SAN FRANCISCO — Every once in a while, an email or Facebook posting makes the rounds sounding alarms over the supposed danger of used hotel card keys. To stay safe, the reasoning goes, travelers must carefully dispose of them.
To test whether a lost hotel key contained valuable data, say the number of the credit card you used to pay for the room, USA TODAY took a stack of used hotel key cards to the Black Hat computer security conference in Las Vegas recently and had an expert see what exactly they contained.
“You’ve got nothing to worry about. There’s nothing on here at all except the room number and a date field,” said Mickey Shkatov, a security researcher at McAfee, after he methodically swiped them all through a card scanner he’d brought along. “All clear,” he said.
The origins of the scare go back to a notice sent out by a California police detective over 15 years ago claiming that hotel card keys could contain a hotel guest’s name, home address and credit card number and that the information stayed on the card until the hotel overwrote it for a new guest.
An investigation by Snopes.com found that the presentation the detective had seen actually featured a blank hotel card key which had been used by cybercriminals to store stolen information about a victim and was in no way connected to a hotel.
Not that hotel card keys should be left lying around where anyone can get to them. Next, Shkatov asked to see the key for the hotel I was staying at during the conference.
“Now this I can do something with, I think,” he said.
He ran my key through the card reader, tapped a few keys and then ran one of the blank cards he’d bought on eBay through the machine.
“Try this when you get back to your hotel,” he told me.
The cloned key worked perfectly throughout my entire stay.
Least privilege, most security
The credit card-sized plastic keys used by most hotels today contain at most four pieces of information — which room the key is for, when the key can begin opening the door, when it should stop working, and, sometimes, a guest number.
When the desk clerk types furiously into their key coding machine and then swipes the card through, that information is being transferred to either the magnetic stripe on the back of the card or, in newer cards, the chip embedded in it.
When the guest inserts the key into the room’s door lock mechanism, the key tells the lock that it’s meant to open the door to that exact room, when the guest can begin occupying the room and when they have to have checked out, said Christopher Balch, with Maglocks, a lock system company based in Amsterdam, N.Y.
In many ways, hotel key cards are a great example of what the computer security world calls “least privilege,” the concept that to maintain security a system should have only enough privilege to access the information it needs to get its work done and no more, said Steve Grobman, McAfee’s chief technology officer.
“For a hotel key card, it should only have the data on it that it needs to do its job. For example a time stamp, so if you’re in the room from Monday to Thursday and you try to use that key on Friday, it doesn’t work,” said Grobman, who oversaw the card-testing.
Sometimes, systems also include a guest number that lets the software track who’s gone in and out of a room.
“It’s not really a name, it’s just an encoded guest number which maps back to the software for the lock system. It gives you an audit trail so you know who accessed the room,” said Balch.
Cheaper, better keys
Most hotels stopped using actual metal keys because programmable cards are cheaper and more versatile. With a metal key, a guest who forgets to return it could open the door to their room days or even weeks later, meaning the hotel might have to go to the expense of changing the room’s lock.
Metal keys are also expensive to replace, while the plastic key cards can go for as little as 10 cents if they’re magnetic stripe and around $1 per card if they contain a smart chip, said Balch.
They’re also pretty strong, which is a plus given that people tend to stick them in pockets, close them in suitcases and generally abuse them.
“They’re reusable to the point where we offer a lifetime warranty,” Balch said.
As for my cloned hotel room key, McAfee’s Grobman said all current cards should be treated just as you’d treat an old-fashioned room key and not be left lying around where someone might make a copy.
In the old days, that might have meant making an impression in a bar of soap or spiriting it off to a key-cutting machine. These days it would require simply a quick swipe through a magnetic card reader/writer machine connected to a computer. These machines can go for as little as $100 on eBay. That said, copying chip cards, which are increasingly being used by hotels, is a much more expensive, time-consuming and difficult process.
At the hacker conference, I kept it on my person and safe the entire time I was there.
“That’s just operational security, and common sense,” said Grobman.
By Elizabeth Weise, USA TODAY