Consumer Reports has no financial relationship with advertisers on this site.
The holiday travel season kicks off in a couple weeks, when millions of people will hit the road over Thanksgiving weekend.
Whether you’re jumping on a plane for an exotic vacation abroad or just road-tripping to grandma’s house, data security experts say it’s important to think before you click—both when planning your journey and once you leave home.
People often don’t realize how much personal information they accidentally expose to potential criminals when they travel, says Etay Maor, chief security officer of IntSights, a cybersecurity company that specializes in threat intelligence.
For example, if you're rushing to grab your bags after a long flight, you may not realize that you've left your boarding pass in an airport bathroom.
That may not seem like a big deal, but boarding passes contain more information than just your name and flight information. If scanned by even the simplest smartphone bar-code reader, passes can reveal information like a traveler’s frequent-flyer number, which could help a hacker steal earned miles or access other personal information contained in an account.
“Treat these as if they’re your passport,” Maor says, referring to boarding passes. “You’d never leave your passport on a plane.”
Here are a few more tips that can help you protect your digital security when you travel.
Book Your Trip Safely
Secure travel starts with secure booking. And it’s up to consumers to make sure they’re booking through a reputable company, says Colin Sims, chief operating officer of Forter, a security company that specializes in e-commerce fraud prevention.
If you've never heard of the website you're about to book through, do some research to see how long it’s been around. If it just popped up a few weeks ago, skip it.
“We all want to support emerging sites and businesses," Sims says, "but when it comes to travel, it’s probably best to stick with the three or four sites you’ve used and trust.”
By now, all legitimate e-commerce sites should be using encryption. That protects your credit card number and other data by scrambling it in transit. How do you know whether a travel service uses encryption? Simply look for a lock symbol in the site's URL. Even if an otherwise trustworthy company's website isn't encrypted, you shouldn't use it.
Also, be wary of ads on social media touting super-cheap, last-minute deals. Don't click; the link could go to a fake website set up to lure the unwary. Instead, open a new browser tab, search for the site, and go directly to it, Sims advises.
And think twice before handing over personal information to a travel site. While most people would question a request from an online shoe store for a copy of a passport, they might not hesitate when booking a flight.
Protect Your Points and Miles
Legitimate travel sites make tempting targets for criminals.
According to Forter’s annual study of e-commerce fraud trends, online-fraud attacks against airlines are up 61 percent compared with a year ago. That's likely because of the rise in popularity of loyalty rewards programs, as well as recent data breaches that have exposed vast repositories of consumer data, including email addresses, passwords, and other information.
In addition, attacks involving land travel—including rail, bus, rental car, and ride-sharing companies—jumped 38 percent.
Sims says that like the airlines, there's not much consumer loyalty when it comes to land-travel companies. As a result, they try to draw customers by making purchases as easy as possible. But that can simplify things for criminals, too.
Forter says bus and train companies also make it easy to return tickets bought online for cash, boosting the appeal to criminals.
Sims says that regardless of what kind of travel you’re talking about, fraudsters will often use stolen credentials to log in to a consumer’s account and clear out frequent-flyer miles or book travel they didn’t pay for.
To protect themselves, Sims says travelers should keep an eye on their rewards accounts just like they do their credit card accounts. He notes that many people accumulate large balances but rarely log in to their accounts. And that makes it tough for online security systems to flag potential attempts to break in.
Lock Down Your Devices
Before hitting the road, make sure the software on your devices is up to date.
Why is this so important? When companies find security flaws, they issue a software patch to fix them. But if you don’t install the update, you're not protected.
The operating systems on your laptops and mobile devices should be your first priority. But web browsers are important, too, because that's where many people run into digital threats like malicious pop-up ads or fake websites. When using your browser on the road, don’t ignore warnings that pop up flagging potentially malicious websites.
Update any antivirus software you use as well. And don’t forget about your apps, especially those that could hold precious personal information such as banking and credit card numbers. They need to be updated, too.
Next, make sure that you have strong passwords for all of your accounts and that your laptop and mobile devices are secured with a password or PIN.
And if you haven’t done it already, make sure you have two-factor authentication enabled. This feature is now commonly used as an extra layer of security for everything from Gmail to credit card accounts. But sometimes you have to turn it on yourself.
Two-factor authentication basically requires you—or anyone else trying to access your account—to enter a second form of identification, such as a code texted to your smartphone, to access your account after you've input a password. Then, even if your password is stolen, a criminal probably won't be able to access your account.
And when you're on the road, make sure you keep your devices locked down. While it may be tempting to try to grab some free juice at a handy USB charging station at the airport or a hotel, it's best to avoid them.
While it's rare, these stations have occasionally been compromised by criminals using them to steal data. The scam, known as "juice jacking," sometimes involves cables that are loaded with malware and left in charging stations so that travelers who use them will infect their devices.
The Los Angeles County District Attorney's Office recently issued a warning urging travelers to avoid these charging stations, noting that traditional AC power outlets are safer.
Beware of Public WiFi
When you’re away from your home and work networks, it can be tempting to jump on any free WiFi you can, especially if you’re traveling overseas and trying to avoid hefty roaming charges.
But is that really a good idea? After all, there’s nothing stopping a hacker from jumping on the same network and intercepting the data going to and from your computer, right?
Many security experts say this isn’t as big a deal as it used to be. Criminals have much more efficient ways of stealing information these days. And, on top of that, most of the data you’d need to worry about is encrypted on most sites, making it unreadable and useless to anyone who might snatch it.
Richard Gold, a security researcher and head engineer for the cybersecurity firm Digital Shadows, says that in most cases the warnings of security professionals about the dangers of public WiFi amount to “doom mongering” and are based on outdated information.
“If you’re using the latest version of Android, iOS or MacOS, and you stick with modern applications, you should be fine," Gold says. “These companies expect their customers to be using public WiFi, and they’re going to stop those attacks.”
But that comes with some caveats. If you're using an old computer or phone that isn't running the latest operating system, you could be at risk. If you're using a browser, look for the lock symbol in the URL to make sure the site is encrypted. But there's no way to check if your favorite apps are encrypting all of your data.
If you have any doubts about the security of your device, Gold says you can always use a VPN, or virtual private network. Ideally, a VPN masks your location and encrypts the data sent to and from your device.
On the other hand, even if the danger is less than it used to be, why take the risk?
Gold says there’s nothing wrong with that point of view. When in doubt, just wait till you get home before you check your bank or credit card accounts. “You can’t steal what’s not there and you can’t intercept what’s not sent,” he says.
And if you have to go to a sensitive site, it's better to use your cellular network rather than public WiFi. Those signals are much harder for hackers to intercept and read.
Take Advantage of Tokenization
There’s nothing worse than finding out while you’re on vacation that your credit card or bank account number has been stolen. Though you aren’t on the hook for fraudulent charges, a compromised card will get shut down immediately and could leave you without cash or credit.
And even with the introduction of microchips, banking cards in the U.S. aren’t as secure as those in much of the world because they don’t require a PIN for transactions.
Skimmer devices placed in ATMs, which are designed to steal card information, also have become much more sophisticated and difficult to spot.
So what do you do? Consider using an app such as Apple Pay, Google Pay, or Samsung Pay instead of an actual credit card. Those services don't transmit your credit card number when you go to pay for something. Instead, they provide the vendor with a randomly generated token. That information is worthless to any hacker who might intercept it.
Smartphone Privacy Protection
A smartphone can be an incredibly useful device—but what do all those apps do with your information? On the "Consumer 101" TV show, Consumer Reports expert Justin Brookman explains how you can protect your privacy.
Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2019, Consumer Reports, Inc.