The summer holiday season is upon us, and people are looking forward to trading their daily workplace grind for a new adventure – a favorite family resort or some other holiday. Traveling is always exciting, but it takes you out of your comfort zone, and that gives thieves and criminals opportunities to exploit you. F-Secure principal security consultant Tom Van de Wiele is back for Episode 9 of Cyber Security Sauna to tell us how we can keep our devices and data safe while enjoying a fabulous vacation.
Welcome back to the show, Tom.
Thanks for having me.
So let’s start with the threat model. I’m going on holidays. What should and shouldn’t I worry about?
Well, the real concern here is really the opportunistic thieves. People who are out to snatch your phone or grab your wallet. And it’s really about the choices we make to make sure that we can not only use our devices when we want them, but also keep them safe when we’re maybe at the pool, or not spending so much attention or focus on these kinds of devices, which are worth a lot of money.
OK, so I’m not worried about espionage or intelligence agencies coming after me.
No, not at all. This is more about the petty thieves, people who run around hotels trying to find easy people to pick on to be able to grab their device, grab that wallet or whatever they can get their hands on which they can easily sell.
So I don’t want to look like a victim. OK, I think everyone brings their mobile phones, tablets or maybe even laptops with them for vacation. But a lot of people have insurance that covers these devices, so why should I care?
Well, one aspect is the loss of the device itself. But the other aspect is privacy, in that if someone has your device they are able to access your data, your pictures, your email, but also they might be able to make purchases on your behalf. And as these vendors have certain security features in place to make it harder for thieves to resell your device, that means it increases the bar for a thief to be able to get that extra password to be able to unlock the device, and with that easily resell the device. Which means that your data might now be in the hands of someone unknown to you.
Speaking of leaking data, it’s common knowledge in the security industry that Wi-Fi networks aren’t really all that secure. But using them is kind of a necessary evil when you’re traveling. How do I know if a Wi-Fi network is OK to use or not?
Well, all Wi-Fi networks that are not your own home network should be considered as untrusted. So my recommendation is to enable a VPN client that you trust, preferably one that you’re paying for, because then you have a subscription, which can be renewed and has all kinds of features you can use. But the Wi-Fi network in a hotel, the airport, a lobby should always be regarded as untrusted, because you don’t have any knowledge about who set it up, who’s maintaining it, and what’s really happening on that network.
Right. So it’s not just the open networks. It’s also ones that have a password protection on them, so I should be wary of those as well.
Well, most Wi-Fi networks for convenience have some kind of captive portal where usually you have to log in with a social media account. Usually you can skip these, and you shouldn’t log in using a social media account. Maybe you want to make a vacation social media account and use that one as a throwaway account. But a lot of these Wi-Fi networks have a captive portal, do not have any encryption, and that means anything you do can be tracked and manipulated.
So OK, I’m on the airport Wi-Fi, but I have VPN on. Am I now completely secure?
Well it depends on what you’re doing. If it means that you are playing a lot of multiplayer games from one tablet to another, from one phone to another device, then you’re still on that network and people can see what you’re doing on the network itself. So there, my recommendation is to purchase a rather cheap Wi-Fi travel adaptor. They don’t have to cost that much. With that, if you prepare your devices at home to make sure that all your tablets and phones are hooked up to that special Wi-Fi adaptor, now you can have the benefits of having Wi-Fi. Your children can play their online games or their multiplayer games, and that way they’re not exposing any of their traffic to the hotel network, and they don’t have to interact with any kind of stranger that might be on the untrusted Wi-Fi network.
So what about paying for stuff? Is it better to use cash or credit? Credit cards have some obvious advantages, but sometimes I don’t really know if they’re safe to use at certain stores or restaurants.
Well it’s always a tradeoff. There’s no winning formula when it comes to cash versus credit cards. Credit cards are immensely convenient, but with it you risk that you could get skimmed, which means getting your credit card information stolen and reused somewhere without your consent. So of course introducing your credit card to anyone or anything, you should be very careful about what you’re giving it to, who you’re giving it to, what kind of devices you’re using your card on. When it comes to cash, you can bring a lot of cash and with that avoid that problem altogether, but now you’re carrying a lot of cash which can be lost, which can get stolen, and that’s of course a risk on its own.
