[ISN] It's Just the Key to Your Room

From: InfoSec News (isn@private)
Date: Sun Jan 15 2006 - 22:27:35 PST


By Robert L. Mitchell 
JANUARY 16, 2006 

Warning: Hotel card keys may contain personally identifiable data on
the magnetic stripe. Is it fact -- or fiction?

"It's an urban legend. It doesn't work," says Joe McInerney, president
of the American Hotel and Lodging Association (AHLA). Nonetheless,
unsubstantiated reports keep surfacing every six months or so, he

For example, last fall, an IT director at a travel club in Wyomissing,
Pa., told Computerworld that he had found personal information on
magnetic hotel key cards when visiting three major hotel chains. The
IT professional said he read the cards using a commonly available
ISO-standard swipe-card reader that plugs into any USB port. At one
resort, he said, his card key contained credit card information, his
address and his name. He said the hotel expressed surprise when he
showed it the results. His comments, which appeared in a Computerworld
blog in September, created a furor. He subsequently declined to
comment for this story.

As part of a Computerworld investigation into the allegations,
reporters and other staff members who traveled last fall brought back
52 hotel card keys over a six-week period. The cards came from a wide
range of hotels and resorts, from Motel 6 to Hyatt Regency and Disney
World. We scanned them using an ISO-standard card reader from MagTek
Inc. in Carson, Calif. -- the type anyone could buy online.

We then sent the cards to Terry Benson, engineering group leader at
MagTek, for a more in-depth examination using specialized equipment.  
MagTek also gathered cards from its own staff. In all, 100 cards were

Most cards were completely unreadable with an off-the-shelf card
reader. Neither Benson nor Computerworld found any personally
identifiable information on them. Based on these results, we think
it's unlikely that hotel guests in the U.S. will find any personal
information on their hotel card keys. There is, however, some debate
among industry experts over whether some older systems could have been
configured to store personal information under specific scenarios.

To understand why personal information is unlikely to appear on hotel
card keys, you must first understand how the technology works.  
Electronic locks that use magnetic cards were developed to address
petty-theft problems associated with traditional keys. "Those problems
have virtually gone away," says Brian Garavuso, CIO at Hilton Grand
Vacations Co. in Orlando and chairman of the AHLA's technology
committee. Most keys contain only a room number, a departure date and
a "folio," or guest account code -- although other data may be stored
on them as well.

The door locks, which are stand-alone, battery-powered devices, each
contain a sequence of lock codes. The sequence advances when an
expired card is swiped or a new card inserted. The lock also logs when
a guest, maid or other hotel employee has entered the room. Hotel door
locks aren't wired back to the systems at the front desk. Therefore,
if a card is lost and a new card is issued, the room remains
unprotected until the new card is inserted into the lock and it
resets. Hotels use card-key locks because they are relatively
inexpensive, make rekeying easy, include a time limit and provide an
audit trail of room access.

Most card keys aren't readable because electronic lock systems use
proprietary encoders and readers. While ISO-standard cards store data
on three tracks on the magnetic strip, hotel lock systems use a
proprietary encoding pattern and encrypt room-key data on Track 3,
says Mark Goldberg, executive vice president and chief operating
officer at magnetic card maker Plasticard-Locktech International LLP
in Asheville, N.C. PLI's name appeared on many of the card keys
Computerworld tested.

Only 15% of the cards tested yielded any data using the USB card
reader. The alphanumeric strings did not match any of the users'
credit card numbers, nor was any intelligible text found. At MagTek,
Benson was able to pull up strings of binary data from the cards but
could not decode it. A specialized reader would be needed to decipher
it, but "you won't be able to grab one of those off eBay very easily,"  
he says.

Even then, the data would be unreadable because it is encrypted, says
Mike Scott, new products manager at Saflok, an electronic lock maker
in Troy, Mich.

On the Right Track?

Most electronic lock systems include a card encoder, a user
workstation and server software. That system interoperates with the
property management system (PMS), the software that handles functions
such as reservations, registration and guest billing. The PMS
communicates with the electronic lock system to generate new card keys
and sends billing data to the back-end systems.

A point-of-sale system may also tie back into the PMS to allow the
guest account code on the card key to be used to add charges for meals
or other items to the room bill. In this situation, the account code
exists within Track 2 on the card. This can be linked to the back-end
billing system, where the customer's name, address and credit card
information reside, allowing the guest to charge meals or bar tabs to
the card as though it were a credit card.

Resorts such as Universal Studios use Track 1 as an amusement park
pass and Track 2 for other charges, according to Saflok. While neither
track is encrypted, it typically includes only the folio code. On some
cards, the guest name and folio code may also be printed on the front
of the card itself.

Could credit card data be embedded directly onto the card?  
"Technically it's possible, but why would you? It's not needed," says

Individual hotel-chain properties are often franchised to other owners
that may outsource management to a third party -- and may use a
variety of back-end systems. However, although the back-end systems
may vary, all hotel chains require that franchisees use their property
management systems, Garavuso says.

In some resorts or hotels, the systems used in the bar, restaurant or
other concessions may not be tied back to the PMS that contains the
customer billing data. In that scenario, the hotel could choose to
encode credit card data directly onto the hotel key to allow credit
charges to be made, rather than going to the trouble of modifying both
systems. That type of arrangement could explain the experience the IT
director reported to Computerworld.

But is it likely? "If it were an older system, it's possible,"  
acknowledges Louise Casamento, director of marketing at PMS vendor
Micros Systems Inc. in Columbia, Md. In the past, people weren't as
conscious of security, and ISO card readers weren't readily available
on the Web, she says. But Saflok's Scott says it's not likely. "I've
been doing this for 15 years, and I've never seen it," he says, adding
that Saflok's system doesn't even have an option to allow the encoding
of credit card data onto its key cards.

"I would have to say that it [would have to be] a very old system --
and they are still out there -- that may still allow this," says
Jocelynn Lane, vice president at VingCard AS, a vendor of electronic
lock systems based in Norway. But, she adds, "we've never seen them
compromised." Certainly no system would do it today, she adds.

The only situation where Lane says travelers might find sensitive
personal information on card keys is when they're abroad. "There are
locking systems in Europe that, when you check in, let you enter a
credit card, guest name, everything [on the card]. But never in the
States," she says.

"There are probably 60,000 hotels in the U.S. right now. To say no one
has done it would be presumptuous on my part," says PLI's Goldberg.  
But the chances of guests running across the problem, if it exists at
all, are slim. "I would never check into a Holiday Inn and worry about
it," Goldberg says.


Sidebar: Testing the Card Keys 

Sidebar: Spraying for Data 

Sidebar: The Search for the Perfect Electronic Key 

Blog: What's not on your hotel card key 

Blog: Swipe here to steal ID

InfoSec News v2.0 - Coming Soon! 

This archive was generated by hypermail 2.1.3 : Sun Jan 15 2006 - 22:57:17 PST