A few years ago, a rumor made the rounds on e-mail and the Web that hotels were encoding room key cards with guests' personal information, and that any prospective identity thief with a card reader could gain access to your most essential private data.
The reports were debunked at the time by self-proclaimed mythbuster Snopes.com, which claimed that hotels didn't encode anything more than the guest's name and duration of their stay on the card.
"Even in cases where a hotel keycard can be used to purchase goods and services (e.g., at a resort complex such as Walt Disney World), guests' credit card information is not encoded on the cards themselves," Snopes.com said with its customary assurance.
"The cards simply contain a flag indicating that the guest has a credit card on file with the resort and is authorized to charge purchases to his room," explained Snopes.
In a slightly more authoritative debunking, Computerworld, an information technology trade journal challenged a top maker of magnetic card readers to find personal data on 100 room-card keys -- from Hilton, Holiday Inn, Sheraton, Westin and other major chains. The keys had been collected by staff members in their travels.
The cards yielded only strings of numbers and letters, according to Terry Benson, engineering group leader for MagTek Inc. in Carson, who did the tests, the Los Angeles Times reported. The magazine conceded that its sample was small and confined to the U.S., however.
The great hotel key mystery began on October 6, 2003, when Detective Sergeant Kathryn Jorge of the Pasadena, California, Police Department received information from a group of Southern California detectives who had formed a fraud investigations network.
One of the detectives said that during an investigaton, he came across a plastic hotel card key from a major hotel that had personal information -- name, length of stay and credit card number -- that could lead to identify theft and fraud.
The police sleuths now say that hotel executives have assured them that personal information is not included on their key cards.
But it's not necessarily the end of the story.
Snopes itself conceded tbat the report about hotels encoding key cards with personal information was confused with another, much more legitimate story -- that of identity thieves stealing key cards and turning them into "clone" credit cards using personal data that had been taken from other sources.
Seeing Is Believing
Adding more fuel to the fire, since the rumors regarding hotel keys were first supposedly debunked, instances have shown up around the country of hotel card keys actually containing personal information encoded by the hotel.
In Nevada, Deputy Attorney General Tracey Brierly saw some evidence with her own eyes. Brierly, a deputy attorney general in the state AG's Bureau of Consumer Protection, attended a High Technology Crime Investigation Association conference in South Lake Tahoe.
The speaker asked for volunteers to provide their credit-card style room keys, the ones with the magnetic stripe. Five or six people provided their keys, and the speaker swiped them through a credit card reader.
"Two of the keys brought up a name and partial address, and another one brought up a name, address and credit card number," Brierly said. "I had no idea this was even a possibility."
Brierly said she didn't know which hotel keys had the embedded information, saying she typically leaves the key in the room upon checkout, but won't any more. All of the hotels denied that such information is on their keys, but said guests were free to keep the keys at check-out.
In fact, at least one major hotel chain concedes it formerly stored credit card information on its keys but says it no longer does so, according to Janet Pope, spokeswoman for the Pasadena Police Department.
But Pope rejected the "urban myth" tag making the rounds about the keys. "It's not an urban myth; it can potentially happen," she told the Las Vegas Review-Journal.
Far from being a total debunking, the Computerworld story was sparked by an incident in which Peter Wallace, information technology director for AAA Reading-Berks in Wyomissing, Pa., reported finding personal information on magnetic hotel key cards when visiting three major hotel chains.
His curiosity piqued, Wallace said he carries a small card reader with him when he travels.
At one resort, he said, his card key contained credit card information, his address and his name. He said hotel officials expressed surprise when he showed them the results. Wallace told ComputerWorld travelers should take their access card with them and shred it when they get home.
Hotels Murmur Reassurance
The hotel industry continues to deny that there's anything treacherous about the keys. Just last month, American Hotel & Lodging Association president Joe McInerney issued a statement reiterating that hotels did not encode guests' personal information on their key cards.
Instead, the cards typically contain an identifying code that ties back into the guest information -- name, address, credit card, etc. -- that's taken at the front desk. However, when you get down to the pesky details level, a little backtracking occurs.
In some resorts or hotels, the systems used in the bar, restaurant or other concessions may not be tied back into the front-desk system that contains guest billing information. Those hotels might choose to encode credit card data directly onto the hotel key to allow credit charges to be made, Computerworld noted.
Information technology specialists insist that major hotel chains in the U.S. don't encode personal data on the card keys, but when pressed, admit that older systems are another story -- as are hotel systems outside the United States.
"There are locking systems in Europe that, when you check in, let you enter a credit card, guest name, everything [on the card]. But never in the States," Jocelynn Lane, vice president at VingCard AS, told Computerworld.
At the very least, the key cards can result in odd charges popping up on travelers' bills.
Those who blithely leave the keys in their rooms are counting on the front desk staff to quickly process their check-out and disable the account information that the cards link to. In larger resort complexes, where the cards can be used to make retail purchases in spas, shops and restaurants, the cards could be used to make some very expensive purchases in just a few minutes.
Besides their potential role in identity theft and unauthorized purchases, the key cards can get up to other mischief.
Brian Krebs, a security and technology columnist for Washingtonpost.com, related a story of Las Vegas police confiscating hotel keys from criminals, only to find they were encoded with data stolen from consumers.
The crooks would use them to buy goods at convenience stores and gas stations, as the low purchase levels were beneath the notice of most fraud-detection systems.
The still-unexplained data breach that led to a massive shutdown of debit cards issued from major banks, including Citibank, was attributed to identity thieves stealing data from a payment processor and encoding it on blank ATM cards. The thieves then proceeded to make withdrawals from victims' bank accounts, with no one the wiser.
What To Do
So what's a hapless hotel guest to do?
As Deputy AG Brierly suggests, your best bet is to take the card with you when you check out, then shred or destroy it when you get home. It costs you nothing to do so and the hotels don't care one way or the other.
Even Snopes.com, frequently quoted as "debunking" the threat, offers this advice: "[W]hen you check out of your hotel, you can retain or destroy your keycard" to eliminate the risk, however slight it may be.
The reassurances of hotel mouthpieces should be taken as the usual p.r. blather. After all, fraud, by its nature, is often committed by insiders who, understandably, conceal their activities from others within their organization, somewhat negating the soft-soap assurances of hotel executives who aren't likely to have any actual hands-on knowledge of how their systems work.
It takes only hotel employee who succumbs to temptation or intimidation to cause trouble.
The entire dust-up raised the ire of one consumer activist we contacted.
"Why is everyone so hellbent to assure consumers that their key cards are safe?" he fumed. "This is a little suspect, is it not? There is no risk involved in shredding your key card so why would anyone urge consumers to take the much bigger risk of relying on the honesty of everyone who has access to their personal information? Take the thing home and shred it."
Something to add? Tell us about it here.