Security IT

What's On Your Hotel Keycard 416

Lam1969 writes "From Robert Mitchell's blog on Computerworld: '... Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what's on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information - and in unencrypted form.' " Update: 09/20 19:10 GMT by J : Snopes, as of two months ago, says this is false.
This discussion has been archived. No new comments can be posted.

  • Illegal? (Score:2, Interesting)

    by AndreiK ( 908718 ) <AKrotkov@gmail.com> on Tuesday September 20, 2005 @11:54AM (#13604804) Homepage
    You would think that actually using the reader would be illegal

    And they DO erase them after you check out, don't they? It could be a precaution telling you not to lose it :P
  • This is why... (Score:5, Interesting)

    by Shkuey ( 609361 ) on Tuesday September 20, 2005 @11:55AM (#13604823)
    You always keep your keycards, and you always destroy them. I've yet to have an issue with a hotel wanting it back.
  • Really a big deal? (Score:5, Interesting)

    by DeadSea ( 69598 ) * on Tuesday September 20, 2005 @11:57AM (#13604841) Homepage Journal
    Your credit card contains your name and credit card number on it in an unencrypted form. If your key card does as well, you should treat it like a credit card.
    1. It certainly would be nice for the hotel to tell you what they put on the card
    2. They should tell you to report your credit card as stolen if you lose your key card.
    3. They should securely erase or destroy key cards when you check out
    I generally trust the hotel staff with my credit card number, and I generally acknowledge that there is info about me on the magnetic stripes in my wallet. Is this anything to get upset about?
  • Re:Illegal? (Score:3, Interesting)

    by JadeNB ( 784349 ) on Tuesday September 20, 2005 @11:59AM (#13604875) Homepage
    And they DO erase them after you check out, don't they?
    Although this seems suspicious to me (it's hard to believe that as highly-motivated a work force as the desk personnel at a hotel won't slip up and forget from time to time), I guess it's true that the keys are then kept in a reasonably safe place until they are re-encoded for the next visitor. (Is this true? Is there a way to recover old information from a magnetic stripe even after it's been overwritten?)
  • by VisceralLogic ( 911294 ) <paul&viscerallogic,com> on Tuesday September 20, 2005 @11:59AM (#13604883) Homepage
    Why do they even have that information on the card in the first place? The card is just to open your door, isn't it? It seems all it should need is some password that the door lock will recognize. It's not like the door charges your credit card, after all.
  • Re:Illegal? (Score:3, Interesting)

    by Lord Dimwit Flathead ( 668521 ) on Tuesday September 20, 2005 @12:00PM (#13604894)
    they DO erase them after you check out, don't they?

    I'd be willing to bet that most of them simply put them back on the stack behind the front desk, to be overwritten if and when they get reused. This, of course, raises another interesting question - can the information of prior users of the card be obtained with data recovery techniques? How many generations of data could one conceivably extract from a single keycard?
  • Re:Illegal? (Score:3, Interesting)

    by servicemaster ( 903088 ) on Tuesday September 20, 2005 @12:01PM (#13604898)
    Hotel cards aren't for your convenience, they are for the hotel's convenience. An easy way to create and distribute keys to rooms, keeping out only the most simple thieves...
    Easy to distribute master cards to maids, easy for them to tell how to bill you by just the card.

    Think about it, if your computers went down, and all you had were your customers keycards... they want to be able to bill you no matter what.

    They don't care about your security/safety, it's just the convenience for the hotels.
  • by stuckinarut ( 891702 ) on Tuesday September 20, 2005 @12:01PM (#13604899)
    You often hear about people that have had their ATM cards wiped by the magnets used to disable the security tags in stores. Many stores have 'Don't place cards here' signs to prevent this. If the hotels had 'Please place keycards here' on a similar magnet when you sign out then that would wipe them and problem solved.
  • I want one, where can I order it from?
  • Paranoia? (Score:2, Interesting)

    by -Grover ( 105474 ) on Tuesday September 20, 2005 @12:04PM (#13604928)
    Maybe I'm just a skeptic, but I'd really enjoy to see some sort of facts, or even a sentence or two about what sorts of places he actually tested, and what % of them came back with discernible information. The fact that he found it in 3 chains hardly means that things are worth panicking about.

    Granted, I've never checked, but I'd find it hard to believe that the large national chains (Marriott, Hilton, Accor, etc.) put your credit card number on your room key, and nobody has made a giant fuss about it yet. Guess it's time to go check my latest Courtyard key and see for myself.

  • by InfiniteWisdom ( 530090 ) on Tuesday September 20, 2005 @12:04PM (#13604937) Homepage
    All Snopes claims is that this isn't a widespread phenomenon. Presumably different hotels have different policies, and it's entirely possible that the hotel mentioned here does it while others don't.
  • Urban myth? (Score:2, Interesting)

    by RapmasterT ( 787426 ) on Tuesday September 20, 2005 @12:17PM (#13605075)
    This article reads almost word for word like an urban myth email chain letter that went around a while back; it sounds like this guy is just repeating it and putting himself in the story.

    Sure it's possible to put any kind of data you want on a magnetic strip, but you might as well worry the hotel is printing your PII data on sheets of paper and tossing them out the back windows. What possible reason would they have to put info like that on the keycard??

    I'm not buying this story, not even a little.

  • Re:Illegal? (Score:2, Interesting)

    by Cerdic ( 904049 ) on Tuesday September 20, 2005 @12:17PM (#13605077)
    I saw an episode of 20/20 or a similar show on one of the networks some years back. They tried keeping an old key and then they had someone check into the same room they had. They found that the code wasn't changed and that the old key could be used to gain entry into the room after someone else had checked in with a supposedly new key code.

    Knowing that, it's not far fetched to assume that they are sloppy about erasing data on the cards. Then again, it seems that people throw them on the ground most of the time anyway. I guess stolen credit card info would count as a harsh fine for littering ;)
  • Re:Necessary data (Score:2, Interesting)

    by Fishstick ( 150821 ) on Tuesday September 20, 2005 @12:20PM (#13605114) Journal
    Sounds like a good premise for a MythBusters episode.

    They had one a while back where the myth was that credit cards could be 'erased' by things like refrigerator magnets and magnetic money clips.

    They got a reader/writer, hooked it up to a laptop, programmed a bunch of blank cards and then tested various magnetic sources to see what it took to make the card lose its information and/or become unreadable/unusable. Not surprisingly, it took a fairly strong field to mess things up.

    I could see Jamie and Adam checking into hotels and then taking the key cards back to the shop to see how hard it is to crack (though they should get Kari to pose as the hotel guest or something).
  • by Chan Jav ( 67520 ) on Tuesday September 20, 2005 @12:52PM (#13605497)
    My existing lock system only encodes the check-in date, the check out date, the number of keys (1 of 2, 2 of 2) and a sequence number.

    On the date of check out the key will stop working at 3:00 PM. If you check out early, your key will continue to work until 3:00 PM on your check out date. But if I check someone else into the room and create them a new key, when they open the door, they will advance the sequence register on the door lock and all prior keys will stop working.

    My system has the ability to put the guest's name on the card, but in order to do this the card must be made directly by the key system. This only happens when I make master keys for employees. Guest keys are processed through an interface between my Front Office system and the key system. As a result no name is transmitted and when I read the key it will list the guest name as Guest.
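
The lock behaviour described in the comment above, modelled as an added example (not part of the original comment and not any vendor's code). The field names, the rule that any key with a higher sequence number advances the lock's register, and the sample dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date, datetime, time

CUTOFF = time(15, 0)  # keys stop working at 3:00 PM on the check-out date

@dataclass(frozen=True)
class GuestKey:
    # Only the fields the comment lists: no guest name, no card number.
    check_in: date
    check_out: date
    key_number: int   # e.g. 1 of 2
    key_count: int
    sequence: int

class DoorLock:
    def __init__(self, sequence):
        self.sequence = sequence  # the lock's sequence register

    def try_open(self, key, now):
        if now.date() < key.check_in:
            return False  # stay has not started
        if now >= datetime.combine(key.check_out, CUTOFF):
            return False  # expired at the check-out cutoff
        if key.sequence < self.sequence:
            return False  # superseded by a later guest's key
        # Assumption: any key with a higher sequence advances the register,
        # which is what locks out every earlier key for this door.
        self.sequence = key.sequence
        return True

def replay():
    """Constructed scenario: guest A leaves early, guest B gets the room."""
    lock = DoorLock(sequence=41)
    key_a = GuestKey(date(2005, 9, 18), date(2005, 9, 20), 1, 2, 41)
    key_b = GuestKey(date(2005, 9, 19), date(2005, 9, 21), 1, 1, 42)
    return [
        lock.try_open(key_a, datetime(2005, 9, 19, 10, 0)),   # A still valid
        lock.try_open(key_b, datetime(2005, 9, 19, 16, 0)),   # B advances register
        lock.try_open(key_a, datetime(2005, 9, 19, 17, 0)),   # A now locked out
        lock.try_open(key_b, datetime(2005, 9, 21, 14, 59)),  # B before cutoff
        lock.try_open(key_b, datetime(2005, 9, 21, 15, 0)),   # B at cutoff
    ]

if __name__ == "__main__":
    print(replay())
```

Until guest B first uses the new key, guest A's key still opens the door, because the register only advances when the lock sees the higher sequence number.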
  • by Kadin2048 ( 468275 ) <slashdot.kadin@xo x y . n et> on Tuesday September 20, 2005 @01:25PM (#13605932) Homepage Journal
    It's sort of odd, that at first there was this urban myth saying you needed to worry, and then Snopes "debunked" it, and now we have good evidence from a person who actually took a card reader and checked some cards (as opposed to Snopes, who just called Doubletree, apparently), saying that the original hoax actually was on to something, after all.

    None of this changes the Slashdot article at all, assuming that we trust the author to not be fabricating his results with the card reader completely (and I have no reason to believe that).

    I think instead we just have a case where reality imitated art a little too closely -- the art in this case being that hoax, and reality being the stuff the hotels are putting on your card.
  • by Thumper_SVX ( 239525 ) on Tuesday September 20, 2005 @02:52PM (#13606838) Homepage
    Really. Despite the fact that this has already been identified as a probable urban legend by Snopes, I ask everyone on this site to think of this like an engineer.

    Think about this. You're designing an electronic key-card system for a hotel. In order to do this you have to deal with lobby-monkeys who only occasionally swipe the card correctly through the machine when the customer's checking in. These cards are going to get shoved in pockets, scratched and generally abused.

    Now, as an engineer are you going to create a solution that (a) writes to the magnetic strip for every person who checks into the hotel, running the risk that the card runs through skewed or otherwise renders the information unusable, or (b) are you going to assign each card a unique ID number similar to a credit card number that's permanently printed on the card repeatedly across the magnetic strip.

    Talk amongst yourselves, but think about the fact that a mag-stripe WRITER costs more than a mag-stripe READER. If you control the locks from a central computer which only has to recognize that card (a) opens door (z), then how are you going to engineer that system for optimum efficiency and lowest cost?

    While I don't doubt some droid might consider it a nice idea to have all the customer's info on the card, it doesn't make an awful lot of sense from an engineering perspective now, does it?

    And yes, I've worked on hotel key card systems, and no I've never seen one that writes the cards in any way shape or form on check in.
  • URBAN MYTH ALERT (Score:5, Interesting)

    by Thurmont ( 712483 ) on Tuesday September 20, 2005 @02:59PM (#13606920)
    Here are sites detailing this myth...

    http://www.truthorfiction.com/rumors/k/keycards.htm [truthorfiction.com]
    http://www.breakthechain.org/exclusives/keycards.html [breakthechain.org]
    http://www.trendmicro.com/vinfo/hoaxes/hoaxDetails.asp?HName=Hotel+Key+Card+Hoax&Page=4 [trendmicro.com]

    I'm surprised this one passed thru Slashdot's editorial staff.
  • by Khyber ( 864651 ) <techkitsune@gmail.com> on Tuesday September 20, 2005 @03:34PM (#13607394) Homepage Journal
    False information, nothing.

    Having just called my buddy who's a manager at the Hampton Inn nearby, he told me "Yes, we do put all that info onto the card. It serves as a way to track the person who owns it, where it's been used in attempts to access areas, and as validation that the room is still open and the card is still valid to our computer systems. It also tells us when the card is used for entry, and allows us to contact the person if they're in the room."

    So false information? For some hotels, possibly, but not for that particular one I just called. Perhaps you should call around hotels and just do a brief checkup on what they do/do not put on the card. I think I'll be doing this so I can determine a more secure hotel to stay at whenever I'm out of town.
  • by JourneyExpertApe ( 906162 ) on Tuesday September 20, 2005 @04:21PM (#13607985)
    What the Snopes article says is that personal information has been found on a few card keys in the past, but all of the hotel chains contacted by Snopes flatly denied putting any personal information on their cards. Furthermore, it states that according to the vendors contacted, the software to write the keys is not configured to allow hotel employees to include any personal info on the cards. So, basically, it's probably not a widespread problem, but it has happened. Also, there's no information that one of these cards has been used for identity theft. So this "urban legend" is "false" in the sense that information such as credit cards has been found on cards, but it shouldn't be a big concern (according to the non-paranoid author of the article.)

    What I found more disturbing, however, was this passage by the Snopes article author:
    Moreover, monitoring and logging how often (and exactly when) a particular room has been entered is much easier with a keycard system than with standard lock-and-key systems (a valuable feature when trying to investigate claims of theft from hotel rooms).
    It never occurred to me that hotels might have a record of every time you opened your door.
