My new journey into operational security. I’ll provide information that might or might not benefit anyone. In this short post, I’ll talk about Royal Caribbean Passes.

This card is used for everything on the ship. Some examples: buying drinks, food, shopping. Basically, think of a credit card that has NFC enabled. As for the actual technology, I cannot confirm the specific NFC version.

Let’s scan this card and get some results.

No Activity Name: [room] UID: [805BF4A2433704] Cycle: [1]

Based on the results, it looks like your room number is in a UID format. With this, you can scan some other cards and figure out the algorithm pattern.

What does this mean? You can use someone else’s drink package, you can go into someone else’s room, you can charge things to someone else.

What about the security protocol? I haven’t looked into the limits of my scanner. Yes, there is a high possibility that using an Android device as a scanner doesn’t cover all the bases/tracks.

How hard is it to print this card? Not hard at all. The front and back have a gloss finish. The back is in black and white.

I would have provided my full account number, but you never want to expose yourself or someone else. In any case, Royal Caribbean might not lock out charges. What am I talking about? The cruise ships run back and forth, with a very short time frame during the onboarding of new passengers. After one cruise, can you go onboard and use someone’s information from the last cruise? Most likely no, but when it comes to security, let’s be paranoid.

If this has helped, or you’d like more information and testing, comment below.