Is a lost hotel card key a financial risk? We found out

Is a lost hotel card key a financial risk? We found out

A hotel card key being swiped through a card reader to see what data is stored on it.

Is a lost hotel card key a financial risk? We found out

A hotel card key being swiped through a card reader.

A few key strokes and he ran one of the blank cards he’d brought on eBay through the machine.

“Try this when you get back to your hotel,” he told me.

The cloned key worked perfectly throughout my entire stay.

Least privilege, most security

The credit card-sized plastic keys used by most hotels today contain at most four pieces of information — which room the key is for, when the key can begin opening the door, when it should stop working, and, sometimes, a guest number.

When the desk clerk types furiously into their key coding machine and then swipes the card through, that information is being transferred to either the magnetic stripe on the back of the card or, in newer cards, the chip embedded in it.

When the guest inserts the key into the room's door lock mechanism, the key tells the lock that it’s meant to open the door to that exact room, when the guest can begin occupying the room and when they have to have checked out, said Christopher Balch, with Maglocks, a locking company based in Amsterdam, N.Y.

In many ways, hotel key cards are a great example of what the computer security world calls “least privilege,” the concept that to maintain security a system should have only enough privilege to access the information it needs to get its work done and no more, said Steve Grobman, McAfee’s chief technology officer.

“For a hotel key card, it should only have the data on it that it needs to do its job. For example a time stamp, so if you’re in the room from Monday to Thursday and you try to use that key on Friday, it doesn't work,” said Grobman, who oversaw the card-testing.

Sometimes, systems also include a guest number that lets the software track who’s gone in and out of a room.

“It’s not really a name, it’s just an encoded guest number which maps back to the software for the lock system. It gives you an audit trail so you know who accessed the room,” said Balch.

Cheaper, better keys

Most hotels stopped using actual metal keys because programmable cards are cheaper and more versatile. With a metal key, a guest who forgets to return it could open the door to their room days or even weeks later, meaning the hotel might have to go to the expense of changing the room’s lock.

Is a lost hotel card key a financial risk? We found out

A stack of hotel card keys.

Metal keys are also expensive to replace, while the plastic key cards can go for as little as 10 cents if they’re magnetic stripe and around $1 per card if they contain a smart chip, said Balch.

They’re also pretty strong, which is a plus given that people tend to stick them in pockets, close them in suitcases and generally abuse them.

“They’re reusable to the point where we offer a lifetime warranty,” Balch said.

As for my cloned hotel room key, McAfee's Grobman said all current cards should be treated just as you'd treat an old fashioned room key and not be left laying around where someone might make a copy.

In the old days, that might have meant making an impression in a bar of soap or spiriting it off to a key-cutting machine.

At the hacker conference, I kept it on my person and safe the entire time I was there.

"That's just operational security, and common sense," said Grobman.

 



Add Comment

all comments

  Other news

more
Rio Ferdinand continues to wear wedding ring in touching tribute to late wife

Rio Ferdinand continues to wear wedding ring in touching tribute to late wife..

18-Aug, 05:41

Rio Ferdinand continues to pay tribute to his late wife Rebecca Ellison...

Stacey Solomon reveals she saved her sons from overturned car - read the details

Stacey Solomon reveals she saved her sons from overturned car - read the details..

18-Aug, 13:00

VIEW GALLERY Stacey opened up about the car accident She continued: "'I...

20-plus health care stats that will blow you away

20-plus health care stats that will blow you away..

18-Aug, 16:50

5,564: There were recently 5,564 registered hospitals in the U.S., per...

NI golfer Joe Rooney scores two holes-in-one

NI golfer Joe Rooney scores two holes-in-one..

18-Aug, 03:30

An Armagh teenager has scored an amazing two holes-in-one in the same...

Lawmakers, armed forces, celebrate Take Your Dog to Work Day

Lawmakers, armed forces, celebrate Take Your Dog to Work Day..

24-Jun, 02:39

Woof! Lawmakers, branches of the armed forces and federal departments...

The Latest: Xi sightsees, talks trade in Alaska layover

The Latest: Xi sightsees, talks trade in Alaska layover..

08-Apr, 01:25

The Latest on Chinese President Xi Jinping's visit to Alaska (all times...

World's biggest shipper: cyberattack cost up to $300 million

World's biggest shipper: cyberattack cost up to $300 million..

16-Aug, 05:00

The June cyberattack that paralyzed the computer systems in companies...

Fox's James Murdoch slams Trump's Charlottesville response

Fox's James Murdoch slams Trump's Charlottesville response..

18-Aug, 10:50

The CEO of 21st Century Fox denounced racism and terrorists while...