Hotel key cards can present a serious ID fraud risk - fact or urban legend?

(05/05/2009)

Hotel key cards could potentially hold sensitive personal information. And according to some companies, hotel keycards might present an ID fraud risk to holiday makers as we head towards the holiday season.

Equifax believes there could be a very real risk that someone could access the information and use it to commit identity fraud. They say that magnetic key cards might include the customer’s name, part of their home address, their room number, the check in and out dates, and most crucially their credit card number and expiry date. When a guest returns their key card to the front desk, their personal information could stay on the card and possibly not get wiped until the card is reused for another customer.

However, since we first published this article, a number of hotel security experts have come forward to refute this point of view. The main reason is that there is no need for the keycards to have detailed personal data. The huge majority of electronic keycards contain nothing more than room and time information, and no personal information whatsoever.

They simply contain data identifying the hotel, guest room or folio number, check in date & time, check out date & time, and card issue sequence number. Other information kept on these keys could include time and date the key is valid from and to, the id number of the desk agent who made the key and which terminal the key was made on - but NO personal data about the hotel guest. Hotels will not even print the guestroom number on the key card for security reasons.

A number of hotel security professionals believe that the notion that hotel keycards contain sensitive personal information is nothing more than a urban legend - for more details see http://www.snopes.com/crime/warnings/hotelkey.asp.

In most hotels, the keycard system is not even connected to the front desk system, therefore there are no risks that confidential information can be encoded on the card. And even when keycards can be used to purchase goods or services, the credit card information is not encoded on the keycard itself.

A number of tests have been conducted and so far no card tested was found to contain credit card information.

However, it would be theoritically possible to store personal information on hotel keycards: “Many holidaymakers do not realise that hotel key cards can contain their name, part of their address and their credit card number” said Neil Munroe, External Affairs Director, Equifax. “And, in the wrong hands, that could provide some really useful information to get an ID fraud scam going. If consumers’ hand the cards back in to the hotel reception, or throw them away when checking out, they could make themselves particularly vulnerable to this unseen crime.”

Hotels may not erase the information on these cards until an employee reissues the card to the next hotel guest. At that time, the new guest's information is electronically 'overwritten' on the card and the previous guest's information is erased. But until the card is rewritten for the next guest, it usually is kept in a drawer at the front desk with the previous information on it.

“Hotel companies cannot charge guests for cards that are not returned” concluded Neil Munroe. “So the best advice is to take the card with you when you check out and cut it up when you get home. And if you arrive at the airport and discover you still have the card key in your pocket, don’t throw it the airport rubbish bin!”

Related topics:  Crime and Fraud Prevention   Smart card 

Print version | Email to a friend | Related articles

Data breaches: Trends, costs and best practices gives you all the latest information on securing personal and corporate data, key recommendations for immediate action to improve data security, and how to respond to data breaches.

Other Security news and resources