite by A.
Or if you had 3 card reader/writers, each at slightly different power levels, and used them in the right order, you might be able to reconstruct 3 sets of data from the card.
The analogy I'm thinking of is like how (analog) HiFi audio is written to a VHS tape: it's recorded onto the tape underneath the video signal, using a recording head where the flux pattern goes deeper into the recording medium. (It's also separated by virtue of an FM carrier and the azimuth angle of the recording heads, which you wouldn't have on a magnetic stripe card.)
I've read some articles on recovering overwritten information from linear magnetic tape (Nixon tapes, etc.) and it's no easy task. The usual way to do it is to just look for areas of the tape near the edges that weren't saturated by the erase head the second time around. I'm fairly confident in saying that recovery of two sets of data, made by the same reader/writer, would be non-trivial.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
It's sort of odd, that at first there was this urban myth saying you needed to worry, and then Snopes "debunked" it, and now we have good evidence from a person who actually took a card reader and checked some cards (as opposed to Snopes, who just called Doubletree, apparently), saying that the original hoax actually was on to something, after all.
None of this changes the Slashdot article at all, assuming that we trust the author to not be fabricating his results with the card reader completely (and I have no reason to believe that).
I think instead we just have a case where reality imitated art a little too closely -- the art in this case being that hoax, and reality being the stuff the hotels are putting on your card.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
Grr...why do people never actually read the snopes discussion and just blindly rely on the 'true/false' distinction. Often that is quite misleading.
If you read the snopes discussion it says that some hotels might do this but they have recieved no evidence this is true. Well this sounds like some evidence to me.
Basically snopes is responding to an over-sensationalized urban legend not taking a position that this is somehow impossible. While they do offer the analysis that they see no reason why the hotel would put personal information on the cards things have changed since then.
As one poster commented on the article it is quite likely that the hotels want to enable purchases with your key cards but don't have a fully integrated IT solution which can access the card database.
Just because some rumor was false once doesn't mean it can't become true!
If you liked this thought maybe you would find my blog nice too:
I have a credit card reader as well, and occassionally amuse myself by running all the cards in my wallet through it. I was surprised to find that not one but ALL of my credit cards have both my name and credit card number in the magnetic stripe on the back in unencrypted form! If I lost one of these cards, someone with a card reader could easily retrieve all my information and go on a geek shopping spree. I guess we just can't lose our hotel keys or credit cards anymore...
(this is offended to the end of comments you post, 120 chars)
Really. Despite the fact that this has already been identified as a probable urban legend by Snopes, I ask everyone on this site to think of this like an engineer.
Think about this. You're designing an electronic key-card system for a hotel. In order to do this you have to deal with lobby-monkeys who only occasionally swipe the card correctly through the machine when the customer's checking in. These cards are going to get shoved in pockets, scratched and generally abused.
Now, as an engineer are you going to create a solution that (a) writes to the magnetic strip for every person who checks into the hotel, running the risk that the card runs through skewed or otherwise renders the information unusable, or (b) are you going to assign each card a unique ID number similar to a credit card number that's permanently printed on the card repeatedly across the magnetic strip.
Talk amongst yourselves, but think about the fact that a mag-stripe WRITER costs more than a mag-stripe READER. If you control the locks from a central computer which only has to recognize that card (a) opens door (z), then how are you going to engineer that system for optimum efficiency and lowest cost?
While I don't doubt some droid might consider it a nice idea to have all the customer's info on the card, it doesn't make an awful lot of sense from an engineering perspective now, does it?
And yes, I've worked on hotel key card systems, and no I've never seen one that writes the cards in any way shape or form on check in.
Here are sites detailing this myth...
t m
h tml
s .asp?HName=Hotel+Key+Card+Hoax&Page=4
http://www.truthorfiction.com/rumors/k/keycards.h
http://www.breakthechain.org/exclusives/keycards.
http://www.trendmicro.com/vinfo/hoaxes/hoaxDetail
I'm surprised this one passed thru Slashdot's editorial staff.
"If it's got a switch... it's my bitch!!"
False information, nothing.
Having just called my buddy who's a manager at the Hampton Inn nearby, he told me "Yes, we do put all that info onto the card. It serves as a way to track the person who owns it, where it's been used in attempts to access areas, and as validation that the room is still open and the card is still valid to our computer systems. It also tells us when the card is used for entry, and allows us to contact the person if they're in the room."
So false information? For some hotels, possibly, but not for that particular one I just called. Perhaps you should call around hotels and just do a brief checkup on what they do/do not put on the card. I think I'll be doing this so I can determine a more secure hotel to stay at whenever I'm out of town.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
What I found more disturbing, however, was this passage by the Snopes article author: It never occurred to me that hotels might have a record of every time you opened your door.
If you can read this sig, you're too close.