Campus ID News
Card, mobile credential, payment and security

The urban legend phenomenon strikes our card-based dorm and hotel keys

CampusIDNews Staff   ||   Nov 01, 2003  ||   ,

In the past weeks, an email warning has been circulating describing alleged identity thefts occurring from information stored on hotel key cards. The warning claims that personal information stored on room keys can, if discarded improperly, enable a criminal to access your credit card number and use it for unauthorized charges. This is absolutely not true and is merely an “urban legend” spread via well meaning members of the Internet community.

Likely, you have received some version of the message. In an informal poll of CR80News staff members and contributors, we found that nearly every one had received the message at least once–one person reporting more than 15 occurrences.

Campuses have expressed concern regarding this reported threat as well because the same or a variation of the hotel style door locking systems are widely used for securing dormitory rooms and other campus facilities around the country. Let’s get to the facts.

To learn just what information is stored on the hotel keys and in the key creation system, CR80News spoke with Henry Fell, Technical Services Manager for Persona, a leader in the manufacture of these offline electronic locking systems. “This email warning is absolutely untrue–for our system and every other manufacturer’s system that we are aware of,” stresses Mr. Fell. “We store a numeric data string that tells the lock whether to accept or deny entry for that card. It is not based on any personally identifiable data.”

When pressed to find if there is any truth, any ‘under the covers’ type of data that might have led to this concern, again Mr. Fell is firm. It seems that the only part of the warning that has any substance is that some manufacturers use the date of checkout as a component in the numeric string stored on the card. Say Mr. Fell, “it is sometimes used to create the numeric code that tells the lock when to stop accepting a given card.”

Obviously, an unknown person’s checkout date would hardly facilitate an identity theft. Further, in cases where the checkout date is used as a part of the code, it is only one part of the equation and the resultant code is encrypted. Says Mr. Fell, “every company encrypts the data string. There may be a date or even a lock number involved but it is never a free read.” Thus, if someone were to read the card in a magnetic stripe reader, they would see only a meaningless string of characters and symbols.

Flashing back to the basics of magnetic stripe technology, remember that the key to most bankcard, campus card, and other card systems is standardization. By agreeing on a standardized character set, different cards can be read in different systems. But in the case of offline door locking systems, the goal is not standardization but rather security. Manufacturers don’t want their cards to be read in different systems. So the use of the standardized schemes
for encoding data onto cards is not required–or even desired. When a card is read via a standard magnetic stripe reader, the resulting string of zeros and ones (bits) do not necessarily even form recognizable alphanumeric characters.

Obviously, there is no security breach or cause for concern. There is no personal information tied to the checkout date and thus no problems with the card. Speaking on behalf of the industry, Mr. Fell confirms that he knows not a single provider of these systems that stores name, bankcard, or other personally identifiable data on the card.

Calls to several other manufacturers of this technology echo Mr. Fell’s comments. It seems that this is simply a rumor. Like the long-standing myth that the electric properties contained in eelskin wallets can damage magnetic stripe cards, the ‘hotel key identity theft myth’ can be added to the list of ID technology urban legends.

Sample of the ‘urban legend’ email
* Note: this message is inaccurate and presented only for background purposes. **

Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used through-out the industry.

Although room keys differ from hotel to hotel, a key obtained from (a hotel) that was being used for a regional Identity Theft Presentation was found to contain the following the information: Customer name; Home address; Hotel room number; Check in/out dates; Credit card number and expiration date.

When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

Simply put, hotels do not erase these cards until an employee issues the card to the next hotel guest. It is usually kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!! The bottom line is, keep the cards or destroy them! NEVER leave them behind and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card.

Special thanks go to Henry Fell and Persona for their assistance in the compilation of this article. Persona provides offline access control to the educational, corporate, and other markets, based on the Vingcard hotel locking system. Mr. Fell can be reached via email at [email protected].

Related Posts

|| TAGS:
Subscribe to our weekly newsletter


Transact partners with Reusables containers
Jun 14, 24 / ,

New integration enables Transact clients to deploy Reusables’ container solution

This week, Transact announced a new partnership with Reusables, a platform that enables students to check out and return reusable containers using their campus cards or mobile credentials. The integration between the two companies requires no additional app downloads, allowing students to easily and quickly begin using the system. Reusables is a Vancouver-based company dedicated […]
Southern Illinois University ID card

Southern Illinois uses summer to upgrade from mag stripe to contactless

This summer, Southern Illinois University is launching a new contactless campus card for students, faculty, and staff. Along with the new ID technology, the card will also feature an updated design. The prior mag stripe card will continue to be supported, but existing cardholders will have the option to upgrade their card. In July through […]
Virginia Tech access control readers from Allegion

Virginia Tech's multi-year journey eliminates brass keys from campus

  At Virginia Tech, a strategically planned, multi-year process has eliminated physical keys from the campus. Brass keys have been replaced by card access in buildings and residence halls. The only remaining keys are stored in secure key boxes for security personnel and residence hall advisors to access in case of emergencies or after hours […]
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Attn: friends in the biometrics space. Nominations close Friday for the annual Women in Biometrics Awards. Take five minutes to recognize a colleague or even yourself.

Feb. 1 webinar explores how mobile ordering enhanced campus life, increased sales at UVA and Central Washington @Grubhub @CBORD

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2024 CampusIDNews. All rights reserved.