When Kristina Portillo was at Los Angeles International Airport recently, she briefly connected her laptop to the airport's free Wi-Fi network to get her email messages and information about her connecting flight. Portillo, the founder of BusinessTravelLife.com, said the entire process took only about 5 minutes.
But as soon as she turned her computer back on after takeoff, Portillo started having issues with loading speed and screen blackouts. Her computer was apparently infected with malware.
"I stopped using it immediately, and had to have the IT company that my office used to clean it off when I returned," Portillo said. "It took them over a day to get it working again."
Using public Wi-Fi is one of the most common, and most dangerous, information-security mistakes anyone can make. As Portillo's experience showed, it doesn't take much time for bad guys to infect your computer or mobile device. Fortunately, there are ways to make that public Wi-Fi safe — or to avoid it altogether.
You may be reading this and thinking, "I'm smart enough to not use free public Wi-Fi, especially when I'm traveling."
But what about when that public Wi-Fi comes with a password? It's easy to be lulled into believing that your connection will be safe when you are required to log in with a password, as in a hotel, or when you are paying a couple of bucks for a temporary connection, like at an airport.
"Passwords that are used are usually either shared or are easily guessable," said Daniel Miessler, director of advisory services at IOActive. "Also, many networks use encryption that can be broken even if you don't have the password."
Add to this the fact that it's trivial to spoof a Wi-Fi hotspot, meaning you may not even be connecting to the real thing, and you'll have quite an assortment of good reasons to be cautious of public wireless.
The truth is that vacation time is prime time for cybercriminals. Many people are already too lax about information-security practices in their everyday lives. But while they're on vacation, not only are they not doing enough to secure their devices, but they may also think their temporary accommodations are as safe as their homes.
Finish essential internet tasks before you leave
For travelers, the trick to securing information and devices is to understand where the dangers lurk and how to avoid them.
The best place to begin your secure vacation is at home. Meghan Kelly, content marketing manager at San Francisco-based mobile-security provider Lookout, suggests that travelers download movies, music and books, and conduct all necessary financial transactions, on their home networks before leaving for vacation.
If you do so, you'll be at much less risk of falling prey to a "man-in-the-middle" attack, in which a malicious intruder intercepts your Wi-Fi signals and injects fake or harmful data.
For the same reason, it might be best to fully update all mobile and laptop software and apps at home, and to avoid software updates while traveling. Stocking up on data before you leave will help curb the desire to connect to public Wi-Fi and will also save on cellular-data usage, allowing you more time for essential traffic on your more secure 4G network.
Bring your own Internet access, or pay for a VPN
Many business travelers use mobile Wi-Fi hotspots that they get from their offices, which connect to 3G or 4G cellular networks for fast Internet connections. If you're a frequent traveler, whether for business or pleasure, it might be worth investing in such a device, especially since some carriers now let you pay for service only when you use it.
Another option is to use your own smartphone as a hotspot, or to "tether" the phone to a laptop via a USB cable to get the laptop online. Not all phones allow you to do this, and some carriers still charge you an extra $10 or $20 per month for the feature. But for the peace of mind it offers, it might be worth the cost.
Unfortunately, mobile hotspots and smartphone tethering often won't work when traveling outside the United States, even sometimes in Canada or Mexico. That's when you have to consider the best of both worlds: a virtual private network (VPN) service.
A VPN will create an encrypted tunnel through the internet for your laptop or smartphone to use, even on public, password-free Wi-Fi. Hackers and snoops won't be able to get in.
You'll have to shop around and do a bit of research for a good VPN service, as prices and plans vary. Some charge for each device, while other have blanket plans. Most charge monthly, usually between $5 and $10, but discounts are sometimes available if you pay for a full year, and several services have generous free tiers.
We've evaluated more than a dozen popular VPN services, and Private Internet Access (PIA), which costs $39.95 per year, came out on top. PIA offers an easy setup, fast performance and strong encryption for an excellent price. Our second choice, Windscribe, lets you use up to 10GB of data per month for free.
