Shark Bait

Knowledge Centers

Operating Systems

Networking & Internet

Mobile & Wireless

Security

Storage

Business Intelligence

Servers & Data Center

Computerworld Reports

Industry

See your link here

Robert L. Mitchell

Reality Check

Hotel card reader facts and fiction

10 comments

IT TOPICS:Security

The earlier report in this blog that a director of IT equipped with a card reader found his personal information stored on his hotel key on several occasions has been met with much concern - and more than a bit of skepticism.

Readers point to the Snopes.com Card Sharks article as proof that this story is an urban legend. But a Slashdot user cautions that the Snopes article may not be the whole story.

Others have pointed to Jane Ann Morrison's 2003 article, Hotels can't erase myth about credit card information on room keys.

I have been in touch with Peter Wallace, the director of IT who made the statements to me a few days ago. His comments on hotel keys came up as an interesting aside during our discussion on a different subject. Wallace stated that, using a card reader, he has on several occasions swiped a hotel card key in a reader and discovered his personal information. The information Wallace says he has read from hotel keys has included his credit card number, name and address.

Wallace began receiving feedback from my initial posting at 6:00 a.m. this morning. He stated in an e-mail that he would like to respond, but is awaiting clearance from his organization's legal dept. before he can do so.

What's interesting to me is that while everyone has an opinion as to whether its possible that hotels would - either knowingly or unknowingly - store such information on a card key, only one person who posted here claims to have tried this at several hotels (without success). Given past discussions and all of the news stories going back to at least 2003, I am surprised that no one else among this tech savvy group has tried this and reported in.

Perhaps Wallace's additional comments on his observations, when the come, will clarify things a bit.

Follow up: Summary of 'Net responses in today's IT Blogwatch

Email this

Digg this

What People Are Saying

Add new comment

This hysteria began when a

Submitted by R. Rebhan on September 24, 2005 - 1:14 P.M.

This hysteria began when a certain detective from a not-so-big city, arrested a credit card fraudster and while sorting through the evidence, found (in addition to counterfeit and stolen credit cards)"white plastic" and hotel room, key cards. The mag strip on all cards is essentially real-to-real recording tape. Obviously, this tape can have information recorded on it. When a thief with "skimmed" account numbers needs a vehicle to carry a stolen account number into a store, the number can be encoded overriding the original information on any card. The detective, who in the case started this fear, had a card reader and found credit card information on a hotel key card. It was put on the card by the arrestee who had been encoding his miscellaneous plastic with his own equipment. A district attorney in the detective's city went public with this and you see the result.
I have been been involved with the credit card industry and law enforcement for many years, and have analyzed POS ops for the lodging industry for almost twenty, and to my knowledge there is no link between authorization terminals and access key terminals (other than resorts that have a link for guest expense accounts to the guest room)
Hope this helps.

Report this comment

Actually this is quite true

Submitted by Anonymous on September 23, 2005 - 1:48 P.M.

Actually this is quite true of some hotels. I have been doing this for a couple years and have noticed that things are actually getting better. A number of hotels have ceased the practice. The types of hotels that I found this info on usually range from the 3-star to 5-star hotels - usually the lower quality hotels did not bother spending the money on newer systems that would enable this 'feature'.

Personally I do not understand what the major fuss is considering how many times people hand that same credit card to some unknown clerk or waitress and the card is taken our of their line of site for various periods of time. To me that is as big as or bigger risk than the hotel key. At least you can take the key with you for disposal - it is much harder to keep site of that credit card you surrender for payment.

Report this comment

Until Peter's process is

Submitted by Anonymous on September 23, 2005 - 10:13 A.M.

Until Peter's process is duplicated, we have to look at his results with skepticism. Forget the legal department, if we know what kind of card reader he used, then we could all get one and try it for ourselves. And tell us about the hotel as well. Was it a 1 star "no-tell-motel" or a 5 star Marriott? Scientific Process is a beautiful thing unless you're trying to perpetrate a hoax.

Report this comment

It's BS until you name the

Submitted by Anonymous on September 21, 2005 - 9:51 A.M.

It's BS until you name the hotel chains. Give them a chance to respond.

Report this comment

RE: "[Peter Wallace]

Submitted by Anonymous on September 21, 2005 - 9:38 A.M.

RE: "[Peter Wallace] stated...that he would like to respond, but is awaiting clearance from his organization's legal dept. before he can do so."

This is a pretty strong indication that it's all cr_p. Wallace hasn't named his employer anywhere, or said they were involved in any way, so they have no liability or business interest in this matter. I think he made the whole thing up. Ask him what brand of card reader he used.

Report this comment

Yes, Peter Wallace DID in

Submitted by Anonymous on September 22, 2005 - 8:22 A.M.

Yes, Peter Wallace DID in fact, name his employer. "IT director at AAA Reading-Berks in Wyomissing, Penn" What difference does it make WHAT kind of card reader he used?

Report this comment

While I would like to

Submitted by Anonymous on September 21, 2005 - 9:24 A.M.

While I would like to believe that the information contained on a room key is strictly the key code for my room, I have no way of knowing for sure. I would think that with the prevalance of phishing now, that we would have heard more about these 'dangers' in the media.

I tend to beleive that there really isn't any truly valuable info on my room key, or some unscrupulous person would have had it already.

Report this comment

I've been a CIO in the

Submitted by Anonymous on September 21, 2005 - 12:33 A.M.

I've been a CIO in the hospitality industry for over 12 years (including, most recently, over eight years in a large Las Vegas hotel/casino), and no system I've come in contact with has ever written credit card info to a room key. Some systems allow the hotel to encode other information on other tracks, but not credit card info. For instance, in addition to room key info, some casinos encode their slot club or frequent guest number on a separate track so the customer can use their room key in slot machines or for ratings on table games. Hotels can also encode room charge info on the keys to allow the customer easier access to room charges while in their various restaurants and retail outlets. There really is no reason for a hotel to encode a credit card number on a key that I can see.

Report this comment

"I am surprised that no one

Submitted by David Hakala on September 20, 2005 - 11:32 P.M.

"I am surprised that no one else among this tech savvy group has tried this and reported in."

Especially not the guy who "reported" this BS in the first place! :q

Report this comment

Virtually all hotels card

Submitted by Anonymous on September 20, 2005 - 8:42 P.M.

Virtually all hotels card key system is seperate from the billing computer. There is no cross over of personnel data, only a room number that the key will unlock.

Report this comment