Wednesday, October 15, 2008

Recognizable Compromise - I was ROBBED!!!

Interesting experience this morning at my hotel in Boston.

I woke about 4:30 this morning with an upset stomach. I opened my door to see if the USA Today was there (it was). I read for maybe a half hour and went back to sleep. At 7:00 my alarm went off and I got up. About 7:40 I put my watch and wedding ring on the bathroom shelf to get into the shower. After my shower while getting dressed I looked for my watch and ring, but couldn't find them. Even though I was "sure" I put them on the bathroom shelf, I looked on the dresser, the desk, the bed, and all around wondering where I could have put them. I found a disposable coffee mug on the floor between the bed and the wall and thought how careless the cleaning staff must have been the day before to have left behind a coffee mug. I picked it up to throw it away, and it was nearly full of still warm coffee. I don't drink coffee.

I looked in the closet - nobody there. I went to the door (a few minutes before 8:00) and noticed the chain lock was not locked. I opened the door to see if anyone was still in the hallway - nope.

The hotel detective arrived perhaps 10 minutes after my call. He had a printout of all my door openings and closings. We saw my opening of the door at 4:30, but no closing of the door until ~7:57. I had noticed yesterday that the door sometimes sticks and I have to pull or push it to get it completely closed. In my early morning stupor, I was evidently not very thorough about closing the door.

The detective is now looking at surveillance tapes and records of other doors near mine that were opened near 7:57. Perhaps a crime of opportunity - an unlocked door with an audible shower on. Sadly there is no surveillance camera that can see my door; the only one is by the guest elevator. I don't think it can see the stairway exit from there either. Hopefully the thief passed within view of the elevator.

The desk is at the wall furthest from the door. I think I must have turned off the shower (scaring the thief away) before s/he made it that far into the room. My wallet was on the desk. My computer was on the desk, unlocked (hey - I was still in the room), and with my SecureBadge in the card reader. That's quite eerie, because my day job colleagues and I just recently had an email debate on whether a TPM chip in a notebook coupled with the TPM chip's PIN constitutes two-factor authentication. In comparing TPM to smart card, we considered this exact scenario and arrived at the conclusion that stealing a PC with a TPM chip and PIN is the same as stealing a PC together with the user's smart card. If you use a smart card for Windows logon (like I do), do you leave your smart card in the hotel room when you go out to dinner? Or do you travel with your smart card in the same bag as your PC?

This experience highlights to me the importance of one consideration for assessing the strength of various authenticators; i.e., recognizable compromise. If the thief had not left their coffee mug, I'd still be scratching my head wondering where I put my watch and ring.

1 comment:

Dave Kearns said...

Scary, Marty - hope they catch the sucker.