How Do Hotels Disable Lost/Stolen Key Cards?

A recent article in the Washington Post, You asked: Do hotel key cards store my personal data?, assured people that no personal data is stored on hotel key cards, but that wasn't what interested me.Citing an industry expert, the article said that hotel property management systems are not integrated with guest reservation systems, and so guest information has no pathway for ending up on a keycard.The reference to "hotel property management systems" led me to believe that the door locks are connected to a central property management computer. I imagined a conceptually simple system where key cards have only a unique ID number, and when swiped across the door lock the door lock would check that ID in the central computer to see if it should open the door. I posted a few comments based on that assumption.But I was referred to an earlier comment that explained how such systems actually work and said that they are not connected to a central computer. I realized that though the article had implied there was a central computer, it hadn't actually clearly stated it.Looking up hotel door locks on line I confirmed what this person said about them being standalone, but I'm pretty sure his information is dated, especially since he said he'd left the business back in the 90's. Searching a little more I found that the technology has changed. Yes, keyless door locks used to be standalone, and many, maybe even most, hotels might still have this type, but hotel door lock systems today are increasingly wireless.For instance there's SALTO, which markets a wireless keyless access system for hotels and businesses that communicates with a central system using WiFi. It works with key cards and also with cell phones using either bluetooth or NFC. And of course SALTO has competitors. I just returned from a stay at a Marriott with keyless door locks that accepted both key cards and cell phones, and while there was no way to tell the door lock type, my guess is that they were wireless.So disabling a lost/stolen hotel key card in a wireless system is easy. Just tell the central computer that the card has been lost or stolen. But I'm still wondering about the older technology, especially since there's probably a lot of it still out there. How do hotels with standalone door locks disable key cards?Not that physical keys don't have problems, too, but they sure are a lot simpler.--Percy

I did some reading around and it seems that at least some systems have “lost key cards”. If a card has been lost, swipe a lost key card in the lock and it won’t accept the missing card.

My guess is that even standalone door locks have a way to teach new cards to them or reset them to default (accepting no cards.)
This could be something like your garage door opener where you hold a (mostly hidden) button down for a few seconds.
Or it could be something like having a "master teaching" card that all stand-alones recognize as a "reset/teaching" card and then there's a minor procedure that may need to be followed (hold the card for 10 seconds... wait until light flashes... flash new card - ta-daa! all taught!)I worked with some RFID techology in the early 2000s... and it worked similar to that. No central system, but there was definitely a way to "teach new codes" to receivers.So - they may not have had a central computer where they could reset new cards at the comfort of the lobby desk.
They just would have had to walk up to the room and do the reset in front of the physical stand-alone unit, is all.

Yes, precisely, there must be a way to do it, and you describe some good approaches. I originally had a couple suggestions of my own that ended up on the cutting room floor, such as a little device, perhaps even a phone with an app, that could plug into a USB port to update the door lock.But I'm hoping to go beyond speculation and find someone who actually knows how they disable key cards, or at least one or two of the ways that they do it.A simple test of whether cards actually get disabled could be done if a hotel is found that uses standalone door locks. You check into a hotel room and are given a key card. You then report it lost but still actually have it. After the new key card is issued then you check if the old key card still works.To be honest I'm strongly suspicious that the old key card will work just fine. I think it likely that whatever approaches were originally put in place for dealing with lost cards, in many places the methods and equipment have long since been forgotten or broken and were a hassle anyway, particularly as hotel staffing has become more and more barebones. I bet they rely on hope that the fact that the lost key card has no room number on it is sufficient.It isn't, of course, but it helps that thieves keeping track of who is in which room and lingering in lobbies and kitchen areas looking for opportunities to lift cards would become obvious, and hopefully there are surveillance cameras. But thieves who spend only a single day at any hotel and then move on could probably make a pretty good living.In reading about this I discovered that hotel thefts are rarely reported to police (hotel staff encourages guests to let the hotel deal with it), and those that are reported to police are recorded not as hotel thefts but as normal thefts, so the statistics on hotel theft are kind of murky.--Percy

The way I’d do it is to have a newly issued keycard reprogram the lock. So you issue a new keycard for the room, and tell the customer to go use it.

