Plastic hotel “key cards” with a mag-stripe are notoriously unreliable (at least a 5% failure rate). They can easily be demagnetized and stop working, even by proximity to cell phones and small fashion magnets (unlike payment cards, which are more resilient). I run mag-stripe payment card security tests, and the hotel cards that I sometimes use to calibrate and test my card reader (they usually have a 3-track .500″ stripe with the data stored on a very small spot on track 2) have always been the most prone to failure.
With that in mind, I recently stayed at a chain hotel that issued me a generic key card. After a day or two the key stopped working. Maybe I was expecting it to stop working, but when it failed the first time I went straight to the front desk and asked that it be reprogrammed. To my surprise the hotel clerk, whom I had not seen before, just asked me what room number I was in.
I said, “I think it’s #305.”
She ran the card, hit a couple of buttons, and handed it back to me.
Then I said “Oh, sorry, it’s actually #302.”
She smiled, took the card back, ran the same procedure and handed it back to me.
At this point I was outraged and found my mind racing through a checklist of security controls. Laptop hard drive encrypted. Check. USB drives encrypted. Check. Laptop physically cabled to desk. Check…
I was amazed by this giant gaping hole in security procedure. Anyone, and I mean anyone, can get an old hotel key from any of their world-wide locations (they do not collect them — no revocation procedure) and just have it programmed by the front desk to get into my room.
I sent a formal complaint to the hotel management and then I heard nothing more about it…until I read a sad and shocking story in StlToday.
Hughes tried to enter a room on the same floor as his room at the Sheraton, and then went to the front desk to tell a clerk his key didn’t work. The clerk issued him a key for the room number he provided but failed to check to make sure it was the right room, Byrne said. The clerk has since resigned.
Hughes “really had it all screwed up on what his room number was,” Byrne said.
Thus, at least one hotel chain in America has security so lax you can walk in with an old key and they — no questions asked, no verification required — will program it for a free room for the night. You only have to give them a room number, which obviously is trivial to figure out, even if you’re “highly intoxicated”.
I would like to take this moment to point out that the problem is not with a clerk. Their resignation does not fix the vulnerability.
The St. Louis molestation case above has now publicly disclosed the danger of the exact vulnerability I reported to the hotel. A hotel’s key management policy and procedures may let anyone else, and I mean anyone, into your room.
The obvious, free and easy solution is for a key to be programmed for a door only after the front desk performs a simple authentication check (confirming that the person holding the card is the registered guest of the room they name) before authorizing the encoder. There is no excuse for such poor key management. Firing a clerk is not a solution; this example also casts a dark shadow over encryption as a solution for payment card security in the hospitality industry.
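As an added illustration (not code from this post or from any hotel’s property management system), here is a Python model of the two front-desk procedures: the one described above, which re-encodes a key from a stated room number alone, and the hardened one, which first matches the person to the reservation record for that room, refuses expired reservations, and logs every denial so repeated wrong-room requests become visible. The reservation table, guest names and dates are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Reservation:
    room: str
    guest_name: str
    checkout: date


@dataclass
class FrontDesk:
    reservations: dict            # room number -> Reservation (constructed sample table)
    audit_log: list = field(default_factory=list)

    def reissue_unverified(self, room: str, today: date) -> dict:
        """The procedure described in the post: the stated room number is the
        only input, so any old card can be re-encoded for any occupied room."""
        res = self.reservations.get(room)
        self.audit_log.append(("issued", room, None))
        return {"room": room, "valid_until": res.checkout if res else today}

    def reissue_verified(self, room: str, presented_name: str, today: date) -> dict:
        """Authenticate first (does this person match the reservation for the
        room they named?), then authorize the encoder. Denials are logged."""
        res = self.reservations.get(room)
        if res is None or res.guest_name.casefold() != presented_name.casefold():
            self.audit_log.append(("denied", room, presented_name))
            raise PermissionError(f"{presented_name!r} is not the registered guest of room {room}")
        if today > res.checkout:
            self.audit_log.append(("denied", room, presented_name))
            raise PermissionError(f"reservation for room {room} ended on {res.checkout}")
        self.audit_log.append(("issued", room, presented_name))
        return {"room": room, "valid_until": res.checkout}

    def denied_attempts(self, presented_name: str) -> int:
        """Detection hook: repeated denials for one name mean someone keeps
        naming rooms that are not theirs, which is worth a manager's look."""
        return sum(1 for kind, _room, name in self.audit_log
                   if kind == "denied" and name == presented_name)


def build_desk() -> FrontDesk:
    """Hypothetical two-room hotel used to replay the scenario in the post."""
    return FrontDesk({
        "302": Reservation("302", "A. Guest", date(2010, 1, 3)),
        "305": Reservation("305", "B. Guest", date(2010, 1, 2)),
    })
```

With `build_desk()`, the unverified path hands “A. Guest” a working key for #305 and then #302 with no questions asked, while the verified path issues only the #302 key and records the #305 request as a denial.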
The cards fail often enough that hotels and their staff are probably under some pressure to reduce the cost of reprogramming them. Reasons for card error include the following:
- User — key used incorrectly
- Admin — wrong room number or check-out date
- Magnet — fields affected by static, cell phones, card cases, bags with magnets, metal clips
- Card material — sub-standard (non-compliant) keys, re-use of failed keys
- Lock mechanism not maintained
- Lock environment — dirty/humid
- Lock battery not maintained
- Software not maintained — encoders and locks out of sync
- Encoders not maintained
The entire list of reasons together is still not enough reason to remove validation from key management. Hotels should not be allowed to abandon the security of their rooms and guests just because the key system often fails, especially given that the reasons for key failure are well known and the repairs are easy and inexpensive.