Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

Happy Memorial Day: Tips for a Safe Summer Travel Season

Readers of my blog know that I often cite Bruce Schneier’s famous quote “Attacks only get worse; they never get better.” The United States once again unofficially kicks off the summer travel season with Memorial Day, when we take a moment to remember those who paid the ultimate price to secure our freedoms. The American Automobile Association (AAA) estimates that 43 million Americans will travel for a weekend getaway over the Memorial Day holiday. While the US State Department issues travel advisories for regions of the world where Americans are at heightened risk of abduction or violence, US-CERT (the United States Computer Emergency Readiness Team) issues its own warning to practice safe cyber hygiene while vacationing. With Americans hitting the road in record numbers, the stage is also set for attackers to target unsuspecting vacationers who temporarily let their guard down while trying to enjoy some time off with their families. Last year, I wrote a post about how to stay safe from an information security perspective while traveling away from home. Attackers never take a vacation, and neither should information security awareness. It is with regret that I must update this post each year because of new and emerging threats targeting travelers who are away from their home and corporate networks. The same tips I gave last year still apply, so last year’s post is still a worthwhile read.

These two holidays are often confused.  #knowthedifference

Imagine kicking back at the hotel pool with a cold Mai Tai in one hand and your smartphone in the other, ready to post the latest selfie or cute kid photo to social media. Are you connected to the hotel Wi-Fi? Are you on a cellular LTE connection? Where do those bytes go after you tap “post”? Who is going to see the post and learn that you are away from home? Many attackers take advantage of relaxed travelers who lower their guard while on vacation. Security practitioners, however, will tell you that it is essential to maintain the same OpSec (operational security) whether you are at a desk in the office or on a beach in Bora Bora. Smartphones and mobile computing devices such as laptops and tablets contain untold amounts of information, including very personal data, corporate intellectual property, and often a standing connection back to the corporate office (a VPN).

Here are a few tips to stay safe while traveling this summer.

Beware of vacation rental scams

The “wire me money to secure your reservation” scam has been around for as long as vacation bookings have existed. New tools, however, let attackers run it at scale with minimal effort. With the proliferation of vacation rental services such as Airbnb, VRBO, and Craigslist, finding that perfect vacation condo, house, or island experience has never been easier: a few clicks of the keyboard and mouse. With that ease of access comes the ease of being scammed. Scammers use two popular methods to separate unsuspecting users from their hard-earned cash. The first is to copy complete listings for real vacation properties and advertise them as their own. Vacation properties often require an up-front deposit to secure the reservation; the scammers collect the deposit and are never heard from again. The second is to create entirely fictitious listings for properties that do not exist, with descriptions of attractive-sounding amenities that will never see the light of day. In either case, the scammers get their money (typically by wire transfer or money order, where there is no buyer protection) and vacationers are left without their dream property.

Scammer services such as Land Lordz have made this even easier by offering Airbnb scam-as-a-service. The Land Lordz platform lets subscribers clone legitimate Airbnb listings at scale to lure unsuspecting vacationers into sending deposits for bookings and reservations that do not exist. When a user contacts the listing owner, they are redirected to a payment portal and instructed to wire the deposit or enter their personal and credit card information. The “payment portal” is a phishing page built to look like a legitimate Airbnb page, where the scammer can request almost any information, including e-mail credentials, personally identifiable information, the dates the victim will be away from home, and credit card data. The tell is that both the conversation and the payment leave the Airbnb platform: a genuine booking is paid through Airbnb itself, never through a link the “host” sends you.

The Land Lordz scam-as-a-service platform allows cloning legitimate listings at scale

Whenever possible, pay with a credit card. In the United States, the Fair Credit Billing Act caps a cardholder’s liability for unauthorized charges at $50, and most issuers waive even that, so a deposit phished from a credit card can usually be charged back. Wire transfers, personal checks, and money orders offer very limited recourse, if any, in the event of fraud. Debit cards fall somewhere in between: liability is limited only if the fraud is reported quickly, and because a debit card draws directly from the owner’s bank account, the money is gone immediately and may not be restored for quite some time.

Using reputable websites and travel booking services significantly reduces the incidence of fraud; always do proper research to confirm that the booking service is legitimate, and pay through the platform rather than through any link or account the host supplies. Common sense dictates that if a deal seems too good to be true, it probably is.


Practice Safe Cyber While Traveling

Avoid public Wi-Fi networks whenever possible; many mobile carriers now offer free or low-cost international roaming, and a cellular connection is a far smaller attack surface than a hotel or airport hotspot. Unsecured public Wi-Fi is ripe for evil twin attacks (a rogue access point broadcasting the same network name as the real one), SSL stripping, and reconnaissance against every device on the network. Even if you never actively join a network, an evil twin can exploit the “auto-join” feature of most wireless devices: a phone that remembers an open network by name will reconnect to any access point broadcasting that name, including the attacker’s, with no prompt. Minimize the attack surface by disabling Wi-Fi and Bluetooth while not in use and by forgetting open networks you no longer need. If Wi-Fi must be used, do not access sensitive information such as financial records, banking, or health records. Always use a VPN service that encrypts the traffic, keeping in mind that a VPN moves trust from the hotspot operator to the VPN provider, so choose one you have a reason to trust; there are many free services available to accomplish this. I use the paid version of ProtonVPN.
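One way to check for the evil twin scenario above before joining a hotel network. This is an added example, not code from the original post: it parses a constructed sample in the format of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list` (the field order, the backslash-escaped colons, and an empty or `--` SECURITY field for an open network are assumptions about nmcli’s terse output) and flags any network name advertised both open and encrypted, plus any open network whose name matches a profile the device has saved and would auto-join.

```python
"""Flag evil-twin candidates in a Wi-Fi scan.

Added example, not from the original post. Input is assumed to be the
terse output of `nmcli -t -f SSID,BSSID,SECURITY,SIGNAL dev wifi list`,
where fields are ':'-separated and literal colons (in BSSIDs) are
escaped as '\\:'. The scan below is constructed, not a real capture.
"""
from collections import defaultdict

# Constructed sample: two legitimate WPA2 "HotelGuest" APs plus an open
# AP using the same name (the evil twin), an open cafe network, and a
# corporate 802.1X network.
SAMPLE_SCAN = """\
HotelGuest:AA\\:BB\\:CC\\:11\\:22\\:33:WPA2:72
HotelGuest:AA\\:BB\\:CC\\:11\\:22\\:34:WPA2:65
HotelGuest:DE\\:AD\\:BE\\:EF\\:00\\:01::88
Cafe Free WiFi:12\\:34\\:56\\:78\\:9A\\:BC::60
CorpNet:00\\:11\\:22\\:33\\:44\\:55:WPA2 802.1X:40
"""


def split_terse(line):
    """Split one nmcli -t line on unescaped ':' and unescape '\\:'."""
    fields, buf, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
            continue
        if ch == ":":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    fields.append("".join(buf))
    return fields


def parse_scan(text):
    """Turn scan text into a list of access-point records."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security, signal = split_terse(line)
        # nmcli leaves SECURITY empty (or "--") for an open network (assumed).
        rows.append({
            "ssid": ssid,
            "bssid": bssid,
            "security": security if security and security != "--" else "OPEN",
            "signal": int(signal),
        })
    return rows


def find_evil_twin_candidates(rows, remembered_open=()):
    """Return {ssid: [reasons]} for networks that should not be joined.

    remembered_open: names of open networks saved on the device, which
    most phones auto-join whenever any AP advertises that name.
    """
    by_ssid = defaultdict(list)
    for ap in rows:
        by_ssid[ap["ssid"]].append(ap)

    findings = {}
    for ssid, aps in by_ssid.items():
        reasons = []
        security = {ap["security"] for ap in aps}
        # Many BSSIDs per SSID is normal for a venue with several APs;
        # the same name offered both open and encrypted is not.
        if len(security) > 1:
            open_aps = [ap["bssid"] for ap in aps if ap["security"] == "OPEN"]
            reasons.append(
                f"advertised with mixed security {sorted(security)}; "
                f"open AP(s) {open_aps} may be spoofing the encrypted network"
            )
        if ssid in remembered_open and "OPEN" in security:
            reasons.append(
                "open network matching a saved profile; the device will "
                "auto-join it without asking"
            )
        if reasons:
            findings[ssid] = reasons
    return findings


if __name__ == "__main__":
    scan = parse_scan(SAMPLE_SCAN)
    for ssid, reasons in find_evil_twin_candidates(scan, {"Cafe Free WiFi"}).items():
        print(f"DO NOT JOIN {ssid!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

A finding is a reason not to join, not proof of an attack: a venue that legitimately runs an open guest network and a secured staff network under the same name will also trip the first rule. The second rule is the auto-join problem in the paragraph above; the fix on the device side is to forget the saved open network so that no access point can claim it.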

What is dead may never WiFi

Be cautious while charging. iOS and Android now require the user to accept a prompt before a phone will trust a connected computer, but be wary of public charging stations and USB ports anyway. Use a USB data blocker, commonly referred to as a USB condom, which passes only the power lines (VBUS and ground) and leaves the data lines (D+ and D-) disconnected. Because some fast-charging schemes negotiate over the data lines, a blocker may charge more slowly; carrying your own charger and plugging it into a wall outlet avoids both the risk and the slowdown.

If you can’t make fun of yourself…

USB Condoms allow devices to charge without exposing the data ports.

If a breach does occur, notify the bank, store, or credit card company immediately. Reporting the incident promptly limits the exposure and damage and lessens the victim’s liability. After a phishing incident, assume the password entered on the phishing page has been compromised: change it, enable multi-factor authentication on that account, and, given how prevalent password reuse is, change the password on any other account that shares it. Victims of suspected identity theft should report it to the responsible authority in their country immediately; in the United States, that is the Federal Trade Commission at IdentityTheft.gov.

Device Security

Keep mobile devices up to date with the latest application and OS updates to patch known vulnerabilities. Lock devices when not in use, and use a long alphanumeric passcode rather than a four-digit PIN to unlock a phone. Many users forget about physical security and lower their guard while on vacation. If a device is left unlocked and unattended, it must be treated as compromised.

Always lock your machine when not in use or unattended

Conclusion

Attackers do not go on vacation and neither should security awareness. Following a few security best practices will allow you to travel safely and keep secret things secret. When traveling for work or securing corporate assets, it is essential to have the same level of protection, whether that device is on or off the corporate network. Security starts with the user and a relaxed or vacationing user should not let their guard down. Stay safe this summer and please take a moment to remember the fallen.  We are free because of the brave.
