Staying Safe on the Road: Infosec for Smart Travelers

It is a war for your data when you travel.

The irony is that many, many pages are filled with advice on how to avoid pickpockets in Rome, muggers in Manhattan, and crooked taxi drivers in Rio.  But bad as those threats to your safety and wealth may be, you have a lot more exposure to real – and huge – risks that arise with theft of your information, your identity, your banking specifics.  And all that can easily happen to the unwary traveler who may not even realize he has been victimized until long after the theft.

Risks may be worst for vacationers.  That’s because business travelers, using company gear, often travel with substantial built-in protections.  A VPN that encrypts traffic may automatically kick in when the business traveler goes online.  Access to risky sites also may be denied. Many companies – most big ones – build in layers of protection into the devices they issue.

The vacationer on the other hand has his/her guard down – they are having a good time! – and they also may not be using the company gear and if they are, they may have turned off things like VPN.

They are prime targets.

So are small business executives and especially owners. Those companies usually skrimp on IT security and crooks know it.

Our inattentiveness makes us easy pickings. When Credant Technologies – a data security company now owned by Dell – wanted to know how many laptops and phones are lost at airports, it contacted seven big US airports and got numbers for just one year.

Guess how many devices were left behind.

Over 8000.  Few were reclaimed.

Most were left behind at TSA checkpoints, presumably by a distracted, frazzled passenger.

This is all the more stunning when we acknowledge that for most of us our lives are on our devices, at least on our smartphones.  Everything a criminal needs to know to be you is on your phone.

That is why it has become so crucial to protect our data on the road.  We are our devices.

But we don’t act that way.

Another question: how many mobile phones are stolen at TSA checkpoints?  Keep in mind that even when the system is working smoothly, there is a minute or three when a phone passes out of the owner’s eyesight.

First

Nobody knows how many phones vanish at checkpoints but guesses from multiple experts is that a significant number of phones do in fact disappear at TSA checkpoints, quite possibly in focused attacks intended to steal this phone because its owner works at target company XYZ or otherwise is a high profile person.

Don’t snicker. It wasn’t a phone, but a laptop, however the CEO of Qualcomm’s laptop was in fact stolen some years ago at a conference where he was a presenter. He took his eyes off his laptop for maybe 10 minutes as he chatted with audience members one on one after his presentation and when he looked back, poof, the laptop was gone.

Some believe this was a case of very high level industrial espionage.  That is belief, not fact, but it may be true.

A lot of crooks want your devices. Sometimes it’s industrial espionage. Sometimes identity theft. Often it’s just criminals who deal in stolen hardware.

Theft happens.  Be prepared for it.

Next question: when you leave your laptop in your hotel room to go out for breakfast, who’s guarding it?

Right. Nobody.

One more question: when you log onto a conference’s WiFi – or in-flight Gogo – who may be listening to your traffic?  Right, you don’t know, but know this: any of dozens of bad actors may be listening whenever you log onto public WiFi and that also includes hotel in-room WiFi.

Getting the message? It really is a war out there.  But smart travelers know what they need to do to stay safer.

This is your cheat sheet on staying safe on the road.

None of this is hard. Harder by far is straightening out your life when you fail to do the obvious and a crook capitalizes on your laziness.

First step: “Make sure your devices have updated software,” said  Robert Siciliano, security expert with BestCompanys.com.  That matters because often updates are security patches and criminals, often, scan their environment hunting for unpatched devices. When they find one, they unleash a known exploit that gives them control of the device. It happens that quickly.

Make it part of your routine. As you pack, set any devices you plan to bring with you to update, both the OS and any/all apps.

Second step: set PINs on smartphones and tablets. On iPhone, tap SETTINGS, tap Touch ID and passcode. Follow the prompts.

Similarly, set up PINs on iPads and Android phones and tablets.

A plus of setting a PIN on an Apple device is that when you do, by default all data is encrypted. That’s an extra level of security.

Table

On Android, go to SETTINGS, SECURITY, and enable encryption.

Really smart hackers can get around security – see the FBI’s efforts to read the contents on the infamous San Bernardino iPhone – but for most of us there is no need to fret about that level of skill.  Simple barriers will keep most crooks at bay.