I don't know if this will satisfy your knoweldge, but according to the RFID readers I've played with, this is how it would have been done in detail:

1. Keys do not get coded to a room. That is, a key will not hold "Room 202" or even "202."
2. Keys get coded to a receiver ("lock"). That is, a lock will have a stored value - say "25348667" or something like that (perhaps even 16 or 32 digits long...). A key will then be taught that same value "25348667." When the receiver reads the same value it has in storage - it triggers the unlock command and the door opens.
3. Lost keys do not get reprogrammed, nor do they need to. When a key is lost or missing or not returned... the receiver's stored value is updated (can be done with a "Master Teach Key" or a "Reprogramming Technique" as I explained in the previous post.) That is, the receiver no longer stores "25348667" but now stores a new number... let's say... "88853476".
4. This way, if the old key ever comes back and is attempted to be used... it just won't work because it doesn't match the stored value in the receiver. The receiver doesn't even "know" that this was "Room 202." All it does is look for a match and then trigger "whatever event" is linked to it.
5. The value stored in the receiver can be very long, and also set to be unique. That is, perhaps the first 12 or 16 digits/characters are the receiver's manufactured serial number (unique) and the second 16 digits are a random value. This way there is a "random number generator" for this receiver that is also always going to be unique for this receiver so keys won't accidentally work on other receivers.

I can't say that these details are going to be exact or not - but hopefully it makes sense enough to see a pathway for how it could have been done.Also note: Keys do not have to store "just a value" as I described here. It is quite possible to program, specifically, something like "Room 202" onto a key. However, in practice, I always found it easier to leave those interpretations to other systems (like a PC program controlling the entire thing, or even a manually-updated excel list to keep track of everything.) Because it's easy to maniuplate what a random (but linking) value means for what you want to do but if you have "Room 202" you're pretty much stuck with that indicating "this key is for Room 202."Example: If you use "Room 202" on a key and a receiver... and there's building updates and this is no longer Room 202, it's now Room 2002.... you have to update the key and the receiver for it to "make sense." Not only that... but you would have to update every key and every matching receiver in the hotel to the "new system" for them all to make sense. But, if you had matching random values as I described above... you wouldn't have to do anything. Just change the physical "Room 202" sign above the door to "Room 2002" and the matching-random-values system on the keys and receivers will work just fine and still "make sense" in their implementation.

That all makes sense, but I'm wondering about the "receiver's stored value is updated" part. I'm wondering how they do it for standalone door locks that have no wired or wifi connection to a central computer. Hotel staff would have to manually update them in some way. Possibilities are an internal screen/keypad or a place for device like a phone with an app to plug in or a dedicated device.If a couple checks in and one of them loses their card, then in a centralized system they can disable just one of the cards as long as they know which spouse received which card, but I imagine that they go the easy/safe route and disable all cards to the room.In a standalone door lock system, changing the door lock code would invalidate all the cards, so that's a secure approach.But if they don't update that code then that's a security hole because the dates of stay are in the card.The standalone door locks would have to have a different code for maid service, security, etc. You wouldn't want to have to update all those cards every time one of the door lock codes changed. And if one of those cards were lost or stolen then it would require changing all the door lock codes in the hotel, as might happen if the chief of security lost his keycard. These are such horrible scenarios in terms of time and manpower that I wonder if changing lock codes is not the way things are done.--Percy

No, the older locks already include a card-reader, so there’s no need for a keypad or anything else. They can be reset with a smart card (as Stile and I have both already mentioned).

I can't say for sure, and it's likely that there's a few different methods for different systems.But what I'm envisioning is this:

1. Key and receiver both match and function normally.
2. Hotel wants to update receiver value (for whatever-reason.)
3. Hotel takes a key (any normal key) and updates the key to the new value they want.
4. Hotel also takes the "Master Teach Key" with them.
5. Hotel walks up to the receiver and puts the "Master Teach Key" in front of the reciver for 10 seconds until a small LED in the receiver starts to blink.
   -this places the receiver into "Learn Mode" for the next 60 seconds and whatever next key value is placed in front of it will then be stored into the receiver and overwrite whatever-used-to-be-there
6. While the LED on the receiver is blinking, the Hotel puts the key with the updated value on it in front of the receiver
7. Receiver reads the value from the key and updates it's stored value
   -LED on receiver stops blinking at this point
8. Receiver automatically resumes "normal functionality mode" with the new, updated key value
9. Hotel replaces the Master Teach Key back into a lock-box they use for their own access as needed
10. Hotel gives the normal key to a customer and customer can use their new key as required

