Interestingly I found myself in Dubai this past week, attending the GISEC security conference, one of the big tech conferences in the region. Now I am a fan of Dubai, the weather is warm, well bloody hot if I am honest, the hotels are the best on the planet for the money, and I always feel safe wandering around Dubai, even if I am wandering around at 3:00am because my body clock is still on UK time.
But here’s the thing, I went to check in to my hotel on Sheikh Zayed Al Nahyan Road, walking distance of Dubai World Trade Centre, where all the big exhibitions are, and as per usual with all hotels they asked me for my ID. Now being a technology, security and hacker aware person, I always carry an outdated Passport with me, one that expired a few years back, that I use when people want to hold my ID or take a copy of my ID.
Why? Because I know weakness in systems exists, in fact I am often hired to find weakness in systems and the last thing I want the hackers to get is a copy of my Passport. Hard Rock Hotel & Casino Las Vegas, is the latest hotel to announce, last Friday, that hackers breached their systems and exfiltrated sensitive customer data, including credit card details, one of many hotels over the years to get breached.
They wanted my passport so they could take a scan of the passport, what was interesting in this instance was that my expired passport was rejected by the hotel. I asked why, clearly it shows who I am, which is the point of asking for identification, everything on the passport matched my registration and payment method details. They were insistent that they needed a “valid” ID, so I offered my Drivers License, a full picture License, with all my details on it, date of birth, current address, which completely matched my passport. My logic being if this got hacked from the hotel it would do less damage than losing my passport to the bad guys.
At the end of the day they just need to prove I am who I say I am, so I could check in to a room and both of these forms of ID, on top of my credit card certainly meets that requirements. Right?
That’s where it gets interesting, apparently they were scanning my Passport and instantly checking it for validity, because of a requirement for the Dubai police. It was explained to me that the Dubai Police required a copy of my current passport, which is requirement for every hotel guest in Dubai! Every hotel guest in Dubai, WTF?
I asked how long they keep copies for, what were their disposal procedures, and how do I know this data is in safe keeping? My answer was a blank stare from the hotel desk clerk.
I had been on the road for 12 hours by this point, and was not in the mood to argue the point, especially with the hotel staff that almost certainly could do nothing about the Dubai Police policy. So I handed over my Passport to be scanned, for a copy to sit on some random hotel server somewhere, for some random period of time, maybe even to be centralized in to some big database on a server in some nondescript foreign intelligence service building on the outskirts of Dubai.
I don’t like the idea of trusting the hotel with a copy of my current passport, was I happy about it, no, could I do anything about it, no, not then and there. I could choose not to visit Dubai again, which would be a shame as I like the country, but to be honest that is not that realistic as I work in IT security and the gulf region is a growing market for us. A growing market because hackers are focusing that region more and more.
So I will just have to get use to this bad taste in my mouth, every time I think of Dubai.