Stories
Slash Boxes
Comments
Search

News for nerds, stuff that matters

Slashdot Log In

Log In

Create Account  |  Retrieve Password

What's On Your Hotel Keycard

Posted by CmdrTaco on Tue Sep 20, 2005 10:52 AM
from the get-your-paranoia-on dept.
Security IT
Lam1969 writes "From Robert Mitchell's blog on Computerworld: '... Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what's on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information - and in unencrypted form.' " Update: 09/20 19:10 GMT by J : Snopes, as of two months ago, says this is false.
+ -
story
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

What's On Your Hotel Keycard 50 Comments More /

 Full
 Abbreviated
 Hidden
More
Loading... please wait.

  • This is why... (Score:5, Interesting)

    by Shkuey (609361) on Tuesday September 20 2005, @10:55AM (#13604823)
    You always keep your keycards, and you always destroy them. I've yet to have an issue with a hotel wanting it back.
    • Why destroy them?
      I keep them as souvenirs from my various trips.

    • Re:This is why... (Score:5, Informative)

      by bedroll (806612) on Tuesday September 20 2005, @01:34PM (#13606631) Journal
      Let's have a reality check here.

      First, I want to say that I've worked at a hotel (night auditor/clerk). We had a VingCard system when I was there and at no point did any personal information hit these cards. I know people who work at hotels with slightly more advanced systems, and none of them store any personal information. They just store the room and duration.

      I won't say that such cards with personal information don't exist. I will say that they aren't the norm. Let's look at this from a realistic standpoint though:

      • If your hotel doesn't allow you to use your card to charge things to your account then you probably have nothing to worry about. Why would they include any personal information if you can't use that card for anything but entry to the building and your room?
      • Even if your hotel does allow this, what benefit do they gain from having your information (more than your room) on the card? Obviously the payment system must be hooked into the registry somehow, so why wouldn't they just store the room number/unique id to make the link? Wouldn't it be MORE work for them to link it back if they use your information instead of theirs?
      • Let us say that these cards are in a lot of places, why are we worried about them when folios are normally plain text and stored in paper format somewhere on the premises? You don't know what happens to these records. Normally they just get locked in a storage closet for a while until they get thrown out.
      • I hope you don't ever buy anything online. I'd venture to guess that it's much more common for poor security practices to be used on billing databases for e-comm than it is for hotels to embed your billing info on your keycard. For that matter, if you have a CC you probably use it all over the place. The receipts are normally poorly handled and not very secure. Point being that your CC information is rarely secure, and that includes places that also get your address.

      This seems like much ado about nothing. It's a fairly low risk scenario when compared to all the other ways to get at this information. Who's going to sit around at these hotels and swipe cards looking for embedded information? If they did, don't you think the CC companies would eventually catch onto how it was happening, or at least that it was just a few hotels?

      I'd ask how my information was being shared if they said that I could use my keycard to pay for things. If there's nothing like that, I wouldn't worry about it. Depending on the situation, I might keep the card. Normally I just turn it into the clerk, who has access to all the information on it anyway.

      If you do keep your card, perhaps you should consider keeping it under your tinfoil hat.

      • Re:This is why... (Score:5, Informative)

        by Bensel (881718) on Tuesday September 20 2005, @11:10AM (#13605009)
        Aha... here's the email I heard this from:

        From the Colorado Bureau of Investigation:

        "Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used throughout the industry.

        Although room keys differ from hotel to hotel, a key obtained from the "Double Tree" chain that was being used for a regional Identity Theft Presentation was found to contain the following the information:

        a.. Customers (your) name b.. Customers partial home address c.. Hotel room number d.. Check in date and check out date e.. Customer's (your) credit card number and expiration date!

        When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

        Simply put, hotels do not erase the information on these cards until an employee re-issues the card to the next hotel guest. At that time, the new guest's information is electronically "overwritten" on the card and the previous guest's information is erased in the overwriting process. But until the card is rewritten for the next guest, it usually is kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!!

        The bottom line is: Keep the cards, take them home with you, or destroy them. NEVER leave them behind in the room or room wastebasket, and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card (it's illegal) and you'll be sure you are not leaving a lot of valuable personal information on it that could be easily lifted off with any simple scanning device card reader. For the same reason, if you arrive at the airport and discover you still have the card key in your pocket, do not toss it in an airport trash basket. Take it home and destroy it by cutting it up, especially through the electronic information strip!

        Information courtesy of: Sergeant K. Jorge, Detective Sergeant, Pasadena Police Department

        • I remember this hoax . . . (Score:5, Informative)

          by Rob the Bold (788862) on Tuesday September 20 2005, @11:22AM (#13605134)
          It was a good one, too.

