Slashdot Mirror

← Back to Stories (view on slashdot.org)

What's On Your Hotel Keycard

Posted by CmdrTaco on from the get-your-paranoia-on dept.

Lam1969 writes "From Robert Mitchell's blog on Computerworld: '... Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what's on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information - and in unencrypted form.' " Update: 09/20 19:10 GMT by J : Snopes, as of two months ago, says this is false.

23 of 416 comments (clear)

  1. This is why... by Shkuey · · Score: 5, Interesting

    You always keep your keycards, and you always destroy them. I've yet to have an issue with a hotel wanting it back.

    1. Re:This is why... by Bensel · · Score: 5, Informative

      Aha... here's the email I heard this from:

      From the Colorado Bureau of Investigation:

      "Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used throughout the industry.

      Although room keys differ from hotel to hotel, a key obtained from the "Double Tree" chain that was being used for a regional Identity Theft Presentation was found to contain the following the information:

      a.. Customers (your) name b.. Customers partial home address c.. Hotel room number d.. Check in date and check out date e.. Customer's (your) credit card number and expiration date!

      When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

      Simply put, hotels do not erase the information on these cards until an employee re-issues the card to the next hotel guest. At that time, the new guest's information is electronically "overwritten" on the card and the previous guest's information is erased in the overwriting process. But until the card is rewritten for the next guest, it usually is kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!!

      The bottom line is: Keep the cards, take them home with you, or destroy them. NEVER leave them behind in the room or room wastebasket, and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card (it's illegal) and you'll be sure you are not leaving a lot of valuable personal information on it that could be easily lifted off with any simple scanning device card reader. For the same reason, if you arrive at the airport and discover you still have the card key in your pocket, do not toss it in an airport trash basket. Take it home and destroy it by cutting it up, especially through the electronic information strip!

      Information courtesy of: Sergeant K. Jorge, Detective Sergeant, Pasadena Police Department

    2. Re:This is why... by bedroll · · Score: 4, Informative
      Let's have a reality check here.

      First, I want to say that I've worked at a hotel (night auditor/clerk). We had a VingCard system when I was there and at no point did any personal information hit these cards. I know people who work at hotels with slightly more advanced systems, and none of them store any personal information. They just store the room and duration.

      I won't say that such cards with personal information don't exist. I will say that they aren't the norm. Let's look at this from a realistic standpoint though:

      • If your hotel doesn't allow you to use your card to charge things to your account then you probably have nothing to worry about. Why would they include any personal information if you can't use that card for anything but entry to the building and your room?
      • Even if your hotel does allow this, what benefit do they gain from having your information (more than your room) on the card? Obviously the payment system must be hooked into the registry somehow, so why wouldn't they just store the room number/unique id to make the link? Wouldn't it be MORE work for them to link it back if they use your information instead of theirs?
      • Let us say that these cards are in a lot of places, why are we worried about them when folios are normally plain text and stored in paper format somewhere on the premises? You don't know what happens to these records. Normally they just get locked in a storage closet for a while until they get thrown out.
      • I hope you don't ever buy anything online. I'd venture to guess that it's much more common for poor security practices to be used on billing databases for e-comm than it is for hotels to embed your billing info on your keycard. For that matter, if you have a CC you probably use it all over the place. The receipts are normally poorly handled and not very secure. Point being that your CC information is rarely secure, and that includes places that also get your address.

      This seems like much ado about nothing. It's a fairly low risk scenario when compared to all the other ways to get at this information. Who's going to sit around at these hotels and swipe cards looking for embedded information? If they did, don't you think the CC companies would eventually catch onto how it was happening, or at least that it was just a few hotels?

      I'd ask how my information was being shared if they said that I could use my keycard to pay for things. If there's nothing like that, I wouldn't worry about it. Depending on the situation, I might keep the card. Normally I just turn it into the clerk, who has access to all the information on it anyway.

      If you do keep your card, perhaps you should consider keeping it under your tinfoil hat.

  2. DMCA by senducemhere · · Score: 5, Funny

    The fact that he read his own information off of the card has to be a DMCA violation - he should get a lawywer now.

