Campus ID News
Card, mobile credential, payment and security

The urban legend phenomenon strikes our card-based dorm and hotel keys

CampusIDNews Staff   ||   Nov 01, 2003  ||   ,

In the past weeks, an email warning has been circulating describing alleged identity thefts occurring from information stored on hotel key cards. The warning claims that personal information stored on room keys can, if discarded improperly, enable a criminal to access your credit card number and use it for unauthorized charges. This is absolutely not true and is merely an “urban legend” spread via well meaning members of the Internet community.

Likely, you have received some version of the message. In an informal poll of CR80News staff members and contributors, we found that nearly every one had received the message at least once–one person reporting more than 15 occurrences.

Campuses have expressed concern regarding this reported threat as well because the same or a variation of the hotel style door locking systems are widely used for securing dormitory rooms and other campus facilities around the country. Let’s get to the facts.

To learn just what information is stored on the hotel keys and in the key creation system, CR80News spoke with Henry Fell, Technical Services Manager for Persona, a leader in the manufacture of these offline electronic locking systems. “This email warning is absolutely untrue–for our system and every other manufacturer’s system that we are aware of,” stresses Mr. Fell. “We store a numeric data string that tells the lock whether to accept or deny entry for that card. It is not based on any personally identifiable data.”

When pressed to find if there is any truth, any ‘under the covers’ type of data that might have led to this concern, again Mr. Fell is firm. It seems that the only part of the warning that has any substance is that some manufacturers use the date of checkout as a component in the numeric string stored on the card. Say Mr. Fell, “it is sometimes used to create the numeric code that tells the lock when to stop accepting a given card.”

Obviously, an unknown person’s checkout date would hardly facilitate an identity theft. Further, in cases where the checkout date is used as a part of the code, it is only one part of the equation and the resultant code is encrypted. Says Mr. Fell, “every company encrypts the data string. There may be a date or even a lock number involved but it is never a free read.” Thus, if someone were to read the card in a magnetic stripe reader, they would see only a meaningless string of characters and symbols.

Flashing back to the basics of magnetic stripe technology, remember that the key to most bankcard, campus card, and other card systems is standardization. By agreeing on a standardized character set, different cards can be read in different systems. But in the case of offline door locking systems, the goal is not standardization but rather security. Manufacturers don’t want their cards to be read in different systems. So the use of the standardized schemes
for encoding data onto cards is not required–or even desired. When a card is read via a standard magnetic stripe reader, the resulting string of zeros and ones (bits) do not necessarily even form recognizable alphanumeric characters.

Obviously, there is no security breach or cause for concern. There is no personal information tied to the checkout date and thus no problems with the card. Speaking on behalf of the industry, Mr. Fell confirms that he knows not a single provider of these systems that stores name, bankcard, or other personally identifiable data on the card.

Calls to several other manufacturers of this technology echo Mr. Fell’s comments. It seems that this is simply a rumor. Like the long-standing myth that the electric properties contained in eelskin wallets can damage magnetic stripe cards, the ‘hotel key identity theft myth’ can be added to the list of ID technology urban legends.

Sample of the ‘urban legend’ email
* Note: this message is inaccurate and presented only for background purposes. **

Southern California law enforcement professionals assigned to detect new threats to personal security issues, recently discovered what type of information is embedded in the credit card type hotel room keys used through-out the industry.

Although room keys differ from hotel to hotel, a key obtained from (a hotel) that was being used for a regional Identity Theft Presentation was found to contain the following the information: Customer name; Home address; Hotel room number; Check in/out dates; Credit card number and expiration date.

When you turn them in to the front desk your personal information is there for any employee to access by simply scanning the card in the hotel scanner. An employee can take a hand full of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.

Simply put, hotels do not erase these cards until an employee issues the card to the next hotel guest. It is usually kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!! The bottom line is, keep the cards or destroy them! NEVER leave them behind and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card.

Special thanks go to Henry Fell and Persona for their assistance in the compilation of this article. Persona provides offline access control to the educational, corporate, and other markets, based on the Vingcard hotel locking system. Mr. Fell can be reached via email at [email protected]

|| TAGS:
Subscribe to our weekly newsletter


May 26, 23 / ,

Penn State adds mobile ordering to campus app

Penn State has added a mobile ordering feature to its comprehensive campus mobile app, Penn State Go. The Penn State Eats Mobile function is available for use by students on the flagship University Park campus, as well as across the university's Commonwealth Campuses.
May 26, 23 / ,

NAU leverages delivery robots to support late-night dining

Northern Arizona is leveraging Starship delivery robots and the mobile ordering app in a clever way to prop up late night dining, and putting a twist on the ghost kitchen concept. The university has launched its Hole in the Wall dining window that now serves either pickup or robot delivery for students by offering a number of dining concepts all from a single, concession-style window.
May 25, 23 / ,

HID's Technology Partner Program helps companies develop mobile solutions

Trusted identity solutions provider, HID Global, has announced its HID Origo Technology Partner Program, the company’s first program dedicated to partners with a focus on mobile technologies. The Origo Technology Partner Program is designed to help technology partners by providing the ideal platform for organizations to design, test, and market products that integrate with HID Origo via APIs and SDKs.
CIDN logo reversed
The only publication dedicated to the use of campus cards, mobile credentials, identity and security technology in the education market. CampusIDNews – formerly CR80News – has served more than 6,500 subscribers for more than two decades.

Join us, @NACCUorg, and @TouchNet to explore how campus card programs can successfully navigate the sales and procurement process. Join the webinar on June 6, 2 pm EDT.

Webinar: Learn how the University of Arizona uses campus cards, mobile ordering, kiosks, lockers, and robots to revolutionize campus dining. April 7, 2-2:30 EDT. Register Now at

Load More...
CampusIDNews is published by AVISIAN Publishing
315 E. Georgia St.
Tallahassee, FL 32301[email protected]
Use our contact form to submit tips, corrections, or questions to our team.
©2023 CampusIDNews. All rights reserved.