          Here's the link: http://www.snopes.com/crime/warnings/hotelkey.asp [snopes.com]

          • Ironic: Debunking the Debunking (Score:4, Interesting)

            by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Tuesday September 20 2005, @12:25PM (#13605932) Homepage Journal
            It's sort of odd, that at first there was this urban myth saying you needed to worry, and then Snopes "debunked" it, and now we have good evidence from a person who actually took a card reader and checked some cards (as opposed to Snopes, who just called Doubletree, apparently), saying that the original hoax actually was on to something, after all.

            None of this changes the Slashdot article at all, assuming that we trust the author to not be fabricating his results with the card reader completely (and I have no reason to believe that).

            I think instead we just have a case where reality imitated art a little too closely -- the art in this case being that hoax, and reality being the stuff the hotels are putting on your card.
            • It's sort of odd, that at first there was this urban myth saying you needed to worry, and then Snopes "debunked" it, and now we have good evidence from a person who actually took a card reader and checked some cards (as opposed to Snopes, who just called Doubletree, apparently), saying that the original hoax actually was on to something, after all.
              No, we don't have good evidence - we have a posting on a blog.
              None of this changes the Slashdot article at all, assuming that we trust the author to not be fabricating his results with the card reader completely (and I have no reason to believe that).
              We have no reason to make an assumption either way - that this is a hoax, or that he is telling the truth.

          • Re:I remember this hoax . . . (Score:4, Insightful)

            by lxs (131946) on Tuesday September 20 2005, @02:34PM (#13607389)
            For someone from a community that has a healthy scepticism to all things published both on- and offline, the average slashdot reader appears to have an unshakable faith in snopes.com
      • Well after they saw the stain on my card, the hotel clerk said PLEASE keep it.

        • Re:I don't get it (Score:4, Insightful)

          by AK Marc (707885) on Tuesday September 20 2005, @11:48AM (#13605442)
          As opposed to the employee that can just print out the same information, take home the printout, and go shopping at your expense? Seriously, it may be an additional location where your information is stored, but it isn't anything that the front desk doesn't already have ample access to.

  • DMCA (Score:5, Funny)

    by senducemhere (563189) on Tuesday September 20 2005, @10:55AM (#13604827) Homepage
    The fact that he read his own information off of the card has to be a DMCA violation - he should get a lawywer now.

  • Really a big deal? (Score:5, Interesting)

    by DeadSea (69598) * on Tuesday September 20 2005, @10:57AM (#13604841) Homepage Journal
    Your credit card contains your name and credit card number on it in an unencrypted form. If your key card does as well, you should treat it like a credit card.
    1. It certainly would be nice for the hotel to tell you what they put on the card
    2. They should tell you to report your credit card as stolen if you lose your key card.
    3. They should securely erase or destroy key cards when you check out
    I generally trust the hotel staff with my credit card number, and I generally acknoledge that there is info about me on the magnetic stripes in my wallet. Is this anything to get upset about?

    • Re:Really a big deal? (Score:5, Interesting)

      by stuckinarut (891702) on Tuesday September 20 2005, @11:01AM (#13604899)
      You often hear about people that have had their ATM cards wiped by the magnets used to disable the security tags in stores. Many stores have 'Don't place cards here' signs to prevent this. If the hotels had 'Please place keycards here' on a similar magnet when you sign out then that would wipe them and problem solved.
    • If a hotel offered to copy my credit card & hand it to my kids or my coworker so they could get into the roomm I'd probably decline. Shared credit card account numbers are often unique. They should similarly have unique numbers on hotel keys.

  • Yeah, please make it easier to spend money... (Score:3, Insightful)

    by soft_guy (534437) on Tuesday September 20 2005, @10:57AM (#13604847)
    What the world really needs is the ability for you to buy stuff using your hotel room key. Because it is not easy enough to spend money currently.

    If these hotels are putting credit card and other personal info on the room key unencrypted, how else might they be mis-handling your personal information?

    This is bad.
      • They keep a ton of information on those cards I think. I went to Disney World for my honeymoon and we were given 25 of those magical wishes. You could just take your room key to Planet Hollywood, Rain Forest Cafe or any of those places at Downtown Disney and tell them you wanted to use a magical wish for your meal. Then you could get anything on the menu as long as it was one appetizer one main course and one desert, tip was included. We ate surf and turf almost every night.

        It would also work if you
      • That's not really using it as the credit card - that's just using it as a method to bill something to your room - like you can do with a meal at almost any hotel.
      • Ever been to Disney?

