Hotel smart cards: no key to personal data



Here's an urban myth that refuses to die: Hotel card keys are gold mines for identity thieves, who extract credit card numbers and other personal nuggets from them.

This rumor, generating millions of Internet postings in recent years, is based on a thin premise at best.

Now it's been convincingly debunked by Computerworld, a Framingham, Mass.-based weekly trade tabloid for information technology professionals.

The publication challenged a top maker of magnetic card readers to find personal data on 100 room-card keys -- from Hilton, Holiday Inn, Sheraton, Westin and other major chains -- collected by staff members in their travels.

The result? Nada.

Even when scrutinized by a scanner the size of a stove top, the cards yielded only indecipherable strings of numbers and letters, said Terry Benson, engineering group leader for MagTek Inc. in Carson, Calif., who did the tests.

Card-key systems at hotels keep secrets. They can monitor the comings and goings of staff, bill guests for restaurant meals and spa treatments, operate slot machines in casinos and more.

And in the future, you may be able to open your room door remotely, perhaps by waving a card or pointing your Bluetooth-enabled cell phone at it. At the front desk, a clerk you have never met may greet you by name, gleaning your identity -- and room preferences -- from a wireless pickup of biometric data.

All this technology is being perfected; indeed, some of it already is in place at a few sites.

For now, the basic magnetic-stripe card reigns as the king of room keys, used by most of the hotel industry, said Brian Garavuso, chairman of the technology committee for the American Hotel & Lodging Association in Washington, D.C.

The cards are popular because they are cheap, Garavuso said, so there's little incentive to find a substitute.

"We assume all the guests are going to walk off with them," said Thomas Spitler, vice president of front-office operations and systems for Hilton Hotels Corp. in Beverly Hills, Calif. "If we get them back, it's a bonus for us."

And what happens if someone walks off with your card key?

That question has spun a web of anxiety that may stretch back to 2003. That fall, a detective from Pasadena, Calif., attending a seminar was told that another agency's investigators had found names, addresses and credit card numbers on hotel card keys. She alerted other detectives to the possible danger, causing a chain reaction of rumor.

Later investigation showed that such personal data were not coming from hotels, but possibly from crooks who loaded information onto the cards, said Janet Pope Givens, spokeswoman for the Pasadena (Calif.) Police.

What happened next is a testament to the power of the Internet: The identity-theft rumor raced around the globe.

"For two weeks straight," Pope Givens said, "we did nothing but answer calls about key cards worldwide."

In response, the department posted an explanation on its Web site. (It's still there.) The furor died down, but Pope Givens says she still fields calls in spurts.

The rumor's latest revival was last fall, when an IT director at a travel club in Wyomissing, Pa., told Computerworld that by using a standard swipe-card reader he had read personal information on hotel card keys.

When Robert L. Mitchell, Computerworld's national correspondent, posted the report on his blog, it drew 50,000 page visits within a few days, he said.

That interest, plus e-mailed responses replete with conspiracy theories, Mitchell said, inspired him to enlist MagTek's Benson to put the cards to the test. The results were published Jan. 16 in Computerworld.

The bottom line, according to Mitchell's article: "Most key cards aren't readable because electronic lock systems use proprietary encoders and readers." Those that could be read yielded, at most, alphanumeric strings or binary data, all unintelligible.

Even if you could decode the cards, industry experts say, you wouldn't find much there.

Typically, Hilton's Spitler said, a magnetic-stripe card key carries the combination for a room's door lock and an expiration time based on your planned checkout.

A magnetic-stripe card can't contain much data. Typically, it can hold 100 or 200 characters, MagTek's Benson said, compared with 1,000 or more characters on microprocessors embedded in so-called smart cards.

Jane Engle writes for the Los Angeles Times.

Baltimore Sun Articles
Please note the green-lined linked article text has been applied commercially without any involvement from our newsroom editors, reporters or any other editorial staff.