Is a lost hotel card key a financial risk? We found out
A hotel card key being swiped through a card reader to see what data is stored on it.
A hotel card key being swiped through a card reader.
A few key strokes and he ran one of the blank cards he’d brought on eBay through the machine.
“Try this when you get back to your hotel,” he told me.
The cloned key worked perfectly throughout my entire stay.
Least privilege, most security
The credit card-sized plastic keys used by most hotels today contain at most four pieces of information — which room the key is for, when the key can begin opening the door, when it should stop working, and, sometimes, a guest number.
When the desk clerk types furiously into their key coding machine and then swipes the card through, that information is being transferred to either the magnetic stripe on the back of the card or, in newer cards, the chip embedded in it.
When the guest inserts the key into the room's door lock mechanism, the key tells the lock that it’s meant to open the door to that exact room, when the guest can begin occupying the room and when they have to have checked out, said Christopher Balch, with Maglocks, a locking company based in Amsterdam, N.Y.
In many ways, hotel key cards are a great example of what the computer security world calls “least privilege,” the concept that to maintain security a system should have only enough privilege to access the information it needs to get its work done and no more, said Steve Grobman, McAfee’s chief technology officer.
“For a hotel key card, it should only have the data on it that it needs to do its job. For example a time stamp, so if you’re in the room from Monday to Thursday and you try to use that key on Friday, it doesn't work,” said Grobman, who oversaw the card-testing.
Sometimes, systems also include a guest number that lets the software track who’s gone in and out of a room.
“It’s not really a name, it’s just an encoded guest number which maps back to the software for the lock system. It gives you an audit trail so you know who accessed the room,” said Balch.
Cheaper, better keys
Most hotels stopped using actual metal keys because programmable cards are cheaper and more versatile. With a metal key, a guest who forgets to return it could open the door to their room days or even weeks later, meaning the hotel might have to go to the expense of changing the room’s lock.
A stack of hotel card keys.
Metal keys are also expensive to replace, while the plastic key cards can go for as little as 10 cents if they’re magnetic stripe and around $1 per card if they contain a smart chip, said Balch.
They’re also pretty strong, which is a plus given that people tend to stick them in pockets, close them in suitcases and generally abuse them.
“They’re reusable to the point where we offer a lifetime warranty,” Balch said.
As for my cloned hotel room key, McAfee's Grobman said all current cards should be treated just as you'd treat an old fashioned room key and not be left laying around where someone might make a copy.
In the old days, that might have meant making an impression in a bar of soap or spiriting it off to a key-cutting machine.
At the hacker conference, I kept it on my person and safe the entire time I was there.
"That's just operational security, and common sense," said Grobman.
Add Commentall comments
Rio Ferdinand continues to pay tribute to his late wife Rebecca Ellison...
VIEW GALLERY Stacey opened up about the car accident She continued: "'I...
5,564: There were recently 5,564 registered hospitals in the U.S., per...
Woof! Lawmakers, branches of the armed forces and federal departments...
The Latest on Chinese President Xi Jinping's visit to Alaska (all times...
The June cyberattack that paralyzed the computer systems in companies...