Hotel cards: Holding ID key?

HERE’S an urban myth that refuses to die: Hotel card keys are gold mines for identity thieves, who extract credit card numbers and other personal nuggets from them.

This rumor, generating millions of Internet postings in recent years, is based on a thin premise at best.

Now it’s been convincingly debunked by Computerworld, a Framingham, Mass.-based weekly trade tabloid for information technology professionals.

The publication challenged a top maker of magnetic card readers to find personal data on 100 room-card keys -- from Hilton, Holiday Inn, Sheraton, Westin and other major chains -- collected by staff members in their travels.

The result? Nada.

Even when scrutinized by a scanner the size of a stove top, the cards yielded only indecipherable strings of numbers and letters, said Terry Benson, engineering group leader for MagTek Inc. in Carson, who did the tests.

Card-key systems at hotels do keep secrets. They can monitor the comings and goings of staff, bill guests for restaurant meals and spa treatments, operate slot machines in casinos and more.

And in the future, you may be able to open your room door remotely, perhaps by waving a card or pointing your Bluetooth-enabled cellphone at it. At the front desk, a clerk you’ve never met may greet you by name, gleaning your identity -- and room preferences -- from a wireless pickup of biometric data.

All this technology is being perfected; indeed, some of it already is in place at a few sites.

For now, the basic magnetic-stripe card reigns as the king of room keys, used by most of the hotel industry, said Brian Garavuso, chairman of the technology committee for the American Hotel & Lodging Assn. in Washington, D.C.

The cards are popular because they are cheap, Garavuso said, so there’s little incentive to find a substitute.

“We assume all the guests are going to walk off with them,” said Thomas Spitler, vice president of front-office operations and systems for Hilton Hotels Corp. in Beverly Hills. “If we get them back, it’s a bonus for us.”

Birth of a rumor

AND what happens if someone walks off with your card key?

That question has spun a web of anxiety that may stretch back to 2003, according to the Pasadena Police Department.

That fall, officials said, a Pasadena detective at a seminar was told that another agency’s investigators had found names, addresses and credit card numbers on hotel card keys. She alerted other detectives to the possible danger, causing a chain reaction of rumor.

Later investigation showed that such personal data were not coming from hotels, but possibly from crooks who loaded information onto the cards, said Janet Pope Givens, spokeswoman for the Pasadena Police.

What happened next testifies to the power of the Internet: The identity-theft rumor raced around the globe.

“For two weeks straight,” Pope Givens recalled, “we did nothing but answer calls about key cards worldwide.”

In response, the department posted an explanation on its website. (It’s still there). The furor died down, but Pope Givens says she still fields calls in spurts.

The rumor’s latest revival was last fall, when an IT director at a travel club in Wyomissing, Pa., told Computerworld that by using a standard swipe-card reader he had read personal information on hotel card keys.

When Robert L. Mitchell, Computerworld’s national correspondent, posted the report on his blog, it drew 50,000 page visits within a few days, he said.

That interest, plus e-mailed responses replete with conspiracy theories, Mitchell said, inspired him to enlist MagTek’s Benson to put the cards to the test. The results were published Jan. 16 in Computerworld.

The bottom line, according to Mitchell’s article: “Most key cards aren’t readable because electronic lock systems use proprietary encoders and readers.” Those that could be read yielded, at most, alphanumeric strings or binary data, all unintelligible.

Although experts say it’s technically possible to load personal data onto key cards, MagTek’s tests failed to detect it.

Even if you could decode the cards, industry experts say, you wouldn’t find much there.

Typically, Hilton’s Spitler said, a magnetic-stripe card key carries the combination for a room’s door lock and an expiration time based on your planned checkout. After that time, the lock won’t work until a new card, with new data, is inserted.

“There is no lock system safer than electronic locks,” Spitler said.

A card key may also contain your hotel-assigned account number or room number, said Garavuso, which allows food or other charges to be billed to you.

When the server swipes your card key, it transfers the account number to the hotel’s computer system, where your credit card number may be stored in encrypted form. But the card, Spitler and Garavuso said, doesn’t carry the credit card number.

Big casino hotels load many functions onto guest key cards, which may carry three stripes, each with a separate portfolio number for the room, the casino and restaurant-and-bar service.

Even on those cards, “There is no tracking or personal information whatsoever,” said Chris Lawrence, West Coast sales manager for TimeLox, which supplied locks to the Bellagio, Venetian and Wynn Las Vegas.

In fact, a magnetic-stripe card can’t contain much data. Typically, it can hold 100 or 200 characters, MagTek’s Benson said, compared with 1,000 or more characters on microprocessors embedded in so-called smart cards.

The latter, which Spitler said can store data on thousands of rooms, are often issued to hotel staff members, such as housekeepers or engineers. Among other functions, the cards record when employees enter rooms.

Using that information, the hotel can monitor performance. If a housekeeper moves from room to room every 10 minutes, Spitler said, the employer might wonder: “Are they performing services as we intended?”

The data might also exonerate, or implicate, an employee if a guest reports a missing valuable.

Most new locks that Hilton installs, Spitler said, are dual technology, accepting both magnetic cards for guests and smart cards for staff.

Why not use smart cards for guest keys?

Cost, Spitler said.

Although declining to say what Hilton pays, Spitler said smart cards are a lot more expensive than magnetic ones, which he priced at “pennies apiece.” Other experts say smart cards can cost $5 or more.

At that price, forgetful guests could inflict a heavy toll on a hotel’s budget. Several years ago, Hilton tried giving smart-card keys to customers at the Hilton New York, an experiment that cost the company tens of thousands of dollars. The locks were finally replaced in 2003.

Really smart cards

IN the future, hotel key systems may require very smart cards indeed.

For instance, Lawrence said, TimeLox is experimenting with radio-frequency identification readers at a Swedish hotel. Guests enter rooms by waving cards in front of door locks. If they want to change rooms, Lawrence said, this system can remotely reprogram a lock on another room, sparing them a trip to the front desk.

Hilton’s latest locks carry seeds of other new technology. Besides handling today’s cards, Spitler said, they can be upgraded to provide biometric room access, based on the fingerprints of guests. The devices would not store a guest’s fingerprints, he added, just take an electronic impression.

But don’t expect to see biometrics at your local Hilton or any other big chain hotel any time soon. The market isn’t ready yet, Spitler said.

“If people are squeamish about what may or may not be on a key card,” he said, “you can imagine how concerned they would be about us taking their fingerprints.”

*

Jane Engle welcomes comments but can’t respond individually to letters and calls. Write to Travel Insider, L.A. Times, 202 W. 1st St., L.A., CA 90012 or jane.engle@latimes.com.