Unlocking Trouble: online key duplication a potential security risk
We wanted to try one of these new cyber locksmiths out, and assess any potential risk to people's security. Could we copy someone's keys without them knowing it? Could we enter someone's home using just a cell phone and a credit card?
Weekend anchor Bill Walsh walked through the CBS 58 building, and quickly found a potential \"victim.\" He saw a set of keys sitting on an unattended desk in the sales department. The owner of those keys was not in sight. Knowing the coast was clear, Walsh snapped photos of what looked like keys to a home. It took about 20 seconds to get these photos and leave undetected.
Next, Walsh uploaded the photos to keysduplicated.com. That same day, he received an email saying a key was on it's way.
Jordan Meyer, co-founder of Keys Duplicated, says there are many ways of copying keys without using his website. \"You could use a key mold, or what's called a key gauge, which is about $5 on eBay,\" Meyer said. Meyer said some keys also have a \"cut code\" stamped on them that would allow any locksmith to cut that specific key. Remember the code, you can get that key made.
Meyer says Keys Duplicated also has safeguards in place to make sure someone doesn't just walk by a set of keys and snap pictures. \"We manually review all of the orders,\" Meyer said.
That manual review actually worked on our experiment. Bill Walsh tried to order two keys from Keys Duplicated, and while they sent a copy of one order, the other order was denied.
Here's a transcript of the email Walsh received from Keys Duplicated:
Hi Bill. We cut this key and are ready to mail it to you. But it got flagged as suspicious.
Would you mind emailing me a photo of you holding this key in the palm of your hand? That'll prove to us you have physical access to the key. I'll send the key as soon as I get the email.
Sorry for this hassle. We have to do this sometimes for security.
Would these security measures thwart an auto mechanic, or valet, or a jealous girlfriend/boyfriend, someone with plenty of time to put keys \"in the palm of (their) hand?\" Meyer admits that \"ultimately is doesn't stop someone, but there is that barrier there.\" Along with demanding photos of the front and back of a key, plus requiring a valid non pre-paid credit card for payment, Meyer says there are \"too many hoops\" to jump through for a criminal to want to use his website.
The copy of the key that wasn't flagged took a few days to arrive in Walsh's mailbox. It was time to let the rightful owner of the key in on our experiment. A quick internet search revealed the address of CBS 58 account executive Kyle Stack-- he was a little surprised to learn that we could potentially enter his home without him knowing it, but he gave us his permission to try.
The key Walsh got in the mail was for the security door to Stack's apartment building, and using that copied key, Walsh entered Stack's building easily. Stack was shocked to see it happen \"that was almost better than the way my key works,\" Stack said.
Stack said this demonstration taught him an important lesson-- to treat his keys like he would his social security number or wallet. \"Now I've got them all tucked away,\" Stack said.