Swipe here to steal ID

The potential for personal

The potential for personal information to be uploaded onto magnetic hotel key cards is increased if the card cutter is interfaced to the hotel's property management system (PMS). However, in my experience there have been no incidence of the PMS coding any other information than room number and the lock-out time noting the guest's stay. My suggestion is that hotel operators (1) verify that personal information is not coded on the key cards (2) request that guests destroy their own cards (3) provide a disclaimer on the registration cards that the protection and destruction of key cards is the responsibility of the guest.

Actually, there are two

Actually, there are two types of magnetic cards.
One is referred to as Hi-co (short for high coersive)meaning they require a high coersive magnetic force to write to them used mainly in credit cards. the other is Lo-co or low coersive cards used mainly in hotel room keycards and such. the Hi-co cards are nearly impossible to erase with an everyday magnet. A Lo-co card however is easily erasably with any sort of relatively weak magnetic field. I have personally verified however that personal information is not contained in hotel room keycards.

I managed to wipe a metro

I managed to wipe a metro card (paper with a mag strip to record the fare) with the magnet on my sunglasses holder. Actually wiped three of them by placing them in a pile next to the holder. Since they were all in my pocket, I guess the act of sliding the pile past the holder was enough to wipe the cards. Interestingly, it was a pile of about 10 cards. Only the three closest to the magnet were wiped.

I managed to wipe a metro

I managed to wipe a metro card (paper with a mag strip to record the fare) with the magnet on my sunglasses holder. Actually wiped three of them by placing them in a pile next to the holder. Since they were all in my pocket, I guess the act of sliding the pile past the holder was enough to wipe the cards. Interestingly, it was a pile of about 10 cards. Only the three closest to the magnet were wiped.

Look into a 3.5" floppy

Look into a 3.5" floppy drive and you'll find a strong magnet that keeps the floppy in place. Every time the floppy is inserted or removed the data passes through that magnetic field. Yet the floppy won't loose data because the tiny particals making up the magnetic data layer are much stronger than that magnet.

Follow-up: Summary of 'Net

Follow-up: Summary of 'Net responses to Robert Mitchell's post about hotel keycard security in today's IT Blogwatch

Back when radio stations

Back when radio stations used carts (like 8-tracks), the only way to erase them was to put them on a little electromagnet and press the button, then swipe it a couple of times on either side. This also works for audio tapes. You can probably get one of these things from a place that sells old radio equipment, or from your local radio station if they have any they're not using.

Protecting oneself from

Protecting oneself from those who would wish us harm should always be a factor in decisions made, however all should seek the truth before propagating gossip and unnecessarily frightening the majority of people. The following information was easily located at www.snopes.com.

Claim: Hotel room keycards are routinely encoded with personal information which can be easily harvested by thieves.

Status: False.

Examples:

[Collected on the Internet, 2003]

Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used through-out the industry.

Although room keys differ from hotel to hotel, a key obtained from the Double Tree chain that was being used for a regional Identity Theft Presentation was found to contain the following the information:
Customers (your) name
Customers partial home address
Hotel room number
Check in date and check out date
Customers (your) credit card number and expiration date!
When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

Simply put, hotels do not erase these cards until an employee issues the card to the next hotel guest. It is usually kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!!

The bottom line is, keep the cards or destroy them! NEVER leave them behind and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card.

--------------------------------------------------------------------------------

[Collected on the Internet, 2005]

Just received this and thought it was worth sending around — with so much identity theft going around, makes sense!!

Remember this for the future:

You know how when you check out of a hotel that uses the credit-card-type room key, the clerk often will ask if you have your key(s) to turn in...or there is a box or slot on the Reception counter in which to put them? It's good for the hotel because they save money by re-using those cards. But, it's not good for you, as revealed below.

From the Colorado Bureau of Investigation:

"Southern California law enforcement professionals assigned to Detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used throughout the industry.

