I was speaking with a friend when he told me something interesting. Apparently some hotels embed your personal information into your hotel room key-card. Things like your name, and phone are written to the magnetic strip that you use to unlock your hotel door. This is the same key-card that most people simply toss in the trash when they’re done with their stay. Talk about a HUGE privacy hole!
In other news: you can buy a USB mag stripe reader – for cheap! I went ahead and picked on up, and it just arrived today:
Time to get Swiping!
Notes:
-For obvious reasons, I’ve substituted actual values with their meanings (CA => STATE)
-I’ve added brackets[] that were not present in the scan to group the information visually.
-I used a lowercase ‘d’ to stand for “digit” (a number)
-I used a lowercase “a” to mean “alphanumeric” (mixed letters and numbers)
First up, my CA Driver’s License. Here’s what was embedded:
[WEIGHT][ddddd][DLNUMBER]=[dddddddddddd]?+!![ZIPCODE] [CLASS]
[SEX][HEIGHT][EYE][HAIR] [addddddddddd][aaaaaaaaa];<?
I suppose I was a bit suprised at just how much information was embedded. I expected just the DL number. Something interesting to note, that means that anyone who swipes your ID (say to buy alcohol or get into a nightclub) can store all of your personal information including your address, height and eye color!
I decided to round up every card I could find with a Mag Strip. Here’s a few results:
UCD ID Card:
UCD Gym Card:
IKEA Gift Card:
Safeway Club Card:
AAA Member Card:
[d][ACCOUNTNUMBER]=[dddddddddddddddddddd]?
And some Finance Cards:
Wells Debit Card:
[ACCOUNTNUMBER]=[EXPDATE][ddddddddddddd]?
REI Visa:
[ACCOUNTNUMBER]=[EXPDATE][dddddddddddddddd]?+==[REIMEMBER]=?
Conclusions:
Although I didn’t have any hotel cards around to test the original claim, the mag stipes of the cards I did have were interesting nonetheless. Club cards tend to be well-behaved and only showed your account number amongst other digits (what I suspect are store codes and such). Financial cards have plenty of sensitive data in the stripe, but that’s no suprise. I’ll keep the reader around, and I’ll update this post if I come across any cards with overly-sensitive data embedded.