Yeah, somebody sees you with a wad of cash, they’re going to be more interested in you.
They will, and you’re making yourself a target. There’s different kinds of travel tips you can read online, that, for example, say to bring a money wallet and try to store your cash in different places, but now you kind of introduced multiple problems to the solution that you were trying to go for, which is that now you have cash everywhere. And of course you will limit the damage when someone steals one of your cash wallets, but you still have cash everywhere.
Yeah, it’s not super convenient. Now when I read some OpSec advice, I get the feeling the advice is a little on the paranoid side, especially for opportunistic attackers. While I get why we need OpSec at work, I don’t really want to deal with this stuff when I’m on vacation. How can people protect themselves without going overboard with paranoia?
It doesn’t have to be paranoia. It’s all about taking away the opportunity. And with that you just need to have a few ground rules. For example, watch out where you charge your devices, don’t connect your devices to anything that just has a power outlet or a USB port, make sure you use VPN everywhere where there’s Wi-Fi, so you’re making sure that no one can see or manipulate your traffic. But also, when introducing passwords or passphrases when you’re installing that new game for your children, don’t use a single finger when introducing your password. Make sure that you look behind you when you’re getting cash out of an ATM machine. Just being generally aware of your surroundings and making sure you make the right decisions on where you put your devices, how you use them and where you store them, can make the difference between a really successful holiday or one where you have to go to the police, go to the insurance company, or maybe even have to contact the embassy. Making a few very simple choices can make all the difference, and making sure that you take away the opportunity for any kind of petty thief.
So it’s not about me. It’s about my valuables.
Exactly. It’s making sure that you know where your valuables are, that you don’t leave them in the hotel room, because at the end of the day the attacker is not interested in you. They’re interested in your valuables, and how fast they can get them away from you.
But isn’t it easier for them to get to it when I’m carrying everything with me at all times? Shouldn’t the hotel room be safe?
You cannot really trust the hotel room. Because when the cleaning crew is cleaning your room, the door is open, and it’s not the cleaner’s job to distinguish you from someone trying to snatch that tablet from your bed or from your nightstand. So it’s really about taking away the opportunity.
But even if you yourself are an OpSec pro, you’re traveling with kids or spouses who might not always be listening to all the advice you’re giving. How does that change things, what kind of situations might pop up with your kids that you should be prepared for?
Making sure you’re prepared is always a good thing to ensure that your devices have all the content they need. You cannot count on the actual hotel network being able to facilitate your streaming content services or the installation of that new game you promised your son or daughter. And when there’s stress and when things go a little bit wrong, people start to make mistakes, in introducing their password into weird things, people start putting their password into the Netflix account in the smart TV. All these kinds of things can be avoided by a few simple preparations. For example, most hotels allow you to stream your content to the TV in the room just by using some kind of HDMI converter cable. And that way you stay off the Wi-Fi network, you’re able to see all the content or play all the games you want on the big screen, and you don’t have to rely on anything else that might cause harm to you, your devices or your information.
So instead of using AirDrop to stream your stuff on the TV, use a physical cable.
It’s always a recommendation to make sure that you turn off as much functionality that you don’t need. So if you can connect your tablet directly to the TV, then that’s what you should be doing, and that can be easily achieved by buying a converter cable that will stick into the HDMI connector of the television, for only a few euros.
If you had to give just three travel tips to a friend or a colleague, what would they be?
Number one, prepare your devices. Make sure you have all your maps, content, videos, and games already installed on your devices so you don’t have to use any kind of untrusted Wi-Fi. Buy that custom Wi-Fi adaptor to make sure that your kids are safe in their own Wi-Fi sandbox. Turn off what you don’t need (you don’t need file sharing services, you probably don’t need Bluetooth) to make sure that your devices are as hardened as possible. And last but not least, watch out what you connect your devices to and where you charge them. Always bring a few power banks and make sure that you don’t inadvertently sync your devices with smart TVs or rental car Bluetooth systems, to make sure that your data doesn’t leak onto those devices.
