Computer, Mobile, & Internet Security Basics for Travelers
Today TPG Contributor Jason Steele explains why computer and mobile security are important considerations for all travelers, and how you can help prevent yourself from getting hacked.
Before I became a writer, I spent many years working as a computer systems administrator and technical support analyst at Boeing, IBM, and at state and federal government offices. Although I know quite a bit more about computer security than the average traveler, I recently had an interesting conversation with Imanuel Babadostov, who is a senior security consultant for OneWorld Labs, a computer security consulting firm in Denver. (He also happens to be my brother-in-law.)
Imanuel holds a master's degree in computer security as well as several certifications in the field. He also just returned from the Def Con Hacking Conference in Las Vegas, where all the leading "white hat" hackers share their secrets with each other. These are the computer security hobbyists and professionals who try to use their skills while staying within the law (although sometimes just barely).
Imanuel and I put our heads together in order to come up with the following advice on computer security for the traveling public.
Basic computer security for travelers
Business travelers need to work on the road, and vacationers now expect to be connected when they travel. Unfortunately, traveling leaves computer users far more vulnerable to security risks than when they're at home.
Here are some of the primary risks that travelers face, and some basic ways to counter these threats:
Since most web sites that you log into will encrypt data sent between your computer and the company's server, the easiest way for hackers to obtain your usernames and passwords is to simply record your keystrokes. A keylogger is often a small program installed on a computer that records all of your keystrokes, and is almost impossible to find. Keyloggers can also be hardware-based and embedded in the keyboard itself. Finally, someone could simply train a camera on the keyboard of a computer in a public place.
To defend yourself from keyloggers, you must be extremely cautious when using someone else's computer, such as one in an Internet cafe or hotel. It's astonishingly simple for someone to install a program or device and harvest the login information of hundreds of travelers. Once I understood how keyloggers worked, I never used a public computer for anything more than basic web surfing or printing a boarding pass (using only my name and reservation number). Now, anytime I have to log into anything, I always use my own personal laptop, tablet, or mobile phone.
Another important step towards defeating the threat of keyloggers is called two-factor authentication. This means that instead of supplying just a password (one factor), users need to supply a second authentication code. For example, Gmail offers users the option to enable two-factor authentication, and the authorization codes can be retrieved via a text message, an authentication app, or simply by printing out a list of codes for one-time use.
Since all of these authentication codes expire when used, they are useless if intercepted by a keylogger. If your online email account or bank account offers the option of two-factor authentication, enabling it may be the single most important step you can take to avoid being hacked. If your email system doesn't support two-factor authentication, you can temporarily forward your mail to one that does when you travel.
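To show why a logged one-time code is worthless on replay, here is an added example (not from the original article, and not how Gmail or any particular provider implements it). The `Account` class, its code format and the sample password are all constructed for illustration.

```python
import hashlib
import hmac
import secrets


class Account:
    """Toy login service (constructed): password plus a single-use code."""

    def __init__(self, password, count=10, digits=8):
        self._key = secrets.token_bytes(32)      # server-side secret
        self._password = self._mac(password)
        self._unused = set()                     # keyed digests of unused codes
        self.printed = []                        # the sheet the traveler carries
        while len(self.printed) < count:
            code = "".join(secrets.choice("0123456789") for _ in range(digits))
            if self._mac(code) not in self._unused:
                self._unused.add(self._mac(code))
                self.printed.append(code)

    def _mac(self, text):
        # Only keyed digests are stored, never the codes themselves.
        return hmac.new(self._key, text.encode(), hashlib.sha256).digest()

    def login(self, password, code):
        ok = hmac.compare_digest(self._password, self._mac(password))
        candidate = self._mac(code.strip())
        match = None
        for stored in self._unused:              # constant-time comparisons
            if hmac.compare_digest(stored, candidate):
                match = stored
        if not ok or match is None:
            return False
        self._unused.discard(match)              # burn the code on first use
        return True

    def remaining(self):
        return len(self._unused)


def replay_demo():
    """Traveler logs in on a keylogged PC; the same keystrokes are replayed."""
    acct = Account("correct horse battery")
    typed = ("correct horse battery", acct.printed[0])  # what the keylogger saw
    traveler = acct.login(*typed)
    replayed = acct.login(*typed)                # same keystrokes, later
    next_trip = acct.login("correct horse battery", acct.printed[1])
    return traveler, replayed, next_trip, acct.remaining()
```

The replayed login fails even though the password was captured correctly, because the code that accompanied it was burned the first time it was accepted.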
When you use your hotel's WiFi, how do you know it's really from the hotel? Part of the fun of the hackers' conference was observing how all of the participants attempted to hack each other's devices (as well as the hotel elevators and other systems). When Imanuel browsed the hotel's WiFi, he noticed dozens of access points that had similar names designed to sound like the hotel's own service. So when you check into a hotel, it's a good idea to ask for the exact name of the WiFi service, not just its password, as it's pretty easy for a guest to set up their own bogus WiFi service with a similar name.
Yet even when using the correct WiFi router, travelers should be aware that when visiting any site that's not encrypted, anyone else in WiFi range could intercept their information. To ensure a site is encrypted, its address should begin with HTTPS rather than just HTTP. For more about using your browser to verify a web site is encrypted, see these explanations from Microsoft, Mozilla (Firefox), and Google (Chrome).
To remove any doubt about the security of your connection, you could use a Virtual Private Network (VPN), which simply encrypts all traffic. VPNs are provided to employees by many corporations, and individuals can subscribe to these services. For example, Tor is a free, private, and anonymous VPN service.
Another safe option is to just "tether" your laptop or tablet directly to your mobile phone's connection, preferably with a USB cable rather than with a WiFi or Bluetooth signal.
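Once you have the exact network name from the front desk, the lookalike names described above can be picked out of a scan list mechanically. This is an added example, not part of the original article; the hotel name, the scan list, the digit-swap table and the 0.8 threshold are all constructed assumptions.

```python
import difflib
import re
import unicodedata

# Digits commonly swapped in for letters in lookalike names (assumed list).
_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

OFFICIAL = "GrandPlaza_Guest"          # constructed: name given at check-in
SAMPLE_SCAN = [                        # constructed: names seen in the lobby
    "GrandPlaza_Guest",
    "GrandPlaza-Guest",
    "GrandP1aza_Guest",
    "Grand Plaza Guest WiFi",
    "CoffeeShop_Free",
    "AndroidAP_4471",
]


def _fold(ssid):
    """Reduce a network name to lowercase ASCII letters/digits for comparison."""
    text = unicodedata.normalize("NFKC", ssid).casefold().translate(_SWAPS)
    return re.sub(r"[^a-z0-9]", "", text)


def classify(official, seen, threshold=0.8):
    """Label each scanned name as 'exact', 'lookalike' or 'unrelated'."""
    target = _fold(official)
    result = {}
    for ssid in seen:
        folded = _fold(ssid)
        ratio = difflib.SequenceMatcher(None, target, folded).ratio()
        if ssid == official:
            # Byte-for-byte the name the front desk gave you.
            result[ssid] = "exact"
        elif folded and (target in folded or ratio >= threshold):
            # Same name after folding, a padded version of it, or a near miss.
            result[ssid] = "lookalike"
        else:
            result[ssid] = "unrelated"
    return result


def lookalikes(official=OFFICIAL, seen=SAMPLE_SCAN):
    """Return only the names that imitate the official one."""
    labels = classify(official, seen)
    return [s for s in seen if labels[s] == "lookalike"]
```

An "exact" label only means the name matches what you were told; anyone can broadcast that same name.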
Securing your mobile devices
Hopefully you already know that you should password-protect your mobile phone and other devices. Beyond that, it's pretty easy to disable your WiFi and Bluetooth when you don't need them. In fact, you can do so simply by putting your device in airplane mode when you're not using it. As an added benefit, your battery will last far longer when you do. Another good idea is to use apps (like Android Lost and others) that can remotely track and disable your devices if they're lost or stolen.
When it comes to your laptop, you can encrypt the entire device using a program such as Microsoft BitLocker Drive Encryption. Just be sure to turn your laptop off when not in use, rather than leave it in hibernation or sleep modes.
For the hackers' convention, Imanuel left his laptop and mobile phone at home, and used an inexpensive "burner phone" purchased from Wal-Mart. These phones are pay-as-you-go, have a temporary number, and seem to be used by every criminal on television. These are extreme countermeasures, but they may be worth considering if you're headed somewhere that's a high-threat environment or if you have extremely sensitive information on your devices.
Securing your credit cards, bank account, and passport
Before I leave the country, I always notify my bank and credit card companies which countries I'm scheduled to visit, even if I'm just changing planes. This way, they won't place any false security holds on my account. I only need to do this for the credit cards that I take with me, which are always the ones with no foreign transaction fees and an EMV smart chip. Furthermore, American Express and some Chase cards no longer need to be notified of foreign travel.
ATMs are a great way to access cash when traveling, but you have to be careful when using them. One threat is called a skimmer, which is a fraudulent card-reading device placed on the machine and camouflaged to look legitimate. Another method of attack is to observe your PIN by looking over your shoulder or even by using binoculars. To avoid this threat, be discreet, and try to use the ATMs inside a bank branch. This way you have the benefit of added security, and I find that many banks even have a small secure booth for ATM use after hours.
Another thing to consider is RFID, which is a wireless signal that can be emitted from your credit cards and passport. Basically, someone close to you in a line or an elevator can carry a device that can scan and read these documents. Granted, they can't get enough information to clone your credit card or your passport, but many travelers might still find this information to be sensitive. To counter this threat, look for a wallet or sleeve that has a built-in RFID shield.
Finally, no discussion of basic computer security would be complete without mentioning social engineering. This is the idea that hackers can gain access to your information by directly interacting with you, rather than through your machines.
For example, you could receive a call in your hotel room from the front desk, indicating that there was a problem running your credit card. Of course, the call is not really from the front desk, and the person you read the number to will quickly use it to make a fraudulent transaction. So anytime you receive a call purporting to be from your bank, ask for a name and extension, hang up, and then call back using the phone number from the back of your card. The same principle applies anytime you're contacted by text or email, or if a person claims to be from "technical support."
You face numerous threats to your data when you travel, but you don't have to be a computer security expert to counter most of them. By taking a few simple steps to enhance the security of your devices, you can give hackers every incentive to target someone else instead.