    --
    Sig? We don't need no stinking sig....
  3. Really a big deal? by DeadSea · · Score: 5, Interesting
    Your credit card contains your name and credit card number on it in an unencrypted form. If your key card does as well, you should treat it like a credit card.
    1. It certainly would be nice for the hotel to tell you what they put on the card
    2. They should tell you to report your credit card as stolen if you lose your key card.
    3. They should securely erase or destroy key cards when you check out
    I generally trust the hotel staff with my credit card number, and I generally acknoledge that there is info about me on the magnetic stripes in my wallet. Is this anything to get upset about?
    1. Re:Really a big deal? by stuckinarut · · Score: 5, Interesting

      You often hear about people that have had their ATM cards wiped by the magnets used to disable the security tags in stores. Many stores have 'Don't place cards here' signs to prevent this. If the hotels had 'Please place keycards here' on a similar magnet when you sign out then that would wipe them and problem solved.

  4. Snopes claims this to be false by Anonymous Coward · · Score: 5, Informative

    http://www.snopes.com/crime/warnings/hotelkey.asp Who is right?

  5. I have a card reader ... by Anonymous Coward · · Score: 5, Funny

    Let's see what the card says: "Housekeeping Notes: Customer uses excessive amounts of Kleenex on overnight stays ..." HEY!!!

  6. Re:Illegal? by Anonymous Coward · · Score: 5, Insightful

    Now admittedly this country has gone to hell, but why in the world would you think a card reader would be illegal?

    That is incredibly depressing.

    For the government, and its media cronies to have you in the state of mind where you feel that you should not have access to something like a card reader is sad and pathetic.

  7. Necessary data by bytesmythe · · Score: 4, Funny

    I wonder how much of that data is necessary for the card to work. Perhaps you could get a magstripe writer, scan the card, and re-write only what needs to be there to get the door to open.

    Sidenote:
    Fun with cards -- Use a reader/writer to exchange the data on different cards. (E.g., swap your gas station card with a retail store card. It's kind of like paying for fast food with $2 bills.)

    --
    bytesmythe
    Hypocrisy is the resin that holds the plywood of society together.
    -- Scott Meyer
  8. Information On Card by Daveznet · · Score: 5, Insightful

    Why would the Hotel need to put straight Credit Card information onto the card? This doesnt make any sense. Why wouldnt they just use some sort of key to tie your swipe card to your account on their system. This way if you DO lose your card and it isn't cancelled in time someone who decides to use it can only use it within the Hotel where it can then easily be tracked.

    --
    GL HF!
  9. I call BS... by Julius+X · · Score: 5, Informative

    I've worked in a number of hotels for the past seven years- and all of them used electronic key systems, either the card type, or an electronic microchip key.

    In EVERY case, the key system is a seperate box not tied into the main computer, and only contains your room number, and length of your stay. The device is ONLY a key coder - it does not tie-in to the main network or the hotel's database in any way.

    This story is spreading FUD, do we really need more of that going around?

    --

    -Julius X
    remove "-whatkindofspamdoyoutakemefor-" from email to send
  10. Magnetic Money Clip by Loether · · Score: 4, Informative

    I have a magnetic Money clip I use. If I put a hotel keycard even in the same pocket it wipes it completely. Whereas my credit card has never been a problem. Hotel cards use a different technology that is more easily wipable than standard credit cards.

    --
    TODO create witty sig.
  11. Urban Legend? by nonsense28sal · · Score: 4, Informative

    I have to admit, I'm a little suspicious. I've heard this story before and it was labeled false. Add to the situation that the author "declined to name specific hotels" and it only adds to my doubts. Why not name names???

  12. $1.50 card reader by Anonymous Coward · · Score: 5, Informative

    you can get one from all electronics corp for 1.50 yes one dollar and FIF-tee cents all electronics reader then use stripesnoop (.sf.net) and you can figureout how to hook them up to a gameport/whatever on their forum check their forum

  13. You're kidding, right? by swb · · Score: 5, Insightful

    I know a lot of people (including myself, until now) simply assumed the card had some magick code on it that opened the door, and once they checked out, the code stopped working, so key cards got:

    1) left in the room when you walked out. There's probably a box on the cleaning carts where they get chucked. Highly insecure.

    2) left in the rental car or wherever. You're done with it and presumably it has no information relevant to you.

    3) idly thrown away (probably the most secure, provided its a sufficiently yucky trash can)

    4) Taped to office doors or cube walls to make a "gee, I travel a lot" mosaic.

    The idea that they're somehow secure because they MIGHT get stored and reused seems laughable.

  14. Re:Wrong (Re:Snopes claims this to be false) by millennial · · Score: 5, Informative

    Let's keep reading, shall we? Snopes ACTUALLY says that none of the hotel chains they contacted put sensitive information on the cards. One reader who works at a hotel said that the only thing that goes on there is the room number, the number of nights in the stay, and the number of keys issued.

