I met a guy at the lobby of one hotel who cautioned me on the use of my hotel key card because other people, especially the hotel staff, can use it as a credit card. He claims to be in the security profession and shared with me the security alerts that he read in his email. The email he was referring to pertains to hotel key cards encoded with personal information.
For several years now, there has been this circulating email about the dangers of personal information encoded in the magnetic key cards of most hotels. Almost every six months, I get the same message in my inbox. This story started to thrive when hotels switched from traditional metal room keys to computerized plastic key cards. Paranoid hotel guest thought that hotels encode credit-card details on the magnetic stripe of the key cards; then, once a guest checks out and surrenders the key card to the front desk, the hotel staff clones a credit-card number and go on spending sprees.
This matter has been classified false, urban legend, a myth–but let me share some background on this one.
How this urban legend or myth originated
When investigating security related and suspected myths, we should trace the origin of the story. This one has its roots from the Pasadena Police Department (California). Incidentally and ironically, the origin of this was a group of police detectives who organized a fraud investigation network thru the Internet. On October 6, 2003, one member shared to the group that while actively participating in an investigation, he came across a plastic hotel card key from a major hotel chain that had personal information like names, addresses, length of stay, and credit card numbers. Motivated to take precautionary measures, he notified his fellow detectives in the newly organized network without checking more about his findings and the risks.
The shared news took a life of its own which is typical when shared to internet networks or e-groups. With the same fervor of sharing security tips and warnings, this news spread worldwide not like a nuclear explosion but a faster and recurring virus infection. People open their email and usually, by reflex, forward to all their e-groups and everyone else in their contact lists without actually verifying the facts. Even if they did, where can they find the facts to counter the claims?
A lot of people think of credit card each time they see magnetic stripes in a card.
About key cards and hotel guestrooms locks
Typical keycards have magnetic stripe or magstripes which make them appear as credit cards. It’s not only the credit card that uses magstripes but also tickets and driver’s licenses. Magnetic stripes can basically store any data within the bounds it is designed for. They are extensively used in hotels, resorts, and large lodging houses around the world. Their practical security features makes them the preferred choice.
Hotel guestroom door locks nowadays may also use smart card, radio frequency identification (RFID), or other contact-less technology which were not yet available in the open market when the Pasadena Police shared fraud investigation notes.
As of today, as started by Pasadena detectives, hundreds more of detectives and security consultants continue to believe that personal and credit card information are still included on the hotel keycards. Embarrassingly, a number of security officers still forward emails of this content.
Some say that the card singled out in 2003 was an antiquated sample and replaced by technology. I suspect that the Pasadena detective mistook a credit card for a hotel keycard or he saw a magstripe prototype card that has that information embedded.
Granting it was the latter, the detective still need a special card reader to know the card’s information details. Did he have that opportunity to verify the contents himself or he may heard a briefing that magstripes can contain information like what he quoted: name, address, length of stay, credit card information? I certainly doubt if he investigated further because if he thought of verifying, he would not have considered the key card to have credit card details in the first place.
Why the fear for Identity theft?
Most people assume that once the personal details and credit card are encoded in keycard, they are more open to identity theft. Unfortunately, some law enforcers and security officers carry the same belief that spurned false credence to the fear. Identity thief is more likely to happen at point of sale or at restaurants where one can’t see what is being done to his credit card. I once caught red-handed a cashier cloning credit cards of guest in a fine dining outlet. The clone cards are not key cards but blank credit cards.
Some people thought that any hotel employee could get credit card information by using your hotel keycard, or taking out some key cards and use them on a shopping spree. This could not happen because there is no credit card information on the magstripe. It does not even contain the name of the guest but scrambled information on room number and check-out time which is also the expiration date and time of the card.
In the first place, how can a hotel employee get your credit card details if you don’t give to them such details? Granting you use your credit card at check-in and the front office staff tries to clone your credit card to your key card, then you should be thankful that you got two credit cards. However, you’ll be frustrated only because key cards use only one of the 3 tracks of the mag-stripe. Key cards cannot accommodate the credit card details. Moreso, the only device to read the hotel key card is the proprietary reading device installed in restricted areas of the hotel. (Note: I am just assuming that hotels are securingsuch machines just like in my previous hotel)
Hotel front office staff are generally composed of honest and competent gentlemen and ladies.There is no reason for hotels to store personal or credit card information on a key card. The key cards are designed to store only the encrypted data on check out date and time, and the encrypted data of the door locking mechanism paired to it. The data in the card automatically expires when check-out time is reached. This is not only a security measure but also to prevent guests from entering their room when they are supposed to have checked out already.
Why no reason to be scared of
Computerworld magazine also investigated this story. Their staff collected more than 100 key cards and tried to extract any information off them. Even with the use of sophisticated card reading devices, they did not find any identifiable information on any of the cards. SecurityMatters Magazine tried to verify all my collection of key cards for the past ten years from more than 40 hotels in several countries. But the cost of card reader is far more expensive than any credit card limit. So why would someone invest on a crime with lower returns?
What to do
If you are still not convinced, then do not return the card. Destroy it. If you want it as souvenir, demagnetize it by running a magnet over the stripe. This is enough to disable the card. But if you are convinced, return the card for reuse. It is good for the environment.