You still fret? For you there are new encryption apps that essentially provide a level of protection beyond Apple or Android. Will they guarantee that a state agency cannot hack your phone? It is hard to make that promise. But, again, most of us will not encounter that level of interest and, for ordinary citizens, most encryption tools provide plenty of privacy protection.

While you are at this, make sure you have enabled “Find My iPhone” or similar on Android and also tablets and laptops.  Nuke a lost device’s contents remotely. That handles that worry when a device is lost or stolen.

If a device goes missing, nuke it. Don’t wait. That is the fatal mistake made by many wishful thinkers – “if I wait a few hours it will show up.” No, probably not.  Take no chances, nuke the contents.

Those three steps taken, you are way ahead of most travelers.  But travelers face a litany of threats, from public computers to public WiFi. Step by step below we go through what else needs to be done to stay safe wherever your travels take you.

 

Public Computers

Don’t even think about using a hotel business center computer.  Ditto for any other shared, public computers, in libraries, occasionally coffee shops, etc.

Said Cesar Cerrudo, CTO for IOActive, “travelers should avoid using public computers, such as those found at cyber cafes, kiosks and hotels, for accessing their email, social media accounts, or even business systems. These computers can be compromised with spy software (spyware, key loggers) and could capture all the data, such as usernames and passwords, personal information, etc. the traveller types into the computer.”

These attacks are so rampant that a couple years ago, the US government issued a warning about hotel business centers.

The problem with business centers in particular and public computers in general is that most are un-monitored and unstaffed. A crook needs only to walk in, activate a computer – probably with counterfeit credit card – then download malware to the computer.

The probability of that crook ever being caught is slim to none.

Just don’t use public computers at hotels, convention centers, airports, libraries, wherever.  Just don’t.

 

In-Room Devices

Leave a device in a room when you are out and you are inviting snoopers.

Should you put your devices in the room safe?

Hah. YouTube is filled with video showing how easy it is to open any room safe.  Think on it.  How often do travelers use the safe but forget the combination they set – so they need hotel help to open it.  Safes need an easy default path for opening and, it turns out, almost all have exactly that, such as a default password of 0000.

Don’t trust room safes.

Some travelers ask the front desk staff to stow their stuff in the hotel’s safe but then you are dependent on the honesty and diligence of the front desk staff.

Savvy travelers generally try to carry on themselves all the technology they have brought.  Go out to dinner with an iPhone in your pocket and an iPad in a rucksack and you have your security in your own hands.

What about your laptop? Some travelers have stopped bringing them at all. Others stow a laptop in their suitcase under a pile of dirty laundry – and some bring especially smelly socks just for this purpose.

By all means, set a PIN that’s needed to activate your laptop – or a biometric if that’s an option – but keep a device out of a crook’s hands is the better protection.

Accept this: leaving an exposed device in a hotel room is inviting trouble. Formal security procedures for CEOs at many Fortune 500 companies specifically prohibit leaving devices unattended.  CEOs of course have traveling assistants, maybe security, they can call upon to babysit a laptop during breakfast. You don’t. But know what the 1% do and that gives you a sense of what you need to do too.

Always guard your devices on the road. Always.

 

Crossing International Borders

Word of advice: you have no data safety when crossing international borders.

None.

This is true even for US citizens entering the US.  A border agent can access device data without a search warrant.

For some years, security consultants have told clients to assume all their devices are copied when entering China.

Russia and Israel are said by some experts to do likewise.

Still other countries copy data of at least some people crossing their borders.

This happens very fast. You will be separated from your devices and, a few minutes later, re-united but all have been copied.

Countries will insist this is a matter of state security. Cynics believe it often is old-fashioned industrial espionage.  Either way, expect more and more of this to happen.

How can you protect yourself?

In entering countries known to clone devices, the core security advice is to bring clean devices with no content.  Buy a $200 Google Chromebook, a cheap flip phone (under $50), and you are in business.

What about entering the US? First, the US is not known to copy that many devices.  But secondly if you are concerned, only bring clean devices cross border even if you are a U.S. citizen returning home.