Although room keys differ from hotel to hotel, a key obtained from the "Double Tree" chain that was being used for a regional Identity Theft Presentation was found to contain the following the information:

a.. Customers (your) name
b.. Customers partial home address
c.. Hotel room number
d.. Check in date and check out date
e.. Customer's (your) credit card number and expiration date!

When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

Simply put, hotels do not erase the information on these cards until an employee re-issues the card to the next hotel guest. At that time, the new guest's information is electronically "overwritten" on the card and the previous guest's information is erased in the overwriting process. But until the card is rewritten for the next guest, it usually is kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!!

The bottom line is: Keep the cards, take them home with you, or destroy them. NEVER leave them behind in the room or room wastebasket, and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card (it's illegal) and you'll be sure you are not leaving a lot of valuable personal information on it that could be easily lifted off with any simple scanning device card reader. For the same reason, if you arrive at the airport and discover you still have the card key in your pocket, do not toss it in an airport trash basket. Take it home and destroy it by cutting it up, especially through the electronic information strip!

Origins: One
of the difficulties in dealing with crime-related warnings is trying to distinguish between common occurrences to which the average person is likely to fall victim, and circumstances which are possible but have rarely (or never) played out in real life. For example, it's certainly possible that someone could kidnap a child by drugging the tot and altering its hair and clothing to disguise it as the opposite sex, but although urban legendry (echoed by movies and TV) would have us believe this is a frequent occurrence against which all parents should remain vigilant, there are no documented cases of its happening. Nonetheless, a basic warning to parents to keep constant watch over their children in open, public spaces is good advice, because the abduction of children is a real crime which occurs often enough to be worrisome.

A similar issue is involved here with the question of personal information and hotel keycards: distinguishing between that which is possible and that which is likely. In the interest of clarity we have split the status to reflect that although the warning quoted above describes a situation that is possible, no evidence has been proffered to demonstrate that it is a widespread or common occurrence, or that anyone has been victimized by criminals taking advantage of it.

Since about the mid-1980s the hotel industry has been moving away from traditional lock-and-key systems on guest room doors in favor of keycard locks: plastic cards about the size of credit cards which are encoded with information allowing them to open one (and only one) room. Keycards boost security by allowing each guest to receive a new key (the "combination" for each room is changed every time new guests check into that room) and therefore make duplicating keys pointless, and by eliminating the need to have the room number stamped on the keys themselves. (A found keycard does the finder no good, because he has no idea which room it opens. And if you lose your keycard, you can just have a desk clerk change the combination to your room lock and issue you new keycards.) Moreover, monitoring and logging how often (and exactly when) a particular room has been entered is much easier with a keycard system than with standard lock-and-key systems (a valuable feature when trying to investigate claims of theft from hotel rooms).

Now comes the warning quoted above that more than just a room number combination may be encoded on those keycards. None of the hotels we contacted (including the Doubletree chain) said they do (or even can) encode personal information on hotel keycards, nor could any of them offer a plausible explanation of how they would benefit from doing so. All of them have databases which store the very same customer information and can be accessed by using a room number as a lookup term, so they have no reason to encode anything more than basic information (e.g., room number, access code, activation and expiration dates) on the keycards themselves. (In fact, even that basic information isn't stored on the cards themselves — it's encoded as a serial number which the lock checks to determine whether or not the insert key is authorized to open it.)

According to a reader who contacted the Vice President of Loss Prevention for the Hilton hotel chain:

Certainly, modern security systems are sufficiently sophisticated that personal identifying information "could" be encoded onto hotel card-keys. To do so, however, would be pointless and would create additional work (and expense). Hotel card keys would, obviously, contain a "serial number" (to identify the individual physical card); a room number that the card is programmed to open; and the beginning and ending dates for which the card is valid. But there would be no basis whatsoever for the card to contain the occupant's name or credit card information. The VP has personally verified with their 3 access control system providers that their card keys do not contain personal identifying information.
Another reader informed us:

I have worked as a desk clerk for three hotels: Holiday Inn, Best Western and the Howard Johnson. In all cases, the TESA lock system (key-card) was not connected to the front desk computer in any way. To create a key for a guest, we typed the room number, the number of nights of the stay and how many keys we wanted to create. That's all the information that was recorded. There was no way of encoding any other information.

