Network News

X My Profile
View More Activity

Street-Level Credit Card Fraud

Until recently, Las Vegas police officers couldn't figure out why some of the prostitutes and drug addicts they arrested were found carrying multiple hotel room keys and slot machine player's club cards. When confronted, the suspects said they kept them as souvenirs or found them on the sidewalk. The cops initially assumed that the cards were stolen, or -- in the case of the prostitutes -- perhaps belonged to some of their more frequent clients.

"It was getting fairly regular that in post-arrest inventory, we would find eight to 10 room key cards ... all from different hotels," said Dennis Cobb, deputy chief of the Las Vegas Metropolitan Police Department's Technical Services Division.

The mystery began to unravel when a LVMPD officer slid one of the keys through a machine that reads the data stored on the card's magnetic stripe. Each swipe revealed a 16-digit credit number, a date, a person's name and the name of a bank. That's right, the keys functioned exactly like credit cards, allowing the carrier to pay for merchandise at any store or market where customers do their own swiping.

"The people who had these cards on them were using them in transactions with local businesses," Cobb said.

The revelation is hardly a surprising one for a city that had the nation's second highest rate of identity-theft complaints to the Federal Trade Commission last year. Cobb said the stolen card data comes from a variety of sources, but he said it is not unusual for service-industry workers who owe money to a drug dealer or a bookie to be handed a handheld magnetic stripe "skimmer" and ordered to periodically collect up to 100 accounts as a means of erasing their debt.

The discovery led Cobb's division to team up with researchers from the Identity Theft and Financial Fraud Research and Operations Center (IFFROC) at the University of Nevada, Las Vegas to devise technologies that police could deploy in the field to detect various types of fraud.

Hal Berghel, the center's director, said the people who are usually caught with key cards use them primarily at convenience stores, gas stations and other places where purchases are less than $20, which is below the scrutiny threshold for most fraud-detection technologies.

"By the time the bottom feeders get the cards, the data on them has already been shared with the organized criminals, who will bang on a credit card though mail-order and Internet purchases," Berghel said. At that point the cards are "throwaways that can only be used a couple of times before they're canceled."

Last year, Berghel filed a patent application on behalf of IFFROC for a technology called "Cardsleuth," software he demoed for me when we met up last week in Washington. He hopes that one day a pen-sized device will be used to read magnetic stripes and alert the user when unexpected data is found. Berghel and his team are working on a prototype, which he said could be updated periodically via a USB-based docking station.

Berghel said the technology could be especially useful in the case of a 9/11-type emergency by helping authorities distinguish first responders from those individuals -- be they terrorists or merely looters -- who might take advantage of a chaotic environment.

"There is still a need for on-the-spot validation of credentials where you have a convergence of emergency workers, many of whom have never seen each other before," he said.

Update, 11:45 a.m. ET: Apparently, I didn't make it clear enough what is really going on here. This post is not suggesting that hotel room keys are being encoded with credit card information by the hotels, which has always been something of an urban legend/e-mail hoax (see Snopes and previous discussions on Slashdot.) The folks I interviewed for this piece said the encoding was being done by the criminals (or more specifically, fraud rings who sold them to street hustlers who would wring every last dollar out of the cards before they were cancelled). From the crooks' perspective, the idea behind this is to be able to anonymously use someone else's credit card at a physical location; someone who got arrested holding someone else's actual credit card would have a lot of explaining to do, but hotel room keys are likely to be overlooked or set aside for what they appear to be.

By Brian Krebs  |  March 6, 2006; 8:00 AM ET
Save & Share:  Send E-mail   Facebook   Twitter   Digg   Yahoo Buzz   StumbleUpon   Technorati   Google Buzz   Previous: Malware-Speak Spooks Symantec
Next: OMB: Modest Gains in Federal Cyber Security


I find this story surprising as the hotel room key as credit card belief was completely debunked by a recent article that examined hotel keys, card readers, and interviewed the makers of these systems just a few weeks ago. The items reported here are completely opposite as to what SANS reported just a few weeks ago.

Posted by: Chris | March 6, 2006 8:30 AM | Report abuse

Are you saying we should trash our room key cards instead of turning them in at the desk upon check-out?

Posted by: Bartolo | March 6, 2006 8:47 AM | Report abuse


It sounds like in this case the card was rewritten with the same data as a credit card, thus they are using any card with a compatable mag strip.

In the situation the SANS discussed, they concluded that a hotel key written by the hotel does not contain your credit card info. However, that doesn't mean someone can't take the card, erase the existing data, and rewrite any new data they want (but they have to supply the new data which would be different than what is already on the card). Presumably, as in the story above, this would pass as a stolen hotel key to the casual observer, not a stolen credit card.

Posted by: Jon | March 6, 2006 9:50 AM | Report abuse

Chris, You know, I meant to address that urban legend/e-mail hoax in the body of this blog post, b/c I thought it was kind of funny that there appears to be a grain of truth inside each of these legends.

But if you really examine what I'm writing about here, you'll see we're talking about two different things fundamentally.

Posted by: Bk | March 6, 2006 10:31 AM | Report abuse

I think the confusion comes from the fact that you didn't really explain the situation - I read your column as meaning that hotel key cards are routinely imprinted with my credit card information, while you're saying the thiefs are just using hotel key cards to hold credit card information that was stolen in the usual way, is that right? Confusing post, buddy.

Posted by: h3 | March 6, 2006 11:36 AM | Report abuse

H3 -- see the update to this post. Tx

Posted by: Bk | March 6, 2006 11:57 AM | Report abuse

Clearly the room keys are just being used by CRIMINALS as blank recording media. Many hotel room keys have the same form factor and magnetic strip as a credit card. The credit card reader doesn't care what the card LOOKS like, only that the magnetic strip is in the correct position.

