Hotel Insecurities: How Safe Are We In Our Rooms?

rjmcgarvey01

 

The creepy video that has been making the rounds got me to wondering: Just how safe are we in hotels?

The video in question shows a security expert, Jim Stickley, breaking into a hotel safe – using a tiny screwdriver and a bit of wire – in a matter of seconds.

These are the very safes we are urged to stash our valuables in of course. (Note: I never use them, haven’t ever. There always are better places to hide stuff in rooms.)

If the safes aren’t safe, what else isn’t safe in today’s hotel room?

Let me count the ways. From faulty information security practices to much worse, hotels in fact create a lot of risk for every traveler.

For instance: we all know it is increasingly unsafe to use credit cards at hotel gift shops or restaurants.  Hilton, Trump, White Lodging, Destination, Mandarin Oriental – the list of breached hotels where hackers stole credit card data goes on and on.  

Maybe the poster child is Wyndham which, said the FTC, suffered three breaches in two years.  Hundreds of thousands of consumer accounts were compromised, per the FTC.

An obvious conclusion: as an industry, hotels simply have not invested appropriately in cybersecurity, and that is dumb because hotel guests are – almost definitionally – attractive targets to crooks. There may be some hotels that have got the message, but the norm seems to be skinflint security that hackers make a mockery of.

One conclusion: never use a debit card at a hotel.  It just is unwise because protections are fewer than with credit cards. With the latter, generally, losses are capped at $50 (often $0 at many issuers). With debit cards losses can be much higher.

But my advice: pay with cash, or sign to your room, at hotel gift shops and restaurants – and really think about moving your business to places that take Apple Pay, where the tokenization of data will probably keep you safe in hotels.  Apple Pay thus far has limited availability at hotels but the numbers likely will grow, fast.  

Of course you also know: don’t trust hotel WiFi – it’s child’s play for a criminal to sniff all the traffic on the network and even to grab data out of thin air – and hotel business centers are petri dishes for malware. I won’t even print out boarding passes in business centers and, as for WiFi, I create my own hotspots because that is vastly safer.

While we are at this, just don’t trust hotel room locks.  Break ins remain common, sometimes even while the victims are sleeping in the rooms.  

As for the door locks themselves, apparently many have known vulnerabilities that make them easy to pick. In one well-known gambit a dry erase marker is used to pop open doors. Oh, the chains too are typically easy to neutralize.

Hotels, too, attract petty criminals – such as the armed robber who made off with 3000 Euros from a money changer in New York’s Plaza Hotel.  

And sometimes slick, smart criminals such as the perpetrators of the $153 million jewelry heist at an Intercontinental in Cannes.  

And then there are the really big worries. Off and on – such as immediately after the 2008 takeover of the Taj Mahal Palace in Mumbai by murderous terrorists – there are fevered discussions of how hotels are tempting and obvious targets for terrorists. But in the US – certainly outside Manhattan and Washington DC – there does not appear to be much sophistication about security. Certainly nothing I would stake my life on.

All this said, when I do an inventory of my own losses at hotels over decades of travel, it comes down to a few bucks in padded charges on bar bills. Never anything stolen from my room. Under $100 in total losses.

But still I will tell you this: I long ago ceased to have any confidence in hotel security. It just is not consistent and often it is no good. I do my own security and I suggest you do the same. Trust yourself and your preparations, and your sleep – in whatever bed you find yourself – will indeed be safe and sound.
