Sep 29 2005
Unencrypted Information Stored on Hotel Key Cards
If Peter Wallace’s recent experience with hotel access cards is an indicator, leaving your electronic hotel room key behind when you check out could leave you open to identity theft.
Wallace, IT director at AAA Reading-Berks in Wyomissing, Penn., has been bringing a card reader with him on business trips to see what’s on the magnetic strips of his hotel room access cards. To his dismay, a surprising number have contained his name and credit card information, and in unencrypted form.
What’s scary is how easy it is for even a novice to steal this information. He says he bought a $39 card reader at a local retail store and plugged it into his laptop’s USB port. Now when he scans a card, the device inputs the data directly into an open Excel or Word document.
Wallace does mention that not all hotels are doing this, and he declined to name the three that he discovered were. Still, a word of caution for you travelling folks out there: you may want to carry a strong magnet with you in your travel bag to wipe out the card when you leave the hotel.
Source: Computerworld via Lifehacker
September 29th, 2005 at 10:34 am
Good tip, Vinny. I stay in hotels almost every week and this is really alarming.
September 29th, 2005 at 1:19 pm
This is just incredible. I’d think they’d just have a unique ID, generated when you make your reservation, that would track any “swipes” back to their main system.
1. This is much more information than they need to store - a unique ID, coupled with the information about where the card was “swiped”, is all that’s needed.
2. It makes the system itself more complex than it needs to be.
-cjb-
September 29th, 2005 at 9:16 pm
I’m the Assistant Director of Security for 2 Holiday Inn hotels & 1 Four Points by Sheraton. No personal info is encoded onto our key cards. Just the room number, starting date & time & expiry date & time.
September 29th, 2005 at 10:49 pm
Thanks for that piece of information, Neil. I think I’m going to start having my readers send in used cards and I’ll start experimenting. I have a feeling we’ll be surprised what we find.
September 30th, 2005 at 9:34 am
Covered in detail at Snopes.com. Likely an urban legend, as the two lines on the mag strip don’t hold that much info.
September 30th, 2005 at 9:53 am
Except that the article on Snopes is a chain e-mail, and the article on Computerworld actually contains a person’s name and such… I don’t doubt there are hotels who are doing this, and I don’t necessarily think it’s widespread; however, it is something to be aware of in the age of rampant identity theft.