Modern field guide to security and privacy

How to keep criminal hackers from ruining your vacation

Following basic security measures, like leaving extra devices at home and avoiding public Wi-Fi, could be enough to protect your information while you're traveling.

Jon Nazca/Reuters
Tourists taking a selfie in southern Spain.

There’s a million things to think about when planning a trip – tickets, transportation, socks. While you’ve probably got a section on your packing list for electronics (don’t forget your charger!), you might not have thought about your devices’ security for the trip ahead.

Especially in unfamiliar environments and on public Wi-Fi, it’s important to keep your digital security in mind.

“This all kind of boils down to knowing your surroundings,” said Lysa Myers, security researcher at the cybersecurity firm ESET. “You don’t know who’s on the network with you or what their intentions are, so it’s best to air on the side of caution.”

That advice is essential for people headed to the Olympics in Brazil, which has become something of a hotbed for internet fraud according to cybersecurity experts.

In fact, US intelligence officials have urged Americans traveling to Rio de Janeiro to bring devices that don’t contain any personal information. The National Counterintelligence and Security Center began a multimedia campaign Wednesday to raise awareness about the digital risk, saying the Olympics are a “great playground” for attackers because of the “sheer number of devices.”

But wherever you're traveling, it's not a bad idea to consider safeguarding your data. Here are eight steps for beefing up digital security both before you go.

1. Try to bring a phone without any personal information

Do some Googling before your big trip, especially if you’re hopping on a flight to China or another country known to engage in corporate espionage. Even if you’re just taking a vacation, consider deleting you work email account from your phone because your company’s communications are valuable.

In fact, mobile devices have proven to be irresistible surveillance targets for foreign spies, and both Russia and China prohibit travelers from visiting with encrypted devices. Scrub as many of your texts, photos and notes as possible. If that's too difficult, consider buying a pre-paid for cheap. 

2. Don’t bring extra tech or info

That includes extra USB sticks, unnecessary backup drives, and even spare business cards of your colleagues and friends that may be kicking around in your wallet. Any extra information someone has about you could be used to attempt to compromise your device or steal your information, said Garry McCracken, vice president of technology at disc encryption company WinMagic.

While you might not travel with USB sticks on vacation, you might for a business trip.

“If your bag gets stolen or somebody goes through it at an airport or at a hotel room, there’s no sense in giving them extra information. And you don’t even know what you’ve lost if you’ve got a two-year-old memory stick in the bottom of your bag,” said Mr. McCracken.

3. Use strong passwords

That means you need to a password in the first place. Setting a password prevents someone from gaining access to your device just by turning it on, ESET’s Ms. Myers said. Make sure, too, that your password is strong.

“If you have a passcode on [a device] or a biometric scan like a thumbprint,” she said, “that makes it a lot harder for criminals to be able to do anything with it.”

To go a step further, Myers recommends changing passwords again once you return from your trip.

“A smart security person will change their passcode to something that they don’t use anywhere else while they’re on that network, and change it again when they get back home again,” she said. This prevents someone from continuing to access the device if the password is compromised.

4. Update software

A quick way to bolster digital security is making sure you’re running the latest version of your device’s software. This prevents would-be attackers from exploiting any known vulnerabilities in older software and delivering malware through fake software updates. It’s important to do this step at home, Myers said.

“There are a lot of scams that are already out there where they will try to target people on hotel networks with what look like software updates,” she said. “If you’ve updated them at home, you can just ignore whether that’s real or not until you’re back home again.”

As a bonus incentive for doing this at home, Myers noted that the often-crowded public networks make downloading updates slower. Updating at home can make the process less painful.

5. Encryption is your friend

Encrypting your devices helps protect your information from being compromised if someone steals your device or has direct access to it without your knowledge. Even if they were to make off with your machine, any data they pull off of it would be unreadable because they don’t have the encryption password that you set.

“Encryption is always a good idea,” Myers said. “If you lose your device and it’s encrypted, that leaves much less useful info for the thief to get a hold of.”

For your computer, that can mean full-disk encryption, where all of the information stored on a hard drive is coded so that only the person with the encryption password can read it. Or, you can opt to encrypt select files. Learn more about encryption for your computer here. Your phone might already have encryption by default enabled if it’s a new iPhone. Otherwise, you’ll need to enable full-disc encryption on your Android or older iPhone.

6. Keep devices with you 

WinMagic’s McCracken recommends keeping your devices with you as often as possible to avoid what is known as an “evil maid” attack. According to McCracken, the attack can happen if someone has access to your device without your knowledge, loading keystroke-logging software onto your device to track what your encryption password is as you type it when you boot your machine back up.

The attacker can collect your password later by gaining access to your device again. It’s called an “evil maid” attack because someone could pose as a housekeeper in a hotel and pretend to clean your room while instead compromising your device.

“If you’re careful, then you can even thwart an evil maid attack,” McCracken said.

One way, he said, is to use self-encrypting drive software. This limits the available space on a hard drive to prevent an attacker from downloading software onto the computer. Another option is to use two-factor authentication.

Cryptographer Bruce Schneier wrote on his blog that secondary authentication to verify your identity creates an added layer of complexity. While this won’t entirely thwart this kind of attack, “it’s more work than just storing the password for later use,” he wrote.

7. Avoid public Wi-Fi

Public Wi-Fi is an easy place to carry out man-in-the-middle attacks, where a third-party eavesdrops or changes your Internet traffic. It’s especially a concern on public internet because anyone can connect to it. Myers recommends staying away from public Wi-Fi if possible, but if you must use it, make sure you’re connecting to the real network. That means enabling the “ask before connecting” setting on your device so you don’t automatically connect to an open network.

“Always select the option of having it ask you first,” she said, “because you don’t really know who’s going to be in charge of that Wi-Fi, if it’s an official Wi-Fi network or if it’s a rogue network that someone’s set up to look like an official network.”

What's the best way to tell the difference between a real network and a fake one?

“Ask,” she said. “If you’re not sure, there’s someone nearby like an information desk where they will know what the real network name is.”

8. Beware of Bluetooth connections

Finally, disable your device’s Bluetooth connection when you aren’t using it. Attackers can exploit an active Bluetooth connection to steal your contacts, listen in on your calls, and remotely access your phone. Especially when renting a car with wireless connectivity, your device could automatically pair with the vehicle, exposing your contact information, Myers said.

“If you can turn that off, it’ll save you a lot of potential heartache,” Myers said.

For more tips on upping your digital security, check out privacy nonprofit the Electronic Frontier Foundation’s “Surveillance Self Defense” and ProPublica reporter Julia Angwin’s tips for increasing your Internet security.


of 5 stories this month > Get unlimited stories
You've read 5 of 5 free stories

Only $1 for your first month.

Get unlimited Monitor journalism.