What if I just don’t bring my own stuff? What if I just use the computers in the hotel lobby?
I would recommend not using those terminals or lobby PCs because they are untrusted, and you don’t know who else has been on them. Which means, do not use any kind of personal information, credit card information, or any kind of credentials as simple as, for example, a Netflix or Spotify password. Because someone might already have access to those computers. Always use your own devices, and always make sure that you use a VPN to be able to connect to any kind of service that you want to connect to.
In your experience, what kind of scams or attacks are the most common against travelers?
Depending on where you go, a lot of the scams are the same, in that people will try to convince you that there’s a unique experience somewhere, a tour, or whatever it is, and they will send you an invitation, usually in perfect English. If someone is speaking perfect English in a region of the world where English is not the first language, you should always be a little bit suspicious. Because that means that they’re trying to influence you or manipulate you in a way that you will go on their tour, or you will go on their excursion. Which could be a lot of fun, but now you are allowing them to control your schedule. Which means they know you are away from your hotel room, and with that they might have more incentive in trying to get into your hotel room or getting to your valuables, knowing very well that you are sitting on a boat somewhere on a tour.
Another scam that gets used a lot is when someone is trying to distract you by either asking you where you’re from, or asking to take a picture, because street criminals love distractions. So always make sure you watch your valuables when talking to strangers. When going places, taxi services will try to overcharge you, because they know you don’t know the area and you don’t know the distances between certain points in that particular region. So make sure you agree on an amount before you go on a certain trip, or when traveling somewhere you don’t know. One of the things I like to do is always have a phone in my hand that shows Google Maps, and shows the taxi driver that I have knowledge about where I am and how long it’s supposed to take.
So just waving it around.
Exactly. So they have an indication that you know how long it would take, and thus you have an estimation of the price, which means they are usually less inclined to try and overcharge you. At least you can limit the damage. On top of that, when paying with your credit cards, make sure the amount on the bill actually corresponds to what it says on the receipt, and when you get home, always make sure you check for double charging on your credit card. Because then you have a story towards your bank, and you can make sure you get the money back for charges that were double charged to your bill. Watch out for free gifts or anything that’s being given to you without you asking for it, because it could be a criminal trying to lure you away from a certain place, or trying to control the situation in a way that they have the advantage. For example, someone will ask you to break a $20 bill to see what’s in your wallet, just to be able to see if you are a valuable target to them.
What about social media? I want to share my happiness with my friends, so what should I be aware of?
It might not be the best idea to share your travel plans before you’re going on your trip. And when you’re sharing that kind of information, make sure you know who you’re sharing it to. Most people have a lot of friends on Facebook that maybe are not the closest friends. So when you’re posting these kinds of things, make sure you know who you’re exposing the information to, and if you really want to share pictures, maybe share them after you’ve gotten back from your trip.
Do you have a checklist of things to bring? What should I pack for my holidays?
I always like to bring power banks for short and longer trips, depending on where I’m going. A Wi-Fi travel access point to make sure any kind of online games can be paid in a safe way. I always like to bring an older phone that has all my music on it if I want to play music in the car or somewhere else. Do not bring your bank card PIN in written form but rather remember it, so that when your wallet gets stolen, the thief does not have direct access to your bank account. What I like to do is to store a Post-It note in my wallet that has a fake PIN on it so that hopefully, the thief will lock out the card and I have more chance of making sure that I don’t lose any money. On top of that, make sure you know what the PIN is to your SIM card, because sometimes your phone might have to restart or you will drop your phone somewhere where you need your PIN. And make sure you have access to your PUK unlock code either through family or friends, or store it somewhere in a safe place away from your phone.
That’s great advice. Happy holidays to all our listeners. Stay safe out there. Tom, thank you for being on the show. Always a pleasure.
Thanks for having me.