It is funny though. Some time ago, I happened upon an episode of "COPS" with the Las Vegas Metro Sheriff's Office, where deputies were arresting prostitutes and pimps and speculating why they had so many room keys. No one made the connection, and they just assumed they were actual room keys.

(Contrary to popular belief, prostitution is NOT legal in Clark County (Las Vegas and its surrounds), Nevada, nor is advertising it. The brothels are in other counties.)

Anyway, now we know WHY they had so many "room keys." You have to admit, criminals are not stupid.

Posted by: Bubba | March 6, 2006 2:36 PM | Report abuse

I thought the the article was pretty clear on how the data gets onto the cards.

What I don't get is, don't US shops need a signature for credit card transactions? We most certainly do in Australia. Sure, the shop keepers don't often scrutinise the signature but they would certainly be suspect and ask for the card if you swiped and then pocketed it.

Posted by: Jeremy | March 6, 2006 10:38 PM | Report abuse

Thanks for the update on your story. You had me confused as I was reading your article until I reached the update part. It all makes sense now.

You might want to move the update higher or make it part of the original story so that others are not confused.

Posted by: Brian Krebs | March 6, 2006 11:17 PM | Report abuse

Jeremy: No, signatures are not needed at many automated places like self serve petrol stations, you just swipe your card and put it back into you wallet then fill the car up. Even at places that should look at your signature, most do not, they just swipe your card and hand it back to you.

Posted by: Brett | March 6, 2006 11:38 PM | Report abuse

I used to work at a large midwest resort, which uses the VingCard system. And it very clearly had a credit card, name, room number, and various hotel property system gobbeldygook on it. Your best defense is to return all your keycards to the front desk, or to microwave them if you don't mind the smell of burning plastic.

A good way to find out the likelihood of identifying information being stored on your room key is to try and see if the key-making machine is connected in any way to the front desk computers. If so, it probably is encoding that information on to the card.

Posted by: Cory M | March 7, 2006 1:53 AM | Report abuse

"I think the confusion comes from the fact that you didn't really explain the situation - I read your column as meaning that hotel key cards are routinely imprinted with my credit card information, while you're saying the thiefs are just using hotel key cards to hold credit card information that was stolen in the usual way, is that right? Confusing post, buddy."

It was clear enough to me, brefore the update. Don't blame the author for your own poor reading comprehension.

Posted by: programming since before you were born | March 7, 2006 8:17 AM | Report abuse

no. the writing in this article sucks, which is a shame because it's an interesting story. just because some geek can figure out what he's really trying to describe is totally besides the point. why can't he say it himself?

Posted by: earwig | March 7, 2006 10:05 AM | Report abuse

How exciting for me - I posted a comment that raised controversy! I write news for a living, and I know (as does Mr. Krebs) that the whole point of writing is to communicate. To your audience. Not just to some members of your audience who are capable of reading between the lines. Thanks for the update - that clears it up!

Posted by: h3 | March 7, 2006 12:02 PM | Report abuse

One day a pen-sized device will be used to read magnetic stripes. Yeah, that will be very useful for all the criminals who want to stole my card info quickly.

Posted by: Fedor | March 7, 2006 5:33 PM | Report abuse

Guys this was a great article. There will always be differring views but the important thing is that we are all aware of the scam!

Posted by: Nyabereka | March 8, 2006 10:36 AM | Report abuse

I guess that the word privacy does not really apply in today's situation. It also shows what kind of performance internet security has done to countless number of people who became victims of such scams. If this kind of scam would continue, banks and other financial insitutions would lose their business and the "legal" consumers would be greatly affected by it.

Posted by: elaine | March 20, 2006 9:42 AM | Report abuse


Posted by: Anonymous | March 27, 2006 1:02 PM | Report abuse


Posted by: Anonymous | March 28, 2006 2:15 PM | Report abuse


Posted by: Anonymous | April 8, 2006 11:20 PM | Report abuse

i am having a problem where a job is claiming i am misusing my gas card now i just got fired i think that the gas attendent that i get my gas from stole my number as for my pin only me and him know the number but they put the blame on me can you guys help me? what can i say to people who will call me because they are appealling my case. i am innocent but they have me in a corner where i cant get out plz help thank you

Posted by: tony | April 25, 2006 4:52 PM | Report abuse

yeah when you have ripoff credit counseling organizations like delray you're gonna get ripped off!

"Delray Credit Counseling is a non-profit educational service that offers a variety of financial educational services. Ranging from non-profit free credit counseling, debt consolidation, budgeting, understanding credit reports and scores as well as understanding credit card charges."

Posted by: Laila | May 3, 2006 12:42 AM | Report abuse


Posted by: Anonymous | May 3, 2006 8:35 PM | Report abuse

I think the article has not communicated the risks and their origin. Apparently in this case all what was being done was that the Hotel key cards were being used as data carriers.
To explain this is like going to a staionery shop and buying a box of floppy disks and then copying data onto them.Now in this it is not feasible to puchase blank plastic magnetic stripe cards.
Hotel key cards are easily available and all such cards normally conform to
Iso -7810 the international standard for credit cards.A card reader responds to the physical card and the data that exists in the stripe[encoded]Thus it is simple to skim data from a live card and copy it onto a key card.So long as there is no physical verification of the card there would be no real way to detect this.
It is precisely because of this problem that the credit card industry is now migrating to the smart card standard.
I write this article as a person who has been in the industry for the last 20 years.
More details of different card types as well as personalisation can be had at

Posted by: Hemant Jain | July 11, 2006 7:17 AM | Report abuse

The comments to this entry are closed.

RSS Feed
Subscribe to The Post

© 2010 The Washington Post Company