    --
    I am scientifically inaccurate.
  15. I remember this hoax . . . by Rob+the+Bold · · Score: 5, Informative
    It was a good one, too.

    Here's the link: http://www.snopes.com/crime/warnings/hotelkey.asp

    --
    I am not a crackpot.
  16. Tin foil hat time by smallguy78 · · Score: 5, Funny

    Yes, I keep my hotel cards after I've checked out and destroy them in a vat of acid, burning the acid vat afterwards, then burrying the chard remains in 9 foot hole to be safe.

    --
    Nothing costs nothing
  17. Data Recovery by Kadin2048 · · Score: 4, Insightful

    Using a regular card reader I'm pretty confident you could only get one "generation." To get the next one you'd have to use some pretty specialized equipment. And I'm not sure it would be a sure thing either, provided that the information was recorded into the stripe using the same equipment and the same power level.

    However if the hotel personnel sometimes used card reader/writer A, which has low power, but occasionally reader B, which has an ever so slightly higher power level, then assuming the last one used was A, you ought to be able to get at least 2 records off of the card, because the last record from B will be buried a little deeper in the strip than the overwrite by A.

    Or if you had 3 card reader/writers, each at slightly different power levels, and used them in the right order, you might be able to reconstruct 3 sets of data from the card.

    The analogy I'm thinking of is like how (analog) HiFi audio is written to a VHS tape: it's recorded onto the tape underneath the video signal, using a recording head where the flux pattern goes deeper into the recording medium. (It's also separated by virtue of an FM carrier and the azimuth angle of the recording heads, which you wouldn't have on a magnetic stripe card.)

    I've read some articles on recovering overwritten information from linear magnetic tape (Nixon tapes, etc.) and it's no easy task. The usual way to do it is to just look for areas of the tape near the edges that weren't saturated by the erase head the second time around. I'm fairly confident in saying that recovery of two sets of data, made by the same reader/writer, would be non-trivial.

    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
  18. Think about this logically; by Thumper_SVX · · Score: 4, Interesting

    Really. Despite the fact that this has already been identified as a probable urban legend by Snopes, I ask everyone on this site to think of this like an engineer.

    Think about this. You're designing an electronic key-card system for a hotel. In order to do this you have to deal with lobby-monkeys who only occasionally swipe the card correctly through the machine when the customer's checking in. These cards are going to get shoved in pockets, scratched and generally abused.

    Now, as an engineer are you going to create a solution that (a) writes to the magnetic strip for every person who checks into the hotel, running the risk that the card runs through skewed or otherwise renders the information unusable, or (b) are you going to assign each card a unique ID number similar to a credit card number that's permanently printed on the card repeatedly across the magnetic strip.

    Talk amongst yourselves, but think about the fact that a mag-stripe WRITER costs more than a mag-stripe READER. If you control the locks from a central computer which only has to recognize that card (a) opens door (z), then how are you going to engineer that system for optimum efficiency and lowest cost?

    While I don't doubt some droid might consider it a nice idea to have all the customer's info on the card, it doesn't make an awful lot of sense from an engineering perspective now, does it?

    And yes, I've worked on hotel key card systems, and no I've never seen one that writes the cards in any way shape or form on check in.

  19. URBAN MYTH ALERT by Thurmont · · Score: 5, Interesting

    Here are sites detailing this myth...

    http://www.truthorfiction.com/rumors/k/keycards.ht m
    http://www.breakthechain.org/exclusives/keycards.h tml
    http://www.trendmicro.com/vinfo/hoaxes/hoaxDetails .asp?HName=Hotel+Key+Card+Hoax&Page=4

    I'm surprised this one passed thru Slashdot's editorial staff.

    --
    "If it's got a switch... it's my bitch!!"
  20. Re:Illegal? by thparker · · Score: 4, Insightful
    Think about it, if your computers went down, and all you had were your customers keycards... they want to be able to bill you no matter what.

    I find this whole article suspect. Just the other day when I checked into a Sheraton, the computer system was down. No reservation data (they had a faxed list from some other location), no swiping of the credit card, nothing. Still, I could get my keycard and get into my room -- because the keycard encoding was part of a completely different system.

    I'm not suggesting that when all systems are online that additional info couldn't be passed to the keycard, but I don't buy it.