        No. And I don't plan to go - ever. I avoid Disney like the plague which means I miss out on a lot of movies. But I can't stand a company that got where they are by using stories in the public domain, then uses their money and power to eliminate the public domain.

  • Snopes claims this to be false (Score:5, Informative)

    by Anonymous Coward on Tuesday September 20 2005, @10:57AM (#13604848)
    http://www.snopes.com/crime/warnings/hotelkey.asp [snopes.com] Who is right?
    • All snopes claims is that this isn't a widespread phenomenon. Presumably different hotels have different policies, and it's entirely possible the the hotel mentioned here does it while others don't.

    • Re:Snopes claims this to be false (Score:4, Funny)

      by fnj (64210) on Tuesday September 20 2005, @11:22AM (#13605135)
      Snopes says EVERYTHING is false. A big hurricane in New Orleans? False. Insurgency in Iraq? False. World War 2 is over? False. The earth is round? False.

      • Re:Wrong (Re:Snopes claims this to be false) (Score:5, Informative)

        by millennial (830897) on Tuesday September 20 2005, @11:16AM (#13605072) Journal
        Let's keep reading, shall we? Snopes ACTUALLY says that none of the hotel chains they contacted put sensitive information on the cards. One reader who works at a hotel said that the only thing that goes on there is the room number, the number of nights in the stay, and the number of keys issued.

        • Sigh... (Score:4, Informative)

          by JLavezzo (161308) on Tuesday September 20 2005, @11:26AM (#13605180) Homepage
          1. Article is about a hotel that DOES this. Therefore, we're talking about it happening.

          2. Snopes article has been revised a few times over the last several years. So, some of the information is older than other parts of the information.

          3. "One of the difficulties in dealing with crime-related warnings is trying to distinguish between common occurrences to which the average person is likely to fall victim, and circumstances which are possible but have rarely (or never) played out in real life." from the Snopes article.

          4. The Snopes article quotes a security expert who tested 6 cards at a security conference. 3 contained personal information, including one with a credit card number.

          My experience at Walt Disney World is that the room key can be used in a credit card swiper and charges the card used to reserve the room. I still have this key card. If I ever get a stripe reader, I'll check.

          The point of the Snopes article isn't that you will never find a CC number on a key card. The point is that they are not aware of this as an ACTUAL security threat. There's no reason that can't change in the near future, of course.

  • I have a card reader ... (Score:5, Funny)

    by Anonymous Coward on Tuesday September 20 2005, @10:57AM (#13604854)
    Let's see what the card says: "Housekeeping Notes: Customer uses excessive amounts of Kleenex on overnight stays ..." HEY!!!

  • Necessary data (Score:5, Funny)

    by bytesmythe (58644) <bytesmythe@gmaUMLAUTil.com minus punct> on Tuesday September 20 2005, @10:58AM (#13604864)
    I wonder how much of that data is necessary for the card to work. Perhaps you could get a magstripe writer, scan the card, and re-write only what needs to be there to get the door to open.

    Sidenote:
    Fun with cards -- Use a reader/writer to exchange the data on different cards. (E.g., swap your gas station card with a retail store card. It's kind of like paying for fast food with $2 bills.)
    • Fun with cards -- Use a reader/writer to exchange the data on different cards. (E.g., swap your gas station card with a retail store card. It's kind of like paying for fast food with $2 bills.)

      An interesting social experiment: rewrite your old, expired credit card with the mag information from the new card, and see how many cashiers notice. Better yet, use a card that expired years ago (this experiment will take a little longer to do). Usually, if the authorization goes through on the cash register, the cas

  • Information On Card (Score:5, Insightful)

    by Daveznet (789744) on Tuesday September 20 2005, @11:00AM (#13604887)
    Why would the Hotel need to put straight Credit Card information onto the card? This doesnt make any sense. Why wouldnt they just use some sort of key to tie your swipe card to your account on their system. This way if you DO lose your card and it isn't cancelled in time someone who decides to use it can only use it within the Hotel where it can then easily be tracked.

  • I call BS... (Score:5, Informative)

    by Julius X (14690) on Tuesday September 20 2005, @11:02AM (#13604913) Homepage
    I've worked in a number of hotels for the past seven years- and all of them used electronic key systems, either the card type, or an electronic microchip key.

    In EVERY case, the key system is a seperate box not tied into the main computer, and only contains your room number, and length of your stay. The device is ONLY a key coder - it does not tie-in to the main network or the hotel's database in any way.

    This story is spreading FUD, do we really need more of that going around?

