IT security is always a big deal. We’ve heard of a lot of data breaches, and all sorts of different attacks (e.g. phishing, ransomware, etc) over the years. A security incident can cost a company its reputation and threaten its survival. But how much worse is it when IT security puts the very safety of your home at risk?
Contactless Check-In: Intro
Over the past year or so, I’ve stayed at some apartments and hotels in the DACH region that were “contactless”. They had no reception; they send you a code and you let yourself in. I’m not sure whether this practice was popularised by the COVID19 pandemic or was already well in force earlier, but I do understand the appeal:
- It minimises the risk of catching contagious virus for both staff and guests
- It reduces expenses for the company by not needing to pay reception staff
However, it also has some serious flaws:
- If there’s any problem with the accommodation, it’s a huge hassle to get someone to fix it.
- Even worse, if the entry code doesn’t work for whatever reason, you’re basically screwed.
- Still worse, having an entry code sitting in your mailbox is a security accident waiting to happen.
Let’s talk a bit more about that third point.
Don’t Send Passwords via Email
If you work in IT or have at least a basic understanding of the internet, it should be common knowledge at this point that sending passwords via email is a bad idea. Email is not a secure channel; each email message can go through a number of devices and servers, unencrypted by default, and can be compromised at any point during that journey.
That’s why every bank seems to invent its own secure messaging mechanism. They have to deal with enough fraud and security incidents already, and email is a relatively easy attack vector. And yet, I’ve written about cases of passwords being sent by email in the past, e.g. “The Shameful Web of April 2017 (Part 1)“, “The Pitiful State of the Web in May 2017 (Part 2)“.
Beyond the danger of being intercepted in transit, a bigger problem with email is that it can stick around for a long time. So if you have an email that contains a password, someone could obtain illegal access to your email on a server or on one of your own devices at some point in the future and, unless you’ve been diligently changing your passwords regularly, would still be able to use that password nefariously.
Nowadays, when you sign up for a new account, the best practice is for the service to send you a limited-time activation link that then lets you choose your own password via their web interface (securely over HTTPS, of course). It’s still risky, but there is a limited time window so an attacker would have to gain access to that email in the short time before the link either is consumed or expires. Using multi-factor authentication further reduces the risk considerably.
Contactless Check-In: Codes
If it’s so risky to send a password via email, how much worse is it to send a code that gives access to your hotel room or apartment?
There are a couple of places I’ve been to that send you a code for either the apartment or a key box that is valid for the first day. When you arrive, you use that code and get a key, which you then have to use for the remainder of your stay. This is similar to sending an activation link via email, so there’s a limited time window for an attacker. But I’d argue that the risk of someone getting into your room or apartment and robbing you is much higher than some prankster setting your Facebook profile picture to that of a horse, so I don’t think this approach is acceptable.
It gets worse. Vision Apartments send you a code that remains active for the duration of your stay (potentially several weeks or months), is the only way to access your ‘apartment’, and gives access to the front door of the building, your ‘apartment’, and your mailbox. That code remains active and is available to Vision’s staff as well as potentially anyone who gains access to your email during the entire duration of your stay.
- Did you accidentally forward the email to the authorities? Oops. They technically now have access to your ‘apartment’.
- Did you leave your home laptop or mobile phone unprotected while guests were around? Not great either.
- Did you accidentally fall for a social engineering scam and reveal your email password?
- Did someone brute force your email account’s password?
- Did someone intercept the email on one of the servers it went through while it was being sent?
Some of the above cases might sound stupid, but people do fall for scams all the time, and they are subject to identity theft, fraud, and other crimes. That’s bad enough. You wouldn’t want to leave your house keys hanging where anyone can just pick them up.
If someone manages to get hold of that email and code, they basically have control over your living space, your physical mail, your belongings, and your life. That’s pretty scary.
Note: I’ve already mentioned in “Surviving in Canton Zurich” that I had a terrible experience with Vision Apartments. The security aspect is one of many things that bothered me, and it would take a whole long article just to explain all of them. If you’re considering staying with Vision, do yourself a favour and don’t, or at least read some reviews first.
Conclusion
Whatever the reason behind contactless check-in, it’s a terrible idea. It’s both bad service and bad security. In fact, it’s a security accident waiting to happen. It might also possibly be in breach of data protection laws.
It’s not worth the risk. So before you stay at an accommodation, always make sure they do actually have a reception.