I would be most surprised to find out that any hotel encoded other information on the key-card. Current technology allows for guests to quick-checkout with the pay-per-view movie system on the TV, so there isn't any need to have more than the room number and length of stay on the key-card.
Even in cases where a hotel keycard can be used to purchase goods and services (e.g., at a resort complex such as Walt Disney World), guests' credit card information is not encoded on the cards themselves; the cards simply contain a flag indicating that the guest has a credit card on file with the resort and is authorized to charge purchases to his room.

This warning may have been confused with alerts about a related but distinctly different theft scheme, that of crooks stealing credit card information and then encoding that information onto hotel keycards:

It never fails. Emptying your pockets after a vacation or business trip, you fish out the hotel key you've forgotten to return. In fact, hotel key cards are unwittingly taken so often that thieves are taking advantage of public and industry complacency on the issue by storing stolen credit card information on the cards and using them like debit or credit cards.

It works like this: a thief gets his hands on a supply of key cards, either by having a hotel employee steal a batch or by buying them. The thief then uses a commercially available decoder/encoder to read information off a stolen credit card and transfer it to an innocent-looking hotel key card. Because the new generation of key cards is the same size as credit and debit cards, the key cards can then be used at ATMs and at point-of-sale swipe readers, where store clerks frequently do not watch patrons performing the transactions.

The scam recently came to light in southern California when police searched the hideouts of Armenian gang members and found a cache of key cards from a specific hotel. According to Larry Hanna, a detective in the Las Vegas Police Department's intelligence unit who works closely with Southern California police, authorities decided to read what was encoded on the cards. They came up with credit, ATM, and debit card numbers, but no room information.

Blair Abbott, a Phoenix-area detective who has been investigating this type of crime, notes that a few key cards found on a suspect will not raise the same suspicion as would several credit cards bearing different names. Having multiple hotel keys is neither illegal nor uncommon.

Abbott also believes that the scheme is causing a resurgence in the use of readers that steal information from bank and credit cards at ATM machines. His firm investigated a criminal group that devised a credit card reader that could be placed over the normal credit card slot in ATMs and other card readers. The device has all the appearances of a regular card reader, but it is distinguished by protruding from the face of the ATM by several inches. Abbott adds that clever criminals have even created their own bogus ATM machines.

When the card information is lifted and placed on hotel key cards, it can be used not only at point of sale and at ATMs but also in association with accomplices working at stores, banks, and credit card companies. Worse yet, the victim continues to use his or her credit card and will attest to having it when contacted by the credit card company, which delays detection of the fraud.

Law enforcement has had to rely on the laziness of criminals to spot the scheme, Abbott says. Carrying several cards from the same hotel arouses suspicion, says Abbott, as does punching holes in cards and attaching them to a key chain.

It is unclear how widespread the scam is, but Hanna points out that it is so well known in Glendale, California, that the police keep a reader at the booking desk to scan all confiscated hotel key cards. Abbott says that the ploy is making the rounds in New York and Chicago as well.
The same type of scheme shows up in a 2001 report on organized crime issued by the California Attorney General:

For example, a gas station in Fresno, California was being used to skim credit card information from the magnetic strips on the back of the cards during April 2001. A device was attached to skim the information from the card to another card with a magnetic strip, such as a hotel key card. An employee of the gas station was tied to an Armenian organized criminal group involved in credit card theft, extortion, counterfeit and Medi-Cal fraud.
And it also appears on the web site of the Burlingame (California) police department:

The Burlingame Police Department has received information about a new trend in the criminal atmosphere. Believe it or not, criminals are taking advantage of public and industry complacency of discarding electronic hotel card keys. Thieves have learned they can store credit card information on a key and use them like debit or credit cards.

