Campus ID News

The urban legend phenomenon strikes our card-based dorm and hotel keys

CampusIDNews Staff || Nov 01, 2003

In the past weeks, an email warning has been circulating describing alleged identity thefts occurring from information stored on hotel key cards. The warning claims that personal information stored on room keys can, if discarded improperly, enable a criminal to access your credit card number and use it for unauthorized charges. This is absolutely not true and is merely an “urban legend” spread via well-meaning members of the Internet community.

Likely, you have received some version of the message. In an informal poll of CR80News staff members and contributors, we found that nearly everyone had received the message at least once–one person reporting more than 15 occurrences.

Campuses have expressed concern regarding this reported threat as well because the same or a variation of the hotel style door locking systems are widely used for securing dormitory rooms and other campus facilities around the country. Let’s get to the facts.

To learn just what information is stored on the hotel keys and in the key creation system, CR80News spoke with Henry Fell, Technical Services Manager for Persona, a leader in the manufacture of these offline electronic locking systems. “This email warning is absolutely untrue–for our system and every other manufacturer’s system that we are aware of,” stresses Mr. Fell. “We store a numeric data string that tells the lock whether to accept or deny entry for that card. It is not based on any personally identifiable data.”

When pressed to find if there is any truth, any ‘under the covers’ type of data that might have led to this concern, again Mr. Fell is firm. It seems that the only part of the warning that has any substance is that some manufacturers use the date of checkout as a component in the numeric string stored on the card. Says Mr. Fell, “it is sometimes used to create the numeric code that tells the lock when to stop accepting a given card.”

Obviously, an unknown person’s checkout date would hardly facilitate an identity theft. Further, in cases where the checkout date is used as a part of the code, it is only one part of the equation and the resultant code is encrypted. Says Mr. Fell, “every company encrypts the data string. There may be a date or even a lock number involved but it is never a free read.” Thus, if someone were to read the card in a magnetic stripe reader, they would see only a meaningless string of characters and symbols.

Flashing back to the basics of magnetic stripe technology, remember that the key to most bankcard, campus card, and other card systems is standardization. By agreeing on a standardized character set, different cards can be read in different systems. But in the case of offline door locking systems, the goal is not standardization but rather security. Manufacturers don’t want their cards to be read in different systems. So the use of the standardized schemes for encoding data onto cards is not required–or even desired. When a card is read via a standard magnetic stripe reader, the resulting string of zeros and ones (bits) does not necessarily even form recognizable alphanumeric characters.
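The contrast described above, as an added example that is not part of the original article: a decoder for the ISO/IEC 7811 Track 2 character format, assumed here as the "standardized character set" since the article names no standard. It is run over a constructed standards-encoded stripe and over a constructed opaque bit string standing in for a proprietary lock code.

```python
# Track 2 character (ISO/IEC 7811): 4 data bits, least significant first, then 1 odd-parity bit.
CHARSET = "0123456789:;<=>?"
START, END = ";", "?"
START_BITS = "11010"  # ';' (value 11) followed by its parity bit

def encode_track2(payload):
    """Encode: start sentinel, payload, end sentinel, LRC (XOR of all preceding values)."""
    values = [CHARSET.index(c) for c in START + payload + END]
    lrc = 0
    for v in values:
        lrc ^= v
    out = []
    for v in values + [lrc]:
        data = [(v >> n) & 1 for n in range(4)]
        out += data + [1 - sum(data) % 2]  # parity bit makes the count of 1s odd
    return "".join(map(str, out))

def decode_track2(bits):
    """Return (payload, None) for a well-formed track, else (None, reason)."""
    i = bits.find(START_BITS)  # readers skip leading clock zeros up to the sentinel
    if i < 0:
        return None, "no start sentinel"
    values = []
    while i + 5 <= len(bits):
        group = [int(b) for b in bits[i:i + 5]]
        if sum(group) % 2 != 1:
            return None, f"parity error at bit {i}"
        values.append(sum(b << n for n, b in enumerate(group[:4])))
        i += 5
        if len(values) > 1 and CHARSET[values[-2]] == END:
            break  # the group after the end sentinel is the LRC
    else:
        return None, "no end sentinel"
    check = 0
    for v in values:
        check ^= v
    if check != 0:
        return None, "LRC mismatch"
    return "".join(CHARSET[v] for v in values[1:-2]), None

# Constructed samples: a standards-encoded stripe and an opaque bit string
# standing in for a proprietary, encrypted lock code (not real card data).
STANDARD = "0" * 10 + encode_track2("0123456789=0311") + "0" * 10
OPAQUE = "".join(f"{b:08b}" for b in bytes.fromhex("5A3C96E10F4B"))

if __name__ == "__main__":
    print(decode_track2(STANDARD))
    print(decode_track2(OPAQUE))
```

The standard stripe decodes back to its payload, while the opaque string fails the framing checks before any characters can be recovered.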

Obviously, there is no security breach or cause for concern. There is no personal information tied to the checkout date and thus no problems with the card. Speaking on behalf of the industry, Mr. Fell confirms that he knows not a single provider of these systems that stores name, bankcard, or other personally identifiable data on the card.

Calls to several other manufacturers of this technology echo Mr. Fell’s comments. It seems that this is simply a rumor. Like the long-standing myth that the electric properties contained in eelskin wallets can damage magnetic stripe cards, the ‘hotel key identity theft myth’ can be added to the list of ID technology urban legends.


Sample of the ‘urban legend’ email
** Note: this message is inaccurate and presented only for background purposes. **

Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used throughout the industry.

Although room keys differ from hotel to hotel, a key obtained from (a hotel) that was being used for a regional Identity Theft Presentation was found to contain the following information: Customer name; Home address; Hotel room number; Check in/out dates; Credit card number and expiration date.

When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a handful of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

Simply put, hotels do not erase these cards until an employee issues the card to the next hotel guest. It is usually kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!! The bottom line is, keep the cards or destroy them! NEVER leave them behind and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card.


Special thanks go to Henry Fell and Persona for their assistance in the compilation of this article. Persona provides offline access control to the educational, corporate, and other markets, based on the Vingcard hotel locking system. Mr. Fell can be reached via email at [email protected].

The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.
CampusIDNews is published by AVISIAN Publishing