  • Magnetic Money Clip (Score:4, Informative)

    by Loether (769074) on Tuesday September 20 2005, @11:06AM (#13604949) Homepage
    I have a magnetic Money clip I use. If I put a hotel keycard even in the same pocket it wipes it completely. Whereas my credit card has never been a problem. Hotel cards use a different technology that is more easily wipable than standard credit cards.

  • Urban Legend? (Score:4, Informative)

    by nonsense28sal (680645) on Tuesday September 20 2005, @11:07AM (#13604976) Homepage
    I have to admit, I'm a little suspicious. I've heard this story [snopes.com] before and it was labeled false. Add to the situation that the author "declined to name specific hotels" and it only adds to my doubts. Why not name names???

  • Better idea! (Score:3, Insightful)

    by czarangelus (805501) <iapetus@gm3.14ail.com minus pi> on Tuesday September 20 2005, @11:08AM (#13604987)
    Instead of using a hotel keycard, they should code the lock to allow you to open your door with your own credit card. That's something you're far more likely to take good care of, and then you don't have to worry about duplicates of that information floating around.

  • New TV Drama Hook (Score:3, Funny)

    by geomon (78680) on Tuesday September 20 2005, @11:20AM (#13605117) Homepage Journal
    I'm sure it is just a matter of time before this plot angle shows up in an episode of Law and Order. Other urban myths have been incorporated into that series in past scripts (i.e., kidney harvesting).

  • Tin foil hat time (Score:5, Funny)

    by smallguy78 (775828) on Tuesday September 20 2005, @11:24AM (#13605159) Homepage
    Yes, I keep my hotel cards after I've checked out and destroy them in a vat of acid, burning the acid vat afterwards, then burrying the chard remains in 9 foot hole to be safe.

  • Think about this logically; (Score:5, Interesting)

    by Thumper_SVX (239525) on Tuesday September 20 2005, @01:52PM (#13606838) Homepage
    Really. Despite the fact that this has already been identified as a probable urban legend by Snopes, I ask everyone on this site to think of this like an engineer.

    Think about this. You're designing an electronic key-card system for a hotel. In order to do this you have to deal with lobby-monkeys who only occasionally swipe the card correctly through the machine when the customer's checking in. These cards are going to get shoved in pockets, scratched and generally abused.

    Now, as an engineer are you going to create a solution that (a) writes to the magnetic strip for every person who checks into the hotel, running the risk that the card runs through skewed or otherwise renders the information unusable, or (b) are you going to assign each card a unique ID number similar to a credit card number that's permanently printed on the card repeatedly across the magnetic strip.

    Talk amongst yourselves, but think about the fact that a mag-stripe WRITER costs more than a mag-stripe READER. If you control the locks from a central computer which only has to recognize that card (a) opens door (z), then how are you going to engineer that system for optimum efficiency and lowest cost?

    While I don't doubt some droid might consider it a nice idea to have all the customer's info on the card, it doesn't make an awful lot of sense from an engineering perspective now, does it?

    And yes, I've worked on hotel key card systems, and no I've never seen one that writes the cards in any way shape or form on check in.

  • URBAN MYTH ALERT (Score:5, Interesting)

    by Thurmont (712483) on Tuesday September 20 2005, @01:59PM (#13606920)
    Here are sites detailing this myth...

    http://www.truthorfiction.com/rumors/k/keycards.ht m [truthorfiction.com]
    http://www.breakthechain.org/exclusives/keycards.h tml [breakthechain.org]
    http://www.trendmicro.com/vinfo/hoaxes/hoaxDetails .asp?HName=Hotel+Key+Card+Hoax&Page=4 [trendmicro.com]

    I'm surprised this one passed thru Slashdot's editorial staff.
    • I have to wonder if they do erase them. I mean most ppl just keep the key or toss it after they check out. And because its a simple magnetic strip the data will be resident on it unless someone physically demagnitizes it or deguasses it.
        • And in the meantime that hotel employee is reading all of them for data after the guest has left. Since there is no tampering with the computer, there is no audit trail that a guest has been comprimised.
          -nB

    • Re:Illegal? (Score:5, Insightful)

      by Anonymous Coward on Tuesday September 20 2005, @10:57AM (#13604858)
      Now admittedly this country has gone to hell, but why in the world would you think a card reader would be illegal?

      That is incredibly depressing.

      For the government, and its media cronies to have you in the state of mind where you feel that you should not have access to something like a card reader is sad and pathetic.

