This weekend I checked out of the hotel I stayed at in Boston. Thinking I wasn’t going back to my room, I left my keys and other miscellaneous (non-personally-identifiable) paperwork in the room. Among said paperwork were a few complimentary drink coupons, which I realized I could use for coffee at breakfast.
With my hotel receipt in hand, I approached the front desk. The woman behind the counter asked my room number, which I gave, and said “but I forgot something in my room and left the key there.” She very promptly made me a new key and gave it to me.
What’s wrong with that? I never showed her my receipt or any other sort of identification. From her perspective, I could have had any 8.5″x11″ piece of paper. The security ramifications should be obvious.
Conclusion: Social engineering win. Hotel security fail.