Hotel safe(ty)
-
Off somewhere nice this summer? Like a lot of people traveling, Vivaldi security expert Yngve Pettersen brings along a number of valuable items. His laptop for starters. Are hotels and booking sites taking guest security seriously?
-
I keep backups of important data on two USB Flash drives. These are so tiny that they are easily carried on a keyring. The data is stored in encrypted 7-Zip Archives.
I install Vivaldi and Opera 12.18 on a VeraCrypt-encrypted drive. Any other potentially sensitive documents are also stored there.
-
Good that the insurance companies don't look too closely at the safes - because many of the hotel safes are unsafe. They may look more or less impressive but many models have "backdoors" which are known to the crooks.
-
@QuHno
The hotels do need the ability to open those safes, especially when the previous guest left the safe locked (I have had several such cases, the last one just a few months ago), so while access to those kinds of tools will be limited, there are limits to how secure the safes are. Security will always be a tradeoff between various factors, which is why, if the "evil maid" is a concern, you need to take different precautions than if it isn't that much of a concern. Short of packing your own safe in the (carry-on) luggage (good luck trying to get it through security and accepted by the airline), and securely mounting it in the hotel room, some tradeoffs have to be accepted.
-
:knight:
Digital data is becoming one of the most valuable items a person has with them.
-
@Chas4 You can have all my digital data, do whatever you want with it if you're able to do anything with it, but don't touch my wallet.
-
@iAN-CooG The digital data may be payroll info or other HR info (yes, people sometimes travel with that info), so the data could be enough for security questions on sites, or to do even worse things.
-
That's why you encrypt your data.
-
@yngve said in Hotel safe(ty):
@QuHno
The hotels do need the ability to open those safes, especially when the previous guest left the safe locked (I have had several such cases, the last one just a few months ago), so while access to those kinds of tools will be limited, there are limits to how secure the safes are.
Indeed. I always had my suspicions about those safes and had to call to get one opened once - it was easy. So I know that any staff who really want to get in (and want to risk it) probably can.
On holiday we only take small old gadgets - either the tablet with videos and music but no sensitive data, otherwise the (encrypted) netbook. Just have to risk it when leaving camera, passport and wallet. On business trips the laptop goes where I go.
-
It would also be nice to know in advance if the hotel actually has reasonably secure safes, and knows how to keep them secure.
For instance, some hotels use safes with electric push-button combination locks, which have a "Super User" or "Administrator" mode that allows a hotel employee to open the safe. If the hotel doesn't bother to change the default code set by the factory, then that could easily allow anyone who is aware of the default code to get into the safe:
https://www.youtube.com/watch?v=De0D7otNxME
-
I work for hotels.com and have passed this feedback on to my colleagues in Product
-
@draki Fantastic! Thanks so much!
-
@mossman: It seems to be that a large part of this is about ticking boxes, so that insurance pays out.
I would argue that it is still (probably) a bit more secure. I would assume (perhaps completely incorrectly) that only a sub-selection of staff can open it, at least in bigger, more professional establishments.
Another assumption I could make is that it would be harder for non-staff to take things. A good con artist might be able to convince cleaning staff to let them into a room that is being cleaned (or just finished cleaning). It would be a harder social engineering task to get them to open the safe for you as well (albeit perhaps not always impossible).
But even if my assumptions are completely wrong, again you are still better off from an insurance perspective because they rate it as more secure in their T&C, thus you will be reimbursed.
-
@draki: Awesome!
-
@quhno: I am sure they are perfectly aware but don't care because it gives them a nice reason to refuse to pay (and thus more profit), that looks somewhat reasonable to the average person who reads their terms and conditions… after losing all their stuff.
Almost nobody reads them before, right?
-
@quhno: I also think that some level of security (albeit imperfect) is helpful. I mean it will still deter a sub-selection of potential criminals, e.g. many opportunists who found your room open or staff who do not know how to get into the safe.
Case in point for minimal security helping to block segments of the criminal population. I use pretty hefty locks on my bikes but when I am out on one of my unicycles I take a lock with me that costs a few euros and looks not much better than a piece of string (super light and easy to carry though).
It is really only good enough to deter kids and trouble makers who might grab the unicycle as a joke and chuck it in the river, and that is all I need.
This is because unicycles have little resale value and any level of customisation makes them readily recognisable to the very small community of enthusiasts who might want to buy them. Thus no serious crook would bother, since you can't sell it. Another class of criminal, who might take it for themselves, could be interested in a bike but probably not a unicycle because, odds are, they can't ride it.
So it is a crappy lock but that doesn't mean it isn't useful.
-
@ruario said in Hotel safe(ty):
A good con artist might be able to convince cleaning staff to let them into a room that is being cleaned
No con artist needed for hotels with most electronic locks and some mechanical locks.
As investigations by penetration testers even showed for new hotels, it was often only a matter of seconds to get into a room and it didn't take much longer to open the safe. The "backdoors" are the weak spot - similar to "backdoors" in encryption - and they are known to professional crooks.
Both locks are only good for deterring the occasional thief and to make sure the insurance pays. (I still wonder how they cover data loss ... err, right: Not at all.)
My first remark in this thread was only meant as:
If you want security on your vacation, don't take anything you don't need with you.*
Business or high profile customers are a different matter - but they should secure their electronic data anyways. Even better do a complete wipe, install a clean system, pull the data in from their company server when they need it (while making sure that it is end to end encrypted - you can't trust "on-the-fly" transport encryption) and don't keep it stored afterwards.
Computers are replaceable, but the data on them often is not, or at least it doesn't belong in public.
Benefit: Keeps nosy customs sniffers from ~~stealing~~ putting a levy on your data too.
(We are all terrorists, you know. The PATRIOTS act got only a new name as "freedom act" and several other countries have similar legislation.)
-
Why is the headline photo changed? I liked the one with the corridor.
-
@solidsnake: It's 30C in Oslo, we suddenly remembered it was summer. We still have the old image on social media.
-