Ahhhhh, summer. It’s officially here. The sun is shining, the birds are chirping and would-be fraudsters are eager to launch their latest cyberattacks against relaxed, unsuspecting vacationers. Their newest tools can compromise your identity faster than your email can send an “Out of Office” response.
Whether you’re hitting the same old beach town or taking a cycling tour of Provence, follow these Top Five steps to stay cyber secure while soaking up the sun.
1. Card skimmers are chameleons
Former Los Angeles street gang members are moving into cybercrime using gas pump skimmers
The favorite tool of hackers and fraudsters is the card skimmer. Embedded into an ATM or gas pump, this slender device captures card data in the middle of your transaction. Then it either stores the data until the hacker comes to retrieve it, or sends it all off on demand via a Bluetooth connection. Many casual users expect a skimmer to be obvious – after all, it’s not a part of the original machine – but they’re surprisingly nondescript. This is especially true of the newest low-profile devices, called shimmers, which a hacker can install on a grocery point-of-sale terminal in seconds while an accomplice distracts the checker.
Look for any hardware that’s a different color than the surrounding device, or any connections that are loose when you shake or jostle them. Look for anything shiny within the lip of the card slot. If there’s more than one machine, make sure all the card slots look the same. Gas stations, chain restaurants, and pop-up ATMs like those used in festivals are the most likely places to find skimmers, but they can be anywhere. This video shows how they’re configured.
2. Be wary of public wifi
Not everyone’s got a roaming data plan, and hackers know it. They’ll set up their own hot spots in the vicinity of large, well-known public networks – especially airports or restaurants – often using a network name that’s close to the original. Blissful vacationers take the bait and, just like that, provide hackers with easy access to their passwords and credit card numbers.
What to do? Stick with established wifi networks, or better yet, use your own hot spot. Many carriers provide international travel plans that allow you to use their own hot spots free of charge, so download their app before you go abroad. Avoid connecting to your finance and banking sites unless you’ve got a bona fide connection. Turn off any auto-join features, and always inspect the page you’ve landed at for typos or obvious naming errors. Enterprise mobile security suites like Skycure and NowSecure often have free versions for individual usage that allow your iPhone or Android to highlight suspicious networks.
3. Go new-school (or old-school) on payments
According to iovation, travel transactions from a mobile device were 16% higher during 2016’s summer months compared to the rest of the year. In addition, online fraud originating from a mobile device increased by 8.75% during an average summer month in 2016. And while it’s understandable that vacations should be as effortless as possible, fraudsters take advantage of this mobile surge and shape their scams to take advantage of quick purchases.
There are at least two routes that can protect you: pay for the sunset cruise with cash; or make sure you use an EMV-enabled credit card and not an older non-chip card. You’ll get more security and less exposure to liability. Avoid the middle route, which is using non-chip, mag-stripe-only cards.
4. Share cocktails, not computers
Your goal is going off the grid, but you’ve found yourself device-less, with emails needing to be answered and boarding passes needing to be printed, so you log on to a public or shared computer… opening your data up to be seen and shared by someone else.
What to do? Take a reverse stance on the Nike motto and Just Don’t Do It. Most government IT departments expressly prohibit signing into work accounts on a shared computer, so stick to sharing a round of cocktails. Never access sensitive information like bank accounts from a shared or public system. If you absolutely must access one, be sure you clear all user names and passwords after use and log out of the application or web site fully. Then, to be sure, clear all browsing history from the borrowed computer.
5. No license required for phishing
If you’re ready to vacation, and perhaps booking hotels and excursions in a different country or state, be aware that hackers hovering around those destination sites are actively trying to get you to expand your “circle of trust” to include them. You may book a stay at an out-of-the-way lodge in Montana, and so be unsurprised when you get an invitation to sign up for a discounted rafting adventure. The email may start “Bob at Big Sky Lodge said you might be interested in this …” and end up asking for your card number to reserve one of the spots that are “vanishing fast.”
Most of us are pretty diligent when it comes to reviewing business email for signs of phishing, but we may let our guard down when it comes to planning our vacation. The Verizon Data Breach Investigations Report shows that phishing is still surprisingly effective: the 2017 report confirmed that phishing attacks on industries like Manufacturing, Information, Retail and Healthcare succeeded 10% to 14% of the time, and the 2016 report showed that 30% of phishing emails were actually opened. Bottom line: be as suspicious and aware of personal emails as you are of your business correspondence.
About Michael Thelander
Michael has a twenty-year history in product marketing and product management, with a focus over the last seven years on cybersecurity. He held senior product marketing and product management roles at security leader Tripwire, and has other career highlights that include co-founding a successful startup and receiving patents for network technology.