Can crooks use magnetically encoded hotel “key” cards to steal important personal information? That’s a question going around in travel circles these days.
As one concerned frequent traveler asked, “I heard that the newest form of identity theft is through the magnetic-stripe hotel door ‘keys’ that so many hotels use. Supposedly, those cards contain a lot of personal information, including name, address, and credit card number. Is this a real problem, and should I do anything about it?” Short answer: The preponderance of evidence suggests that key-card data theft is nothing more than an urban legend, but some travelers remain unconvinced.
Several outfits have tested the theory. Earlier this year, for example, the magazine Computerworld had more than 100 key cards tested: some collected by its own staff, some from employees of a professional testing organization. The overall conclusion was that the keys did not pose a security threat. Most of them contained only basic hotel data—name, departure date, and hotel folio number—that wouldn’t compromise anyone’s critical information. The cards that did include more were all encrypted in a way that couldn’t be read by a standard card reader. However, the publication found that a few older systems might not be so safe. Read Computerworld‘s report for full details.
The website TruthOrFiction.com looked into the situation and also labeled it an urban legend. Snopes.com, a website devoted to checking out all sorts of rumors, came to the same conclusion. Ditto the “Urban Legends” component of About.com. Additional sites coming down on the side of urban legend include BreakTheChain.org, Hoax-Slayer, and a bunch of others—if you’re interested, Google “hotel key card information” and you’ll see lots of other reports.
What probably happened
The websites indicated that all those key-card rumors probably originated with a single report, typically attributed to “Southern California law enforcement professionals.” That report was apparently leaked from the Pasadena, California, police department in October 2003, based on an observation of a single obsolete system. The Pasadena police department seemed surprised that a draft report, leaked unofficially, suddenly became a popular national chain message, seen by a large number of consumers. The department subsequently re-examined the question and issued an update, noting that its further investigations had revealed no security risks from the key cards.
Oddly enough, some of the sites that pronounced the rumor to be an urban legend nevertheless suggested travelers destroy their key cards when they check out rather than discarding them or returning them to the hotel desk. That’s like the old joke of the judge’s declaring the defendant innocent, then warning “but don’t to it again.”
Some risks are real
Even though key cards may not contain information useful to identity thieves, anyone who stays in a hotel runs some risks of identity theft, as do any travelers who use their credit cards anywhere else. Sadly, any employee of any organization that accepts credit cards can potentially steal your card data. You hear stories of waiters who have their own card readers and run your card through them as well as the restaurant’s machine. Hotel clerks, retail clerks, and others have similar opportunities to grab your numbers. Your protection lies not in keeping your card numbers secret—as long as you use the card, someone has those numbers—but instead in your personal vigilance and the verification systems used by merchants and banks.
As the final answer to the reader’s question, then, I’d say that hotel key cards probably aren’t a real threat to your personal identity data, and you probably needn’t do anything about them. But if you’re paranoid, destroy your key cards anyway.