What's On Your Hotel Keycard

Lam1969 writes "From Robert Mitchell's blog on Computerworld: '... Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what's on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information - and in unencrypted form.' " Update: 09/20 19:10 GMT by J : Snopes, as of two months ago, says this is false.

Snopes claims this to be false

[Anonymous Coward]

http://www.snopes.com/crime/warnings/hotelkey.asp [snopes.com] Who is right?

Re:Illegal?

[Evil W1zard]

I have to wonder if they do erase them. I mean most ppl just keep the key or toss it after they check out. And because its a simple magnetic strip the data will be resident on it unless someone physically demagnitizes it or deguasses it.

Re:This is why...

[Bensel]

I've yet to have an issue with a hotel wanting it back.

That's because it's illegal (can't remember where I found this out, sorry) for the hotel to make you give it back.

Wrong (Re:Snopes claims this to be false)

[JLavezzo]

Wrong. Snopes says that while it's true the information is on the card, there is no significant trend relating this to criminal activity.

I call BS...

[Julius X]

I've worked in a number of hotels for the past seven years- and all of them used electronic key systems, either the card type, or an electronic microchip key.

In EVERY case, the key system is a seperate box not tied into the main computer, and only contains your room number, and length of your stay. The device is ONLY a key coder - it does not tie-in to the main network or the hotel's database in any way.

This story is spreading FUD, do we really need more of that going around?

Magnetic Money Clip

[Loether]

I have a magnetic Money clip I use. If I put a hotel keycard even in the same pocket it wipes it completely. Whereas my credit card has never been a problem. Hotel cards use a different technology that is more easily wipable than standard credit cards.

Urban Legend?

[nonsense28sal]

I have to admit, I'm a little suspicious. I've heard this story [snopes.com] before and it was labeled false. Add to the situation that the author "declined to name specific hotels" and it only adds to my doubts. Why not name names???

Re:This is why...

[Bensel]

Aha... here's the email I heard this from:

From the Colorado Bureau of Investigation:

"Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used throughout the industry.

Although room keys differ from hotel to hotel, a key obtained from the "Double Tree" chain that was being used for a regional Identity Theft Presentation was found to contain the following the information:

a.. Customers (your) name b.. Customers partial home address c.. Hotel room number d.. Check in date and check out date e.. Customer's (your) credit card number and expiration date!

When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

Simply put, hotels do not erase the information on these cards until an employee re-issues the card to the next hotel guest. At that time, the new guest's information is electronically "overwritten" on the card and the previous guest's information is erased in the overwriting process. But until the card is rewritten for the next guest, it usually is kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!!

The bottom line is: Keep the cards, take them home with you, or destroy them. NEVER leave them behind in the room or room wastebasket, and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card (it's illegal) and you'll be sure you are not leaving a lot of valuable personal information on it that could be easily lifted off with any simple scanning device card reader. For the same reason, if you arrive at the airport and discover you still have the card key in your pocket, do not toss it in an airport trash basket. Take it home and destroy it by cutting it up, especially through the electronic information strip!

Information courtesy of: Sergeant K. Jorge, Detective Sergeant, Pasadena Police Department

Re:Illegal?

[mintshows]

Having worked at a motel before, I can attest that it is NOT policy to erase the cards after use. The cards are usually given an expiration date (usually the checkout date). The expiration date only serves as data for the card reader on the door. The key will not be erased at this date...it will only be unable to open the door.

$1.50 card reader

[Anonymous Coward]

you can get one from all electronics corp for 1.50 yes one dollar and FIF-tee cents all electronics reader [allelectronics.com] then use stripesnoop (.sf.net) and you can figureout how to hook them up to a gameport/whatever on their forum check their forum [sourceforge.net]

Re:Wrong (Re:Snopes claims this to be false)

[millennial]

Let's keep reading, shall we? Snopes ACTUALLY says that none of the hotel chains they contacted put sensitive information on the cards. One reader who works at a hotel said that the only thing that goes on there is the room number, the number of nights in the stay, and the number of keys issued.

This looks like a hoax

[Matt Perry]

This looks like a hoax accroding to snopes: http://www.snopes.com/crime/warnings/hotelkey.asp [snopes.com]

I remember this hoax . . .

[Rob the Bold]

It was a good one, too.

Here's the link: http://www.snopes.com/crime/warnings/hotelkey.asp [snopes.com]

Thanks for the FALSE INFORMATION /.

[greymond]

Thanks you made me laugh with this article.
http://www.snopes.com/crime/warnings/hotelkey.asp [snopes.com]

The key cards at hotels don't hold anything but the room number and number of nights it needs to work.

Hay since I can check out in the mornings using the television does that mean the TV holds all my CC info too?

Read up and use some common sense before posting an article. kthx bye.

Sigh...

[JLavezzo]

1. Article is about a hotel that DOES this. Therefore, we're talking about it happening.

2. Snopes article has been revised a few times over the last several years. So, some of the information is older than other parts of the information.

3. "One of the difficulties in dealing with crime-related warnings is trying to distinguish between common occurrences to which the average person is likely to fall victim, and circumstances which are possible but have rarely (or never) played out in real life." from the Snopes article.

4. The Snopes article quotes a security expert who tested 6 cards at a security conference. 3 contained personal information, including one with a credit card number.

My experience at Walt Disney World is that the room key can be used in a credit card swiper and charges the card used to reserve the room. I still have this key card. If I ever get a stripe reader, I'll check.

The point of the Snopes article isn't that you will never find a CC number on a key card. The point is that they are not aware of this as an ACTUAL security threat. There's no reason that can't change in the near future, of course.

This "news" is bogus

[janoc]

An internet myth: Snopes [snopes.com]

Re:This is why...

[bedroll]

Let's have a reality check here.

First, I want to say that I've worked at a hotel (night auditor/clerk). We had a VingCard system when I was there and at no point did any personal information hit these cards. I know people who work at hotels with slightly more advanced systems, and none of them store any personal information. They just store the room and duration.

I won't say that such cards with personal information don't exist. I will say that they aren't the norm. Let's look at this from a realistic standpoint though:

• If your hotel doesn't allow you to use your card to charge things to your account then you probably have nothing to worry about. Why would they include any personal information if you can't use that card for anything but entry to the building and your room?
• Even if your hotel does allow this, what benefit do they gain from having your information (more than your room) on the card? Obviously the payment system must be hooked into the registry somehow, so why wouldn't they just store the room number/unique id to make the link? Wouldn't it be MORE work for them to link it back if they use your information instead of theirs?
• Let us say that these cards are in a lot of places, why are we worried about them when folios are normally plain text and stored in paper format somewhere on the premises? You don't know what happens to these records. Normally they just get locked in a storage closet for a while until they get thrown out.
• I hope you don't ever buy anything online. I'd venture to guess that it's much more common for poor security practices to be used on billing databases for e-comm than it is for hotels to embed your billing info on your keycard. For that matter, if you have a CC you probably use it all over the place. The receipts are normally poorly handled and not very secure. Point being that your CC information is rarely secure, and that includes places that also get your address.

This seems like much ado about nothing. It's a fairly low risk scenario when compared to all the other ways to get at this information. Who's going to sit around at these hotels and swipe cards looking for embedded information? If they did, don't you think the CC companies would eventually catch onto how it was happening, or at least that it was just a few hotels?

I'd ask how my information was being shared if they said that I could use my keycard to pay for things. If there's nothing like that, I wouldn't worry about it. Depending on the situation, I might keep the card. Normally I just turn it into the clerk, who has access to all the information on it anyway.

If you do keep your card, perhaps you should consider keeping it under your tinfoil hat.