It does happen in the US. Ask San Diego businessman Idin Rafiee who in 2012 was boarding a plane from San Diego to London. A federal agent came up to him and told him all his devices – laptop, iPad, cellphone – were to be detained because the government suspected child pornography.

He was allowed to fly to London.

Eventually it was revealed child pornography was never an issue.  The government suspected he was selling goods to Iran, in defiance of US bans.

It happens even in the US.

 

Use the Cloud

Devices go missing on the road.  If you’ve encrypted, probably you are safe – but take one more step.  Keep as much data as possible off the devices and in the cloud.  Even if you lose your iPhone, if all the goodies are in iCloud, the lost phone is just hardware.

The value for you is in the data, not the hardware, which is easily replaced.

Apple, Google, Microsoft all over cloud data services at nominal prices (often free for small amounts).

Use them and in effect outsource that security to a tech giant.

 

Bluetooth Madness

“Don’t use Bluetooth,” said Danvers Ballieu, a London based VPN and computer privacy expert.

Many experts said likewise.

But many users are dependent on Bluetooth, to connect everything from earpieces to keyboards to phones and tablets.

The problem with Bluetooth is that it throws off a trail.  In its write up for a Windows utility called Bluetooth Viewer, the maker said:

“What can you do with BluetoothView ?

If you have neighbors or family members that use a cellular phone with Bluetooth turned on:

  • You can easily know when they come home and when they leave, by using the ‘First Detected On’ and ‘Last Detected On’ fields.
  • Each time that a new device is detected, BluetoothView automatically displays an alert as a balloon in your taskbar. This means that you can detect when your neighbors/friends/family members are coming even before they knock on your door”

There are many more utilities and even tiny handheld gadgets that sniff Bluetooth.

But just imagine if somebody is tracking your movements by following your Bluetooth trail.

The cure is simple: shut down Bluetooth unless you absolutely require it right now. Don’t leave it on by default.

 

Never Use Public WiFi

Last

From coffee shops to airports and hotel rooms, free public WiFi calls out to the traveler.  Don’t use it, said Jerry Irvine, a Chicago based information security expert.

Here’s the problem with public WiFi – it is rather easy for a skilled professional to hop into the network and grab packets of information. All that’s needed is a packet sniffer – for sale for as little as $100 – and this snoop is in business.

You cannot assume data sent over public WiFi is in fact safe from prying eyes.  Often it is not.

Travelers’ WiFi is especially tempting because, by definition, travelers have money. That makes them attractive targets.

“Use the personal hotspot on your phone,” said Irvine.

On iPhone, go to SETTINGS/Personal Hotspot.  Turn it on and you can link other devices to it and get online via a private channel.

Downsides are that a hotspot chews up battery life and also data plans.  But for security of data, it cannot be topped.

Understand that the ban on public WiFi networks is complete and even includes Gogo, the inflight service. A USA Today reporter has documented how his Gogo traffic was intercepted by a hacker.

It happens.

That is why more security conscious travelers are skipping Gogo and reading or watching movies on planes.

If you resolve not to use public WiFi on the road your data security will be dramatically stronger.

 

Beware of Fake WiFi

A favorite criminal ploy is to set up rogue WiFi in high traffic places such as airports and hotels and give them relevant names such as “Airport WiFi1.”  Sign on and the criminal can inspect the content on your device and may even download malware.

These rogue networks often look slick, with the criminal stealing appropriate logos from the real airport or hotel.

How to tell if it’s a rogue network? First off you shouldn’t be on it anyway – read the bit above about avoiding public WiFi.

But if you feel you must avoid that counsel, be especially wary of very slow WiFi – that is often a sign that something very bad is happening.

But – honestly – you just are much better off using your own hotspot.

 

Use a VPN

You absolutely need to use public WiFi? There are cases where that’s true.  In some basement meeting rooms, there’s no cellular reception and where there is no cellular, there are no hotspots.

Some resort hotels, far from big cities, have awful cellular.

But in almost all cases, public WiFi is on offer.