Does that make sense? Even in a centralized system, I think it would be easier to update a receiver instead of updating a keycard... but that doesn't really matter at that point as either would be acceptable.It is quite possible to have a stand-alone receiver that not only checks against one stored value, but has multiple stored values (let's say 10?) that it checks against. If a key matches any of those stored values then it can be used to unlock the door.
This would require 10 separate Master Teaching Keys or possibly 10 separate ways to use the same Master Teach Key (hold in front for 10 seconds or 15 seconds or 20 seconds or...) This will tell the receiver which of it's stored values you're about to update.Perhaps, while blinking, the LED on the receiver could even identify which stored number it's about to update. That is, something like a longer pause, followed by a few quick blinks and repeat... If you count the number of quick blinks - that's the stored value the receiver is in the correct mode for in order to update.This way, stored value #1 could be for customers - and get updated the most.
Stored value #2 could be for maids - and get updated rarely.
Stored value #3 could be for security - and get updated rarely.
...
Stored value #10 may even be un-updateable, and if any key ever matches this number it always unlocks the door. Like a failsafe just in case the unit gets hit by a kid playing with a larger magnet and that wipes-out all of the updateable data stored on the receiver (such a key would be locked away and almost never used, exept for such emergencies.) It's possible to have a more complicated receiver teaching process where the length of time the udpated value is viable is also taught into the receiver. Once that time is past, the receiver simply no longer checks against that stored value. Again - not much (other than a unique number) would be stored on the keycard itself... but any "control required data" (like keycards that can access the room or duration of viability...) are all stored and updated on the receiver itself.It seems to me that you keep identifying more comlicated scenarios - but refuse to imagine how the technology could be slightly more complicated in order to account for such scenarios as well.I am no RFID expert - I haven't touched the technology in 20 years, and only played with it for about 8 months back at the time. I did a pallet line where parts would shift from station to station. There were RFID tags on each pallet and readers at each station to identify exactly what pallet was where on the line (for part information tracking and eventual storage when the part was completed.)
My understanding and explanations are evolving as your issues/questions are updated... but I do think everyting I've described is easily within the abilities of RFID technology's early years.From what I remember... basic RFID could store "some" data... but not "a lot." We're talking... I don't know... 500 - 1000 characters in total? That's not a lot, but it's certainly plenty to have 10 (or even more) unique data storage locations. Once that's in place, it's more figuring out what you want to do with that capability than it is figuring out "what RFID can do."

In a centralised system I don’t think you’d update the card or the receiver - just the record which says that the card is authorised for access to the receiver.

I wasn't sure what this meant: Is the "receiver value" the door lock code and the "key value" the key card code? Wasn't sure, so I couldn't tell if this is just another way of describing what online articles say about how standalone door locks work, or something different. On-line descriptions of how standalone door locks work is that they have a unique door lock code and the current date, and that the key cards for them have the code of the door lock that they're for, and the dates of stay. I'm mainly wondering how they keep lost/stolen cards from creating security holes. Changing the door lock code would do it, but whenever I need a new card it's always just issued from the front desk, and I've always been able to go immediately to my room and didn't need hotel staff to first update the door lock code.--Percy

Yes, more specifically the "receiver value" is the number or string of characters stored in the receiver while the "key value" is the number or string of characters stored on the key card.Key cards are "writeable" from a special writer at the front desk.
Receivers are "writeable" using a special teaching technique similar to what's described. After I posted, I realized that this makes more sense.
If the receiver has the current date/time, and the card has a hard-coded "valid-until" date on it (changeable at the front desk) then the same functionality applies. This is simpler and more efficient than the explanation I provided for handling dates.The receiver will read the key card's code - and see if it matches any of the receiver's code(s) AND it will check the "valid-until" date on the key card and see if it's greater than the current date/time. I'm 75%-80% sure that what I'm describing is most likely how they function.
It just seems to fit so well and match up with the technology of the time.
Of course, I could still be wrong. Just because lobby staff should go change your receiver's code doesn't mean they will.
Laziness and poor pay are not excellent motivators. Especially if "they think" you'll be leaving shortly (one/two days...) and they have to change it again then anyway for company policy. Add in the possibility that the hotel you happened to be at wasn't experiencing a lot of theft at the moment (fairly likely)... and you'd get the situation you experienced.
I would assume the lobby staff simply gave you another key programmed to match your receiver and assumed that the lost card "wouldn't make a difference anyway" to them for a day or two or whatever your stay was.I used to travel a lot for work (different installations of automation across Canada and the US) - I do remember (only once) when a staff member came up to my room with me and "got my key to work" on the receiver. Then - I didn't really have any idea what he did. Now - I'm pretty sure he just did something like what I'm describing to the receiver. I believe I was having issues. Like - he had already given me two keys and neither of them had worked or something like that.ABE: Now that I was thinking a bit more on my past experiences... I think I remember that on some longer stays in some places I would have to go to the lobby and get new keys even though I wasn't switching rooms. Again - I didn't understand why at the time (and didn't care to ask.) But, this would make sense if they had an internal policy that all cards were only valid for 2 days or something like that... this way any key loss turning into possible theft would be minimized due to time-limit. One more reason why a lobby-staff may succumb to being lazy and not update your receiver.