Also, make sure that you learn the difference between a proxy service, useful for watching Netflix while overseas, and a VPN service. Both will bounce your data around the internet and mask your geographic location, but only a VPN service will encrypt that data and keep you safe.
Remember that your hotel is not your home
When you arrive at your destination, consider your hotel or rental property as nothing more than a place to shower and sleep. Don't use it as a remote office.
"Travelers are specifically targeted in hotels, where there are a few vectors being used by hackers," said Stu Sjouwerman, founder and CEO of KnowBe4, an information-security firm in Clearwater, Florida.
Sjouwerman explained that malicious hackers can imitate free hotel Wi-Fi with networks that sniff all content going over the air and pick out passwords and other confidential data. Free workstations, often found in the "business lodges" of hotels, are often infected with keyloggers that grab login credentials, which can then be used to take over email, social networking and bank accounts.
More sophisticated social-engineering attacks, Sjouwerman explained, use "coupons" or "menus" that are slipped under hotel-room doors. Some of these flyers encourage hotel guests to visit a website to get a special deal; the website infects the visitor's computer. Others steal credit-card data used when calling for a takeout order that never arrives.
Remember that you aren't the only person with access to your hotel room. An "evil maid" (an all-too-real risk in certain countries where foreign business travelers are often spied upon) could easily tamper with your electronic devices. Most travelers carry their smartphones when leaving the room, but devices left behind should be stored in the room's safe.
Leave the laptop at home, or take a Chromebook instead
Unfortunately, those safes tend to be small, and larger devices, such a laptop, might not fit. You could ask the front desk to hold a laptop, which would prevent theft, but there's no guarantee the laptop wouldn't be tampered with.
If you don't need your laptop while on vacation, then leave it at home. Doing so will also lessen the temptation to work while you are supposed to be playing.
If you absolutely must take your laptop on the trip, either take it with you on your excursions out of the room, or keep it well out of sight from maids, repair personnel or anyone else who may come into your room while you're gone. (Hiding it will protect it only from a casual thief, not a determined attacker.)
And, of course, your laptop should be passcode-protected and have minimal sensitive data stored on it. If you've got any sensitive data, consider encrypting the hard drive so that only you can access it.
A better option would be to bring a Chromebook instead of a regular laptop. Just be sure to carry it with you, or put it in the safe, like a regular laptop. Also, you should log off and completely shut down the Chromebook when you're not using it so that it doesn't give up any of your private data if it falls into the wrong hands. (By design, Chromebooks don't retain much user data from one reboot to the next.)
Before you cross an international border, PowerWash (factory-reset) the Chromebook so that border guards can get absolutely nothing off it -- and so that you have a brand-new machine, free of anything it might have picked up when abroad, when you get home.
Keep your privacy private
Every year brings more internet-connected devices, which means more devices to break into remotely. Vacations often involve a lot of walking or other extra exercise, and people who wear fitness trackers love seeing those steps add up.
But using Bluetooth to sync the data to your smartphone may open you up to potential intruders. Many fitness bands don't even ask for a PIN to pair with a phone, meaning that anyone can connect to the band.
There haven’t been many reported cases of fitness trackers being hacked. But if a recent report detailing the security weaknesses of fitness trackers is any indication, breaking into some of them is so easy that it might be hard to tell. If possible, wait to connect to your tracker until you get back home.
Finally, always be aware of your surroundings, no matter where you are.
"Be cautious of shoulder-surfers while traveling," said Miessler, "All the digital security in the world won't help you if the person in the airport or coffee shop next to you is watching you enter your password or type your Social Security number."
Best VPN Services and Apps
Private Internet Access VPN
Private Internet Access covers the basics of a VPN, and it does this well. For those who value the anonymity of the service it is a good choice, but it has less servers than some competitors, which gives us pause for thought.
Windscribe is a strong player in the VPN space, with a range of affordable plans, plus a free tier. Those who step up to one of the paid plans are rewarded with access to a much larger choice of servers, with additional features such as Windflix to facilitate Netflix streaming.
CyberGhost’s VPN offering is a good service, with affordable long term plans, and up to 7 connected devices. Misses for the service include the lower number of platforms supported, and the super short 24-hour trial period.