Unencrypted Information Stored on Hotel Key Cards

If Peter Wallace’s recent experience with hotel access cards is an indicator, leaving your electronic hotel room key behind when you check out could leave you open to identity theft.

Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn. has been bringing a card reader with him on business trips to see what’s on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information – and in unencrypted form.

What’s scary is how easy it is for even a novice to steal this information. He says he bought a $39 card reader at a local retail store and plugged it into his laptop’s USB port. Now when he scans a card, the device inputs the data directly into an open Excel or Word document.

Wallace does mention that it isn’t all hotels that are doing this, and he declined to name the three that he discovered were, but just a word of caution for you travelling folks out there. You may want to carry a strong magnet with you in your travel bag to wipe out the card when you leave the hotel.

Source: Computerworld via Lifehacker

This entry was posted in Scary. Bookmark the permalink.
  • Treehugger

    Good tip Vinny. I stay in hotels almost every week and this is really alarming.

  • http://www.hauntedparsonage.us/blog/ Chuck

    This is just incredible. I’d think they’d just have a unique ID, generated when you make your reservation, that would track any “swipes” back to their main system.

    1. This is much more information than they need to store – a unique ID, coupled with the information about where the card was “swiped”, is all that’s needed.

    2. It makes the system itself more complex than it needs to be.

    -cjb-

  • Neil

    I’m the Assistant Director of Security for 2 Holiday Inn hotels & 1 Four Points by Sheraton. No personal info is encoded onto our key cards. Just the room number, starting date & time & expiry date & time.

  • http://www.insignificantthoughts.com Vinny

    Thanks for that piece of information, Neil. I think I’m going to start having my readers send in used cards and I’ll start experimenting. I have a feeling we’ll be surprised what we find. :shock:

  • http://www.epyon-1.com/blog S.D.

    Covererd in Detail at Snopes.com. Likely an urban legend as the two lines on the Mag strip doesn’t hold that much info.

  • http://www.insignificantthoughts.com Vinny

    Except that the article on Snopes is a chain e-mail, and the article on Computer World actually contains a person’s name and such… I don’t doubt there are hotels who are doing this, and I don’t necessarily think it’s widespread, however, it is something to be aware of in the age of rampant identity theft.

  • Treehugger

    Good tip Vinny. I stay in hotels almost every week and this is really alarming.

  • http://www.hauntedparsonage.us/blog/ Chuck

    This is just incredible. I’d think they’d just have a unique ID, generated when you make your reservation, that would track any “swipes” back to their main system.

    1. This is much more information than they need to store – a unique ID, coupled with the information about where the card was “swiped”, is all that’s needed.

    2. It makes the system itself more complex than it needs to be.

    -cjb-

  • Neil

    I’m the Assistant Director of Security for 2 Holiday Inn hotels & 1 Four Points by Sheraton. No personal info is encoded onto our key cards. Just the room number, starting date & time & expiry date & time.

  • http://www.insignificantthoughts.com/ Vinny

    Thanks for that piece of information, Neil. I think I’m going to start having my readers send in used cards and I’ll start experimenting. I have a feeling we’ll be surprised what we find. :shock:

  • http://www.epyon-1.com/blog S.D.

    Covererd in Detail at Snopes.com. Likely an urban legend as the two lines on the Mag strip doesn’t hold that much info.

  • http://www.insignificantthoughts.com/ Vinny

    Except that the article on Snopes is a chain e-mail, and the article on Computer World actually contains a person’s name and such… I don’t doubt there are hotels who are doing this, and I don’t necessarily think it’s widespread, however, it is something to be aware of in the age of rampant identity theft.

  • ascot

    the answer is yes and no. Not all cards will contain personal data. However some cards may contain personal data. This depends on what the hotels system has been designed to do. In the normal course there is no reason to have any extraneous data in the stripe but the room nos. However for the sake of convenience some systems simply copy the credit card data on the keycard stripe and then the sytem is designed to link up the room nos. this is a bad practise and is a risky propsition and it exposes secret data and the key card when returned can be misused. It is hence safe not to return key cards to the front desk on check out.that way there is no chance of data being compromised.
    I am a hotel key cards manufacturer and hence can say this with authority.
    http://www.hotel-keycards.com
    http://www.plasticcards-india.com