http://www.computerworld.com/securitytopics/security/story/0,10801,107701,00.html

By Robert L. Mitchell
JANUARY 16, 2006
COMPUTERWORLD

Warning: Hotel card keys may contain personally identifiable data on the magnetic stripe. Is it fact -- or fiction?

"It's an urban legend. It doesn't work," says Joe McInerney, president of the American Hotel and Lodging Association (AHLA). Nonetheless, unsubstantiated reports keep surfacing every six months or so, he acknowledges.

For example, last fall, an IT director at a travel club in Wyomissing, Pa., told Computerworld that he had found personal information on magnetic hotel key cards when visiting three major hotel chains. The IT professional said he read the cards using a commonly available ISO-standard swipe-card reader that plugs into any USB port. At one resort, he said, his card key contained credit card information, his address and his name. He said the hotel expressed surprise when he showed it the results. His comments, which appeared in a Computerworld blog in September, created a furor. He subsequently declined to comment for this story.

As part of a Computerworld investigation into the allegations, reporters and other staff members who traveled last fall brought back 52 hotel card keys over a six-week period. The cards came from a wide range of hotels and resorts, from Motel 6 to Hyatt Regency and Disney World. We scanned them using an ISO-standard card reader from MagTek Inc. in Carson, Calif. -- the type anyone could buy online. We then sent the cards to Terry Benson, engineering group leader at MagTek, for a more in-depth examination using specialized equipment. MagTek also gathered cards from its own staff. In all, 100 cards were tested.

Most cards were completely unreadable with an off-the-shelf card reader. Neither Benson nor Computerworld found any personally identifiable information on them. Based on these results, we think it's unlikely that hotel guests in the U.S. will find any personal information on their hotel card keys. There is, however, some debate among industry experts over whether some older systems could have been configured to store personal information under specific scenarios.

To understand why personal information is unlikely to appear on hotel card keys, you must first understand how the technology works. Electronic locks that use magnetic cards were developed to address petty-theft problems associated with traditional keys. "Those problems have virtually gone away," says Brian Garavuso, CIO at Hilton Grand Vacations Co. in Orlando and chairman of the AHLA's technology committee.

Most keys contain only a room number, a departure date and a "folio," or guest account code -- although other data may be stored on them as well. The door locks, which are stand-alone, battery-powered devices, each contain a sequence of lock codes. The sequence advances when an expired card is swiped or a new card is inserted. The lock also logs when a guest, maid or other hotel employee has entered the room.

Hotel door locks aren't wired back to the systems at the front desk. Therefore, if a card is lost and a new card is issued, the lost card still opens the room until the new card is inserted into the lock and the lock advances to the new code. Hotels use card-key locks because they are relatively inexpensive, make rekeying easy, include a time limit and provide an audit trail of room access.

Most card keys aren't readable because electronic lock systems use proprietary encoders and readers. While ISO-standard cards store data on three tracks on the magnetic stripe, hotel lock systems use a proprietary encoding pattern and encrypt room-key data on Track 3, says Mark Goldberg, executive vice president and chief operating officer at magnetic card maker Plasticard-Locktech International LLP in Asheville, N.C. PLI's name appeared on many of the card keys Computerworld tested.

Only 15% of the cards tested yielded any data using the USB card reader.
The alphanumeric strings did not match any of the users' credit card numbers, nor was any intelligible text found. At MagTek, Benson was able to pull up strings of binary data from the cards but could not decode them. A specialized reader would be needed to decipher the data, but "you won't be able to grab one of those off eBay very easily," he says. Even then, the data would be unreadable because it is encrypted, says Mike Scott, new products manager at Saflok, an electronic lock maker in Troy, Mich.

On the Right Track?

Most electronic lock systems include a card encoder, a user workstation and server software. That system interoperates with the property management system (PMS), the software that handles functions such as reservations, registration and guest billing. The PMS communicates with the electronic lock system to generate new card keys and sends billing data to the back-end systems.

A point-of-sale system may also tie back into the PMS to allow the guest account code on the card key to be used to add charges for meals or other items to the room bill. In this situation, the account code is stored on Track 2 of the card. That code is linked to the guest's record in the back-end billing system, where the customer's name, address and credit card information reside, allowing the guest to charge meals or bar tabs to the card as though it were a credit card. The card carries only the reference to that record, not the billing data itself.

Resorts such as Universal Studios use Track 1 as an amusement park pass and Track 2 for other charges, according to Saflok. Neither track is encrypted, but each typically carries only the folio code. On some cards, the guest name and folio code may also be printed on the front of the card itself.

Could credit card data be embedded directly onto the card? "Technically it's possible, but why would you? It's not needed," says Garavuso.

Individual hotel-chain properties are often franchised to other owners that may outsource management to a third party -- and may use a variety of back-end systems. However, although the back-end systems may vary, all hotel chains require that franchisees use their property management systems, Garavuso says.

In some resorts or hotels, the systems used in the bar, restaurant or other concessions may not be tied back to the PMS that contains the customer billing data. In that scenario, the hotel could choose to encode credit card data directly onto the hotel key to allow credit charges to be made, rather than going to the trouble of integrating the two systems. That type of arrangement could explain the experience the IT director reported to Computerworld.

But is it likely? "If it were an older system, it's possible," acknowledges Louise Casamento, director of marketing at PMS vendor Micros Systems Inc. in Columbia, Md. In the past, people weren't as conscious of security, and ISO card readers weren't readily available on the Web, she says.

But Saflok's Scott says it's not likely. "I've been doing this for 15 years, and I've never seen it," he says, adding that Saflok's system doesn't even have an option to allow the encoding of credit card data onto its key cards.

"I would have to say that it [would have to be] a very old system -- and they are still out there -- that may still allow this," says Jocelynn Lane, vice president at VingCard AS, a vendor of electronic lock systems based in Norway. But, she adds, "we've never seen them compromised." Certainly no system would do it today, she adds.

The only situation where Lane says travelers might find sensitive personal information on card keys is when they're abroad. "There are locking systems in Europe that, when you check in, let you enter a credit card, guest name, everything [on the card]. But never in the States," she says.

"There are probably 60,000 hotels in the U.S. right now. To say no one has done it would be presumptuous on my part," says PLI's Goldberg. But the chances of guests running across the problem, if it exists at all, are slim.
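Computerworld's test amounted to swiping each card through an ISO reader and comparing whatever came back against the traveler's own card number by eye. The added example below, which is not code from the article or from any of the vendors quoted, shows how a practitioner would automate that check over the three track layouts the article describes: it splits a keyboard-emulation reader's output into Track 1, 2 and 3 by their ISO 7811 sentinels, recognizes the ISO 7813 financial layouts, and flags any 13-19 digit run that passes the Luhn check as a probable card number while reporting everything else as folio-style data or as unreadable. The sample swipes are constructed for this example (4111111111111111 is a widely used test card number, not a real account), and the convention that an undecodable track comes back as `%E?`, `;E?` or `+E?` is an assumption modeled on MagTek readers.

```python
import re
from dataclasses import dataclass

# ISO 7811 start sentinels: '%' opens track 1, ';' track 2, '+' track 3; '?' ends each.
TRACK_SENTINELS = {1: "%", 2: ";", 3: "+"}
# ISO 7813 financial layouts: track 1 'B<PAN>^<NAME>^<YYMM>...', track 2 '<PAN>=<YYMM>...'
FIN_TRACK1 = re.compile(r"^B(?P<pan>\d{13,19})\^(?P<name>[^^]*)\^(?P<exp>\d{4})")
FIN_TRACK2 = re.compile(r"^(?P<pan>\d{13,19})=(?P<exp>\d{4})")
DIGIT_RUN = re.compile(r"\d{13,19}")
# Assumption: an undecodable track is reported as a body of just 'E' (MagTek-style).
READ_ERROR = "E"


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test (ISO 7812) that every payment card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so a finding can be logged without the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackFinding:
    track: int
    kind: str          # "unreadable", "absent", "pan" or "data"
    value: str = ""    # masked PAN, or the raw body for non-financial data
    name: str = ""     # cardholder name when the financial track 1 layout is present


def split_tracks(raw: str) -> dict:
    """Return {track_number: body} for every '<sentinel>...?' group in one swipe."""
    bodies = {}
    for num, start in TRACK_SENTINELS.items():
        m = re.search(re.escape(start) + r"(?P<body>[^?]*)\?", raw)
        if m:
            bodies[num] = m.group("body")
    return bodies


def classify_track(num: int, body: str) -> TrackFinding:
    if body == READ_ERROR:
        return TrackFinding(num, "unreadable")   # proprietary encoding the ISO reader can't decode
    if body == "":
        return TrackFinding(num, "absent")
    fin = FIN_TRACK1.match(body) if num == 1 else FIN_TRACK2.match(body) if num == 2 else None
    if fin and luhn_ok(fin.group("pan")):
        return TrackFinding(num, "pan", mask_pan(fin.group("pan")), fin.groupdict().get("name", ""))
    # Non-standard layout: still flag a Luhn-valid 13-19 digit run stored 'raw' on the track.
    for run in DIGIT_RUN.findall(body):
        if luhn_ok(run):
            return TrackFinding(num, "pan", mask_pan(run))
    return TrackFinding(num, "data", body)     # folio code, departure date or similar


def classify_swipe(raw: str) -> list:
    """Classify each track present in one line of reader output."""
    return [classify_track(n, b) for n, b in sorted(split_tracks(raw).items())]


def contains_pii(raw: str) -> bool:
    return any(f.kind == "pan" for f in classify_swipe(raw))


# Constructed sample swipes for this example, not cards from the Computerworld test.
SAMPLES = {
    # The scenario the IT director described: a key encoded like a payment card.
    "card_with_pan": "%B4111111111111111^DOE/JANE^26121011000000000?;4111111111111111=26121011000000000?",
    # A readable hotel key: folio code and departure date on track 2, track 1 empty.
    "folio_only": "%?;7390421=060118?",
    # The common case: proprietary data on track 3 and nothing the ISO reader can decode.
    "proprietary": "%E?;E?+E?",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "PII" if contains_pii(raw) else "no PII", classify_swipe(raw))
```

The Luhn test is a heuristic: a long numeric folio can pass it by chance, so a hit is a lead to confirm against the guest's own card number, the way Computerworld did, not proof on its own. Findings are logged with the number masked so that the checking tool does not itself become a place where card numbers accumulate.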
"I would never check into a Holiday Inn and worry about it," Goldberg says.

-=-

Sidebar: Testing the Card Keys
http://www.computerworld.com/securitytopics/security/story/0,10801,107703,00.html

Sidebar: Spraying for Data
http://www.computerworld.com/securitytopics/security/story/0,10801,107702,00.html

Sidebar: The Search for the Perfect Electronic Key
http://www.computerworld.com/securitytopics/security/story/0,10801,107737,00.html

Blog: What's not on your hotel card key
http://www.computerworld.com/blogs/node/1577

Blog: Swipe here to steal ID
http://www.computerworld.com/blogs/node/1016

_________________________________
InfoSec News v2.0 - Coming Soon!
http://www.infosecnews.org
This archive was generated by hypermail 2.1.3 : Sun Jan 15 2006 - 22:57:17 PST