Once the discarded hotel key is obtained, a thief uses a commercially available decoder/ encoder to read the information off a stolen credit card and transferring it on to the innocent looking hotel key. Because of the credit card size, criminals can use the altered hotel keys at ATMs and point-of -sale swipe readers where clerks do not check identification or watch patrons performing the transactions.

CRIME PREVENTION TIP: Always return your room keys to the front desk of the hotel.
However, the schemes described above don't involve harvesting personal information by reading it from returned hotel keycards; they involve obtaining personal information (such as credit card or ATM card numbers and PINs) through other methods and then using discarded hotel keycards as storage media for that information. The keycards are used as easy-to-obtain blanks, not for what they might already have coded into them. Loyalty cards issued by grocery stores (used to gain information about which products are selling at which locations to which groups of customers) or slot club cards issued by casinos (used to track the play of gamblers) could just as easily be used for this purpose.

Also, this hotel cardkey warning overlooks the plain fact that many hotel employees who have access to cardkey scanners already have the ability to look up all sorts of personal information about guests through their hotels' booking systems. Just about any hotel clerk can retrieve the records of guests and print out or write down their names, addresses, phone numbers, credit card numbers, etc. If personal information were truly encoded on hotel keycards that could be read by anyone, the biggest concern should be keeping those cards away from people who are not hotel employees. (Indeed, the warning from the Burlingame police quoted above says that hotel keycards should always be returned to the front desk, the very opposite of the advice given in the warning quoted at the top of this page.)

The Pasadena police detective who started this message has since muted the original dire warning and now maintains that personal information could have been put on keycards by mistake, and that this problem has largely been corrected:

In years past, existing software would prompt the user (employee) for information input. If the employee was unaware of hotel policy dictating that such information NOT be entered, it could have ended up on the card in error. Since this subject came up, experiments on newer cards have failed to duplicate the problem. It appears that the problem is not as widespread as it used to be in the larger chain hotels.
However, all of the hotel representatives and employees we spoke with maintained that encoding personal information on keycards is neither a former nor a current practice, and none of the access control system providers we contacted said their hotel keycard systems are configured to allow personal information to be encoded on keycards. In any event, turning up a single case of something that might have happened in the past by mistake under systems no longer in use hardly justifies a warning like the one issued, which suggests that the practice is current, ongoing, and widespread. This has since been acknowledged by the Pasadena police:

On October 6, 2003, Detective Sergeant Kathryn Jorge of the Pasadena Police Department received information from a group of Southern California fraud detectives who had formed a fraud investigations network through a local Internet carrier. One of the members of this group from another Valley agency reported that in an investigation that he was personally involved in, he came across a plastic hotel card key from a major hotel that had personal information that could potentially lead to identify theft and fraud. This information included names, addresses, length of stay, and credit card numbers. This detective took the precautionary measure of notifying the detectives in the network prior to seeing if this practice was standard in the industry.

As the investigation into this potential fraud risk continued, this information was shared with other members of the Pasadena Police Department and personnel chose to share this information with others before we could correctly evaluate the risk. This has caused a chain reaction of probably thousands of people being given this information before the risk was evaluated thoroughly.

As of today, detectives have contacted several large hotels and computer companies using plastic card key technology and they assure us that personal information, especially credit card information, is not included on their key cards. The one incident referred to appears to be several years old, and with today's newer technology, it would appear that no hotels engage in the practice of storing personal information on key cards. Please share this information with anyone who has a concern over the initial information send out to others as a precautionary measure.

There was never the intent of the Pasadena Police Department to forward this information to others before the risk was evaluated. Individuals forwarded the information as a possible precautionary note of interest only.
In many crime-related warnings, the issue is whether the activity warned against is a common occurrence, or whether it's something that is possible but not widespread. Every hotel or hotel chain contacted by those who have reported this story has affirmed that personal information is not encoded on their keycards, and even the one chain specifically mentioned in the warning (Doubletree) said they had corrected the issue:

Officials at Park Place Entertainment, Mandalay Bay Resorts, Harrah's Entertainment and MGM Mirage all said no credit card information is embedded in their cards.

