By Chad Upton | Editor
I’ve been saving hotel key cards for years because I want to see exactly what is on them.
Years ago, somebody told me that hotel room access cards contained personal info and credit card data. The rumor was that this info was necessary for you to charge items to your room during your stay.
I recently got my hands on a magnetic card reader and started swiping all my old cards. The results fit into three categories.
1. 77% of all the cards could not be read at all. This should not be a surprise to anyone who has ever stayed in a hotel with magnetic card keys; some are notoriously poor at holding their magnetic charge. Another reason they may appear blank is that some systems use non-standard data encoding which make it difficult for an ISO card reader to extract information. Whether the charge is weak, distorted or proprietary, specialized card readers may be able to extract data from these cards. Still, that data would likely fall into one of the two following categories.
2. The information on the card is encrypted or written in a proprietary format. 8% of the cards did yield data of this sort. This makes it extremely difficult to see the meaningful data. Even if you could decode the data, it would still likely fall into category three.
3. Most of the data on the card is unreadable to humans. The other 15% of cards were in this group. The only numbers that could be recognized on any given hotel card were the expiration date, which I was able to match up with my checkout dates from old travel confirmation emails. The expiration date is used by the door lock to ignore your card after you’re supposed to be checked out. If you’ve ever tried to get back into your room after checkout time, you have seen this in action.
Here’s what the data on a hotel card looks like. I highlighted the expiration date which is in yy/mm/dd format:
1122725628023063=1012051500001742
From my research, the remaining numbers on the card can include the room number itself, although I didn’t see any cards where this number was evident, along with a code the door lock uses to grant access to the room and sometimes a code used for billing charges to your room. Generally, the door locks are battery powered and don’t have a link to the reservation computer — the key cards are the only external source of data used to unlock the door.
In many cases, if you watch the hotel employee program your card at check-in they use a standalone device that is completely separate from their computer system. The room number, nights of stay and number of cards being issued are punched in before they program your card. If the card programer is integrated with the computer system then it’s likely just to improve speed and reduce human error since the agent wouldn’t have to manually enter your room data.
Card programmers that integrate with the computer system are also popular at resorts where the key card can be used to make room charges. Your actual credit card info is not on the card. That is against the policy of most credit card companies, not to mention it’s unnecessary. As long as the card identifies you, the charges can be added to your bill. I scanned a couple resort cards which could be used for room charges and found no personal data.
The door locks themselves often store a log of which keys accessed the room and when. So, you should still treat your card with care and let the staff know if it’s lost or stolen. You wouldn’t want somebody else to access your room with your key since the log just knows which key was used, not who used it. The hotel staff typically have a unique key so they can be differentiated from you in the log.
The idea that these cards do contain personal info seems to be a myth perpetuated by a misunderstanding of a credit card fraud presentation that suggested any type of magnetic card could be programmed with stolen credit card info. That said, there are some specific claims of personal info being found on hotel key cards. The Pasadena, California police department mentioned one case in it’s retraction about a previous email indicating hotel key cards could be an identity theft risk. The other case was reported by Robert L Mitchell at Computerworld. For legal and business reasons, his source could not provide proof or indicate the names of the hotels where he claimed to find personal info on the key cards.
There is truth to the idea that the cards could have personal data written to them. Technically, you could write any type of data to magnetic cards. In fact, I scanned every magnetic card I could find: credit, debit, loyalty club, membership, etc. All of my bank related cards and one of my airline loyalty cards did have my full name programmed into the magnetic strip.
I wasn’t too worried about that since my name is also on the front of these cards for anyone to read. I shred anything personally identifiable before I throw it out and these cards would be no different. I didn’t find any cards with any personal info magnetically programmed on them that wasn’t also on the front.
All of my results, including the exact percentage of readable cards, match up with Robert L Mitchell’s findings at Computerworld.com. Robert interviewed a number of industry experts and they stated that it is extremely unlikely that any travelers in the US would find personal private information on their hotel key cards. That’s not to say it’s impossible, but they weren’t convinced the probability was high enough for anybody to worry about it.
While most experts agree that current systems are likely very secure, there is suspicion in the industry that very old card key access systems from years past may not have been as secure and these systems may have included personal information on the cards. Although there are a couple unproven claims to the contrary, I cannot find any demonstrable proof that hotel key cards have any personal info on them.
Broken Secrets | Facebook | Twitter | Email | Kindle
Sources: nytimes, consumer affairs, Computerworld (2005, 2006), snopes.com