I don’t have specifics, but a friend of mine who used to work in the hotel industry had mentioned that by sticking the new key in the lock, it makes the old key unusable.This was brought up by a business trip I had taken to Hawaii. I had been issued a keycard and when I entered the room, I walked in on someone in the room who clearly was not expecting someone to come into his room at the time. Oops! Back down to registration. Assigned a new room.When I told him about it, he had mentioned that the problems didn’t end with me getting my new room since, “When you put your key in the lock, you canceled his. When he left and tried to get back in, his key wouldn’t work.”This was back in the mid-to-late 2000s. The hotel was huge (the Hilton Hawaiian Village) and the tower I was in was not part of the registration complex. So while I cannot guarantee that they didn’t have some way of connecting the locks to a central system, I doubt it given the state of technology at the time.Thus, my guess is that for locks that don’t have a centralized system is that there is information on the key itself that indicates that it is the “active” key, overriding any previous keys. When it is inserted in the lock, the lock reads that information and cancels any previous key that was active. It may be something as simple as a mathematical sequence (possibly with a formula to encrypt the sequence so that it isn’t easily duplicated) that the lock reads and thus can determine that this is the “next active key.” While reservation information might be included, hotels do have people who want to extend their stay or cut it short. Those who extend usually aren’t given new keys but continue to use their current ones, so I doubt it (unless there is some metadata reason to include it). And those who cut it short will have their keys become unusable when the next guest uses the room, even if they don’t return the key.I had originally thought that the cleaning crew might have something to do with it since they are supposed to clean the room before the next reservation. They might have special keys that reset the lock. But the fact that I was able to get into the room while it was still occupied and my friend’s comment about my key canceling theirs makes me think that if there is something about the cleaning crew’s access to the room, that is a secondary option.

A simple sequence number would be sufficient (the simplistic protocol I dreamed up would use that).For cryptography you’d probably want to use a digital signature rather than encryption unless you’re storing information that needs to be kept secret on the card. But I wouldn’t want to promise that the locks do the sensible thing, and older locks might not use anything much in the way of cryptography (I’d hope that those systems would be replaced by now, though)

It would also have to handle when there's more than one guest in a room and each are provided key cards. And there's the case where guests who will be staying in the same room don't arrive on the same day. Let me see if I can find that reply someone posted to me about this...Okay, found it. There had been an article in WAPO assuring people that key cards do not contain personal data (You asked: Do hotel key cards store my personal data?) I posted a comment saying that I doubted that key cards needed to contain anything more than a unique ID code since everything would be figured out by the central computer that all door locks are connected to.I later realized that the key cards still have to work even if the computer or wifi or bluetooth or whatever they use goes down, so modern key cards must have all the same information as old style key cards, and modern door locks must have a "home base not accessible" mode that operates pretty much as the old style locks that had no central computer to talk to.But someone named lasios noticed my assumption about connection to central computers and replied in a way that made it seem as if door locks had all the information needed, no central computer required. But he was active in the industry way back in the early 1990's when the connection of door locks to central computers was probably rare to non-existent 's. But it made me wonder how the old systems worked. Here's what lasios said about them:

lasios:

---

I worked in programming of security systems, that include International Hotels (door locks and Key cards) in 1993/94.

​

This is what the system was in international hotel chains in 1993:

​

Every key card is programmable individually.
And every door lock is also programmable individually.

​

The Key card has the following information:
Card holder type, Floor No., Room No., Room Type, Validity from/to Date and time, Security access level

​

The Door Lock has the information:
Door Lock Type, Floor No., Room No., Room Type, Current Date and time, Security access level

​

If a hotel has a hierarchy of 5 security levels it would be a number between 1 and 5, and so on...

​

So when a guest checks in, the key card will only work for the room they have taken for those days, and the facilities they have paid for.

​

If a hotel security guard is in charge of floors 6 to 10, their key will open all locks of floors 6 to 10.

​

If a room cleaner is in charge of floor 7 their key will open all rooms on floor 7, but the phone/TV/Fan Etc. won't work.

​

A lock on the door to the common swimming pool is programmed so that any key can open that door (or it may be kept unlocked all the time).

​

I have since changed my field, but I am sure no card or lock has any personal or credit card or bank details.

​

However, they know that you used the swimming pool at what time, and on what days or what time you had breakfast, for improving their service or customer feedback.

​

The most vulnerable and informative thing is your cell phone, and your habits.

​

P.S. I don't own or use a smart phone, never did. Social media is a waste of time (my opinion).

---

Interesting PS. He doesn't consider participation in a comments section a form of social media.His comment also seemed inconsistent since if the door lock doesn't have a home base then how can the system know when you were at the swimming pool unless it puts it on your card where the information wouldn't be very useful to the hotel.Anyway, there's still open questions. There isn't much online information about the old systems, but modern systems have to continue functioning even when home base is offline, and under those circumstances they might work pretty much the same as the old-style locks. SALTO Systems website has a nice video somewhere on their site describing how their locks and key cards keep functioning even when the central computer is down or inaccessible.--Percy