"At Caesars Palace, the key cards are keepsakes," said Michael Coldwell from Park Place Entertainment. Photos of Caesars Palace in 1967 and of motorcycle daredevil Evel Knievel are featured on some. "We encourage our guests to take the card."

But no credit card information is on those cards, he insisted. The cards contain the information to unlock the room but not even the name of the customer. "If someone loses a key card at a Park Place property, your identity wouldn't be known," Coldwell said.

Harrah's Entertainment's David Strow made the same assurance.

Alan Feldman of MGM Mirage said the key contains a room number and "the equivalent of a yes or no command" to identify whether the guest can charge food to the room. If customers decide to keep their keys for safety reasons, he said that won't be a problem.

Janet Pope, spokeswoman for the Pasadena Police Department, said Doubletree had put credit card information on their cards in the past.

"We've been assured by Doubletree they realized the glitch, and they no longer capture that information," she said.
Is it nevertheless possible that personal information could be encoded on hotel keycards? Certainly, especially at a non-chain hotel — an unaware (or unscrupulous) hotel operator might mishandle personal information provided by guests. As the Las Vegas Review-Journal reported:

Deputy Attorney General Tracey Brierly saw it with her own eyes in South Lake Tahoe last month.

Brierly, a deputy attorney general in the Bureau of Consumer Protection, attended a High Technology Crime Investigation Association conference in South Lake Tahoe in late October.

The speaker asked for volunteers to provide their credit-card style room keys, the ones with the magnetic stripe. Five or six people provided their keys, and the speaker swiped them through a credit card reader.

"Two of the keys brought up a name and partial address, and another one brought up a name, address and credit card number," Brierly said. "I had no idea this was even a possibility."

Brierly said she didn't know which hotel keys had the embedded information, saying she typically leaves the key in the room upon checkout, but won't any more.
But the issue of whether this is a routine and common occurrence hasn't been demonstrated — a few hotel keycards from one presentation, all taken from the same area (and possibly even from the same hotel) don't establish this as a widespread phenomenon, nor has anyone presented any cases where hotel guests have been victimized by criminals who harvested personal information from hotel keycards.

Nonetheless, those who are concerned that they may be discarding sensitive personal information with their hotel keys, the piece of advice offered at the end of the message quoted at the head of this page is generally sound: when you check out of your hotel, you can retain or destroy your keycard. Your former room's access code will be changed before the room is assigned to a new guest, and few (if any) hotels demand that keycards be returned or charge customers who fail to do so. Just be sure that you are the one who retains or destroys the card.

Additional information:
Local Hotels Debunk Keycard ID Theft Risk
(Bend.com)

Last updated: 20 July 2005

I checked the mag strip on

I checked the mag strip on my multi-pass? Guess what! It's got PORNO on it! Yeah, man, a whole 3 millisecond blast of Nebrufarian romance! Wow, was I blown away. Oh, and a PGGB will wipe one of the strips, no questions asked. I was stirring my drink with my room key before I gave it to this hottie at -- anyway, she couldn't get into my room later on. Major bummer, woke me up and everything. You guys traveling around with stripe readers, you need to spend more time in hotels with some major babe-age, and less time with your swipe cards.

I work in a hotel and I know

I work in a hotel and I know our key computer has no connection to our main hotel computer, where the guest info is, including names, addresses and c/c info. We reuse the key cards when guests check out, so they're automatically wiped and replaced with new data. As a security measure, also, each time a key is made for a room it over-rides the previous key card once it's used in the room door. That's the way we lock-out guests who owe us money. The room keys are also coded to expire on the day of the current guest's departure at check out time. So, with the Choice hotel chain, I don't think you have any worries on that account. Like all commercial establishments, an insider with access to the guest computer has carte blanche, but unless he's quite careful, a alert manager would eventually catch him at it. I've yet to have a guest question me about this, but with so much misinformation going about, be skeptical of anyone's cries about security. They may be crying wolf.