Shostack + Friends Blog Archive


Hotel Room Keys

For example, last fall, an IT director at a travel club in Wyomissing, Pa., told Computerworld that he had found personal information on magnetic hotel key cards when visiting three major hotel chains. The IT professional said he read the cards using a commonly available ISO-standard swipe-card reader that plugs into any USB port. At one resort, he said, his card key contained credit card information, his address and his name. He said the hotel expressed surprise when he showed it the results. His comments, which appeared in a Computerworld blog in September [QuickLink a7730], created a furor. He subsequently declined to comment for this story.

As part of a Computerworld investigation into the allegations, reporters and other staff members who traveled last fall brought back 52 hotel card keys over a six-week period. The cards came from a wide range of hotels and resorts, from Motel 6 to Hyatt Regency and Disney World. We scanned them using an ISO-standard card reader from MagTek Inc. in Carson, Calif. — the type anyone could buy online.

We then sent the cards to Terry Benson, engineering group leader at MagTek, for a more in-depth examination using specialized equipment. MagTek also gathered cards from its own staff. In all, 100 cards were tested.

From “It’s Just the Key to Your Room.” It’s a pretty darn good article that carefully reports on how hotel keys work, and what’s on them, but one thing jumped out at me: They couldn’t understand the data they read:

Only 15% of the cards tested yielded any data using the USB card reader. The alphanumeric strings did not match any of the users’ credit card numbers, nor was any intelligible text found. At MagTek, Benson was able to pull up strings of binary data from the cards but could not decode it…

Let me be absolutely clear: I don’t think your name or credit card is encoded on these cards. I think they use algorithms as described in the article. Anyone reading this blog will know that I and my co-bloggers take privacy very seriously. Nevertheless, I hate it when people say “the data is unintelligible.” So, Computerworld, why not put the raw data online? Let others follow up on your excellent analysis methods? If, as the companies say, there’s nothing interesting, then there’s not only no reason not to, there’s every reason to be open with the data. Maybe someone else can figure it out.
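One way to make "did not match any credit card numbers" checkable on a key card you hold is to test the reader's ASCII output for the ISO/IEC 7813 financial-card track layout and for Luhn-valid account numbers. This is an added example, not code from Computerworld, MagTek or this blog. It assumes a reader that emits ASCII track data; the function names and both sample swipes are constructed for illustration.

```python
import re

# ISO/IEC 7813 financial-card layouts as a swipe reader emits them in ASCII:
#   Track 1: %B<PAN>^<NAME>^<YYMM>...?     Track 2: ;<PAN>=<YYMM>...?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})[^?]*\?")
DIGIT_RUN = re.compile(r"\d{13,19}")

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so a report never holds a full number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_swipe(raw):
    """Return (kind, masked_number, name) findings for one raw swipe string."""
    findings = []
    for m in TRACK1.finditer(raw):
        if luhn_ok(m.group(1)):
            findings.append(("track1-financial", mask(m.group(1)), m.group(2).strip()))
    for m in TRACK2.finditer(raw):
        if luhn_ok(m.group(1)):
            findings.append(("track2-financial", mask(m.group(1)), None))
    if not findings:
        # No card layout found: flag whole digit runs that still pass Luhn.
        # About one random run in ten passes, so these need manual review.
        for m in DIGIT_RUN.finditer(raw):
            if luhn_ok(m.group(0)):
                findings.append(("luhn-digit-run", mask(m.group(0)), None))
    return findings

# Constructed samples: a payment-card style swipe (public test number) and an
# opaque key-card style swipe that resembles the layout but fails Luhn.
SAMPLE_FINANCIAL = ("%B4111111111111111^DOE/JANE^2512101000000000?"
                    ";4111111111111111=25121010000000000000?")
SAMPLE_OPAQUE = "%7F3A09C2E41B88D05A?;4111111111111112=2512?"
```

An empty result only rules out plain-text financial encoding; it says nothing about what a proprietary or binary format on the card contains.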