Travel documents, cash, mobile devices, cameras, jewellery and company documents – on holiday or on a business trip, tourists and business people alike often carry valuable objects in their luggage. For a small fee, many hotels offer a room safe for keeping important documents and valuables safe. However, these safes are not as secure as is often assumed. When looking at one popular safe model, G DATA SecurityLabs experts found serious security deficiencies. With a little technical effort, the safe can be hacked and cleared out in a very short time. If the safe has a magnetic card reader, it offers criminals the option of using skimming to access the data on the card and offering it for sale on the Internet or in special underground forums. G DATA is offering tips on what hotel guests should look out for when using safes.
The safe model investigated by the G DATA security experts could be opened using various methods. The safe can easily be opened using the master code provided by the manufacturer, which is only supposed to be used to open it in emergencies. Many hotel owners, however, do not bother to change the default code – making life easy for thieves. "We urgently advise hotel owners to change the master code in safes and to regularly check room safes for modifications," recommends Ralf Benzmüller, head of G DATA SecurityLabs.
What is skimming?
Skimming is illegally spying on data on credit or debit cards. This is done by modifying cashpoints, for example, so the contents of the card's magnetic strip can be read. In 2012 the Federal Criminal Police Office recorded 856 cases of skimming in Germany. Thieves can use this method to access credit card information and misuse it for criminal purposes. "Travellers should never use their credit card to lock a room safe, so that no personal information can be read from the card," reports Benzmüller.
Numerous ways to hack a safe
Another option for opening a safe is to hack the emergency lock. The hotel manager usually has an emergency key. However, after unscrewing a plate on the front of the safe, the lock underneath can also be opened using a false key. Alternatively, the code can be reset via a short circuit and a new one entered, which can then be used to open the safe. “A safe is not the worst place to store valuables. Their security, however, should not overestimated”, summarizes Ralf Benzmüller.
More at the G DATA Security Blog: https://blog.gdatasoftware.com/blog/article/hotel-safes-are-they-really-safe.html
Tips from the G DATA security experts on using hotel safes:
- Do not use credit cards: Hotel guests should never use their credit card when using a safe. If a safe is equipped with a magnetic card reader, the device may be able to read personal data.
- Do not take valuables: Before going away you should consider which valuables you will actually need on holiday. Expensive jewellery should preferably be left at home if possible.
- Activate anti-theft protection: Users should take precautions in case their mobile device is lost. Install security software on their mobile devices, including anti-theft protection. This enables the device to be located and locked remotely and all data stored on it to be deleted. With notebooks, the hard disk should be encrypted, leaving no opportunity for thieves to read the stolen data.
- Back up data: Before going away, create a backup copy of all data stored on an external storage medium.
- Note blocking numbers: Holidaymakers should note down the service numbers for their mobile phone operator and credit and debit card providers. The card, surf stick or mobile device concerned can be blocked immediately in the event of loss.
- Scan ID documents: Important documents such as identification papers, flight tickets, travel tickets and data on travel insurance should be copied before going away and kept separate from the originals during the trip. A digital scan of the documents can also be kept on a smartphone, laptop or USB stick. In the event of loss they will help when reporting an incident and replacing the documents.
- Note down the address of the embassy: When travelling abroad, travellers should note down the address and telephone number of the embassy or the nearest consulate. If your passport is stolen, the embassy can issue a replacement passport.
- Document losses: If the hotel safe is broken into, the traveller must notify the local police and document the losses. This might help the lost property to be reimbursed under the insurance in your own country.
G DATA_hotelsafe_front: The front of the model. In addition to a number pad to enter the security code, the safe also offers a magnetic stripe reader. Photo: G DATA
G DATA_hotelsafe_open: The open safe. It provides enough space for travel documents and valuables. Photo: G DATA
G DATA_hotelsafe_modification: The inner workings of the mechanism of the safe offers enough space to install hardware that intercept the credit card information, when used. Photo: G DATA
G DATA_hotelsafe_key: This is the emergency key, hotel manager have to open the safe in case of emergency. The lock is located behind a round plaque on the front of the safe. Photo: G DATA