So your hotel stay has come to an end and its time for checkout. When it comes to the Internet, there are two schools of thought when it comes to those lovely little keycards and checkout. The first approach is classic: just leave your key at the reception. But there’s a second one, adepts of this approach flood social networks with messages like this:
“So you are going to return your card key on checkout or leave it in the room as you leave the room? Well, bad news for you! This card stores a plenty of critical data: your name, home address, room number, check in and out dates, and credit card number. So when you hand in your card, anyone can read that data! Your information remains recorded on the card until the next guest checks in and has his/her data is overwritten.”
“Never return your key card to the hotel. Keep it as a keepsake (there is no fee for this) or use a magnet to destroy information!”
These manifestos provoke equally vivid discussions: “Damn it, I just travelled to Cancun and handed the card key in. What shall I do now?” Typically the response threads to a comment like this can stretch several pages on forums.
To be fair, many readers would dismiss the topic as fake, but at times this voice of reason is not immediately heard. As a rule, some would note that it does not make sense to record such an array of data to a key card. And they would be totally right!
So, how did this myth originate?
Back in October 2003, the police department of Pasadena, CA received a letter from a group of detectives investigating a scam. One of the detectives shared his experience of finding a key card belonging to one of the major hotel chains.
That card contained a guest’s personal information (including address, duration of stay, and their credit card number). The detective warned about possible compromise and sought ways to investigate the case.
Is it true that hotel key cards store guests’ personal data? #travel #hotels #securityTweet
The letter eventually was disseminated throughout the Pasadena police officers. These officers then shared with their friends and families. The fact that key card contained sensitive data was never confirmed, yet the rumor spread among the public. In the end the police department had to publish a refutation.
A reasonable portion of offline paranoia may save money online: https://t.co/ZGkvthc12o
— Eugene Kaspersky (@e_kaspersky) December 18, 2014
Snopes.com, a popular website specializing on busting urban myths, stood by a different story. The correspondence between the departments, most likely, presupposed carders who frequently use hotel key cards as dummies to record compromised magnetic strip data (when raiding the scene, a police officer may just miss an innocently-looking key card as an evidence). Unfortunately, despite the mythbusting, this legend will live on in various iterations.
Watch before you ATM: 13 Indicted in $2M Bluetooth Skimmer Scam http://t.co/OsBSlBNeCU
— Eugene Kaspersky (@e_kaspersky) January 24, 2014
Many years have passed since then, and the whole factual story may never be fully recovered. The bottom line, though, is that the myth rooted in common unawareness and converted into a common knowledge. There were attempts to run practical tests in order to figure out whether the myth was at all feasible: for instance, Computerworld, an IT magazine, researched 100 key cards from different hotels exactly for this purpose.
In the end, they found no evidence any key card stored important personal data, apart from an encoded unique guest ID. This unique identifier serves a means of unlocking the doors or shopping on the hotel’s premises (where applicable).
— Eugene Kaspersky (@e_kaspersky) September 16, 2015
At the same time there are members of the media, who still think that the threat might be real and there used to be a method of recording additional information onto key cards – however, no one was able to confirm this assumption.
Anyway, no one would bother with such a tedious job as recording the data on key cards, as it’s utterly pointless, regardless of the recording technology used (a magnetic strip, a chip, or a contactless ASIC). That means, unless you are a passionate collector of hotel card keys, there is absolutely no reason to keep the key on checkout. At least, it’s way ‘greener’ and more efficient to return and thus reuse key cards to keep the amount of plastic at bay.
So, is the belief that hotel card keys store sensitive information a fact or fiction? Without a doubt, fiction