Baillieu said the solution is to use a VPN – his company offers one such – and that’s because a VPN (Virtual Private Network) encrypts the data as it goes into the Internet.

Even if a criminal intercepted it, “he would see only gobbledegook,” said Baillieu.

Word of advice from many travel security experts – use VPNs. Employees of big companies often are required to.  But the experts said that the rest of us should do similar.  More companies now offer low cost personal VPNs via apps – $3 to $5/month are common fees – and the payoff is a jump in personal information security.

This also means that public WiFi can be used in settings such as hotels.  Security experts still would not do sensitive work – such as logging into a bank account – via the shared WiFi, even one with VPN protection.  But for a lot of everyday Internet work, VPN provides a measure of safety.

Read that again: do not log into financial accounts using public WiFi even with a VPN shield.  Smarter is to access the account via the cellular network on your phone.  That will usually be vastly safer.

 

Don’t Sell – or Buy – Points or Miles

It’s tempting to buy 25,000 air miles – a free flight! – or maybe sell a similar amount except for this fact: airline terms of service explicitly prohibit this.

Another reason not to do it: You open yourself up to identity theft.

Said Jessica Coane at travel rewards site Pex+: “There’s a whole ‘underground’ marketplace of travelers buying and selling their miles and points. Aside from the fact that this is against the policy of these loyalty programs and can have you permanently banned, travelers often need to provide their account information to complete the sale. By providing that login information, travelers are giving easy access to their full name, passport number, various addresses and phone numbers, saved credit card data, and a slew of other personal information.”

Read that again. Completing the deal may involve giving the other party full access to your loyalty account and, from there, a hacker may be able to leap into your account at the airline – and that could mean buying tix and hotel rooms.

 

Still Not Enough

You are doing all of the above.  Know this: “All of the above tactics still aren’t enough,” said Siciliano. “‘Shoulder surfers’ could visually snatch your login credentials while you’re typing away at the airport lobby or coffee shop. ‘Visual hackers’ may also use binoculars and cameras. A privacy filter for your screen will conceal what’s on your screen. If they’re right behind you this technology will alert you. You should use a privacy filter even when your back is to a wall.”

Good privacy filters are plentiful but, said experts, few of us use them. You may not need one in your office – that might be excessive – but when traveling, good advice is to use a privacy filter wherever you go.

There are a lot of prying eyes on airplanes, in airports, and at busy conferences and conventions.  Don’t make it easy for them to know your business. Use a privacy filter.

The aim of a privacy filter is to show a sneak only a blackened screen.  That means your data stays safe.

You’re afraid you will look paranoid if you use a privacy filter? Probably you will. But you know the old joke: you are not paranoid if you think people are following you and they are.

When it comes to data theft, assuming it is happening is in fact the rational position to take.

 

The Bottomline: How Safe Can You Be?

Some security experts pessimistically shrug when asked how to stay safe on the road. “Don’t go,” said one with a chuckle.

That’s probably hyperbole however.

Sort through the threats and this is what you are up against:

  • Security lines at airports
  • Public WiFi
  • In-room insecurities
  • Bluetooth gone bad
  • Public computers
  • Stolen or lost devices

The remedies are simple.

Stay hyper alert in airports, especially in security lines.

Don’t use public WiFi. Create your own personal hotspot.

Don’t leave exposed devices in a hotel room when you are absent.

Turn off Bluetooth.

Never use public computers.

PIN protect and encrypt your phones and tablets.

Use a Virtual Private Network at all times.

Just take those precautions and probably you will be fine.

Do this and are you safeguarded against nation state security probes? No.  But if you follow our other advice – bring as little data with you as possible (leave the rest in the cloud) – you will likely do okay.

 

A Final Precaution

One last step: be especially vigilant about monitoring credit/debt charges after a trip.  Substantial credit card/debit card theft occurs in hotels – particularly in bars, restaurants and gift shops.

Question every suspicious charge.

You almost always will be reimbursed. But you have to question charges first.

So here’s the real secret to travel security: Realize that it’s up to you to take steps to stay secure and you probably will. Count on others to keep you secure and probably you won’t be.

It’s up to you.

We will be happy to hear your thoughts

      Leave a reply