    • Re:Illegal? (Score:3, Interesting)

      by JadeNB (784349)
      And they DO erase them after you check out, don't they?
      Although this seems suspicious to me (it's hard to believe that as highly-motivated a work force as the desk personnel at a hotel won't slip up and forget from time to time), I guess it's true that the keys are then kept in a reasonably safe place until they are re-encoded for the next visitor. (Is this true? Is there a way to recover old information from a magnetic stripe even after it's been overwritten?)

      • You're kidding, right? (Score:5, Insightful)

        by swb (14022) <mobocracy@gmail.com> on Tuesday September 20 2005, @11:16AM (#13605068)
        I know a lot of people (including myself, until now) simply assumed the card had some magick code on it that opened the door, and once they checked out, the code stopped working, so key cards got:

        1) left in the room when you walked out. There's probably a box on the cleaning carts where they get chucked. Highly insecure.

        2) left in the rental car or wherever. You're done with it and presumably it has no information relevant to you.

        3) idly thrown away (probably the most secure, provided its a sufficiently yucky trash can)

        4) Taped to office doors or cube walls to make a "gee, I travel a lot" mosaic.

        The idea that they're somehow secure because they MIGHT get stored and reused seems laughable.
    • they DO erase them after you check out, don't they?

      I'd be willing to bet that most of them simply put them back on the stack behind the front desk, to be overwritten if and when they get reused. This, of course, raises another interesting question - can the information of prior users of the card be obtained with data recovery techniques? How many generations of data could one conceivably extract from a single keycard?

      • Data Recovery (Score:5, Insightful)

        by Kadin2048 (468275) <slashdot@kadin.xoxy@net> on Tuesday September 20 2005, @12:19PM (#13605836) Homepage Journal
        Using a regular card reader I'm pretty confident you could only get one "generation." To get the next one you'd have to use some pretty specialized equipment. And I'm not sure it would be a sure thing either, provided that the information was recorded into the stripe using the same equipment and the same power level.

        However if the hotel personnel sometimes used card reader/writer A, which has low power, but occasionally reader B, which has an ever so slightly higher power level, then assuming the last one used was A, you ought to be able to get at least 2 records off of the card, because the last record from B will be buried a little deeper in the strip than the overwrite by A.

        Or if you had 3 card reader/writers, each at slightly different power levels, and used them in the right order, you might be able to reconstruct 3 sets of data from the card.

        The analogy I'm thinking of is like how (analog) HiFi audio is written to a VHS tape [eed.usv.ro]: it's recorded onto the tape underneath the video signal, using a recording head where the flux pattern goes deeper into the recording medium. (It's also separated by virtue of an FM carrier and the azimuth angle of the recording heads, which you wouldn't have on a magnetic stripe card.)

        I've read some articles on recovering overwritten information from linear magnetic tape (Nixon tapes, etc.) and it's no easy task. The usual way to do it is to just look for areas of the tape near the edges that weren't saturated by the erase head the second time around. I'm fairly confident in saying that recovery of two sets of data, made by the same reader/writer, would be non-trivial.
    • Hotel cards aren't for your convenience, they are for the hotel's convenience. An easy way to create and distribute keys to rooms, keeping out only the most simple theives...
      Easy to distribute master cards to maids, easy for them to tell how to bill you by just the card.

      Think about it, if your computers went down, and all you had were your customers keycards... they want to be able to bill you no matter what.

      They don't care about your security/safety, it's just the convenience for the hotels.

      • Re:Illegal? (Score:5, Insightful)

        by thparker (717240) on Tuesday September 20 2005, @04:59PM (#13608966) Homepage
        Think about it, if your computers went down, and all you had were your customers keycards... they want to be able to bill you no matter what.

        I find this whole article suspect. Just the other day when I checked into a Sheraton, the computer system was down. No reservation data (they had a faxed list from some other location), no swiping of the credit card, nothing. Still, I could get my keycard and get into my room -- because the keycard encoding was part of a completely different system.

        I'm not suggesting that when all systems are online that additional info couldn't be passed to the keycard, but I don't buy it.

    • Having worked at a motel before, I can attest that it is NOT policy to erase the cards after use. The cards are usually given an expiration date (usually the checkout date). The expiration date only serves as data for the card reader on the door. The key will not be erased at this date...it will only be unable to open the door.

    • $1.50 card reader (Score:5, Informative)

      by Anonymous Coward on Tuesday September 20 2005, @11:14AM (#13605051)
      you can get one from all electronics corp for 1.50 yes one dollar and FIF-tee cents all electronics reader [allelectronics.com] then use stripesnoop (.sf.net) and you can figureout how to hook them up to a gameport/whatever on their forum check their forum [sourceforge.net]

All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.