Being safe when you travel is just a smart thing to do. Protecting your stuff from being stolen, using RFID blocking accessories, and keeping your valuables out of sight are obvious choices regardless of the length of your trip. But too many people fail to make smart decisions about their online security when traveling.
When I travel, I have the following safety concerns:
Hacked, in this case, means someone has stolen my login credentials to one or more online services. Phished is similar, but it means I've done something really, really stupid, and accidentally or inadvertently given my login credentials away. (Nine times out of ten, when someone says their account has been hacked into, it's really been phished.)
Not having access to money
This is likely a direct result of being hacked/phished, but not always. Credit cards can be ripped off several ways, from dummy ATMs to unscrupulous waiters in a restaurant. And a lot more.
I tend to live out loud online. Rather than trying to curtail my online check-ins, I actually use the transparency those check-ins provide to increase my feeling of personal safety. Yeah, it sounds a little counterintuitive. It'll make sense as you read on. I promise.
In this post, I'll run down some easy-but-rarely applied ways I protect myself online when I travel. These aren't just good ideas. They are the actual techniques I use daily, and I'm a professional traveler. So you can trust me!
Technique #1: I'm not stupid about my passwords
Seriously. How many more stories do you need about online hackers stealing account information, sports stars or brands having their social media accounts taken over, or the embarrassing number of people who still use "password" as their password? I'm going to give you three smart and easy techniques to ensure that your passwords is quite hard to compromise. And if someone does manage to steal or guess one, the damage to your accounts will be limited. All of them center around one thing: Never, ever use the same password for more than one site. But how do you remember the dozens of passwords you need? It's easier than you think.
For "commodity" sites where I don't have any financial data stored, I use the 0regonGo! method. It’s a two-part password: The first part, "0regon", is always the same. (No, its not really 0regon, but it works as a good example.) The second part, "Go!" is different every time, (and it's never Go!). Instead, it's the first two letters -- the first always capitalized -- of the online service, followed by an exclamation mark, which a non-alphanumeric character. For my Line account, it would be 0regonLi!. For Workflowy, it would be 0regonWo!. And so on. (Note also my first letter is a zero and not a capital O. That's to get around the pesky site that require a mix of capitalization, numeric and non-alphanumeric passwords.)
The above technique is great, but it's not as secure as you might think. A “brute force” attack with a computer trying out millions of combinations will crack it pretty quickly. That, and it can be a little tough to remember. This xkcd article explains the math behind the complexity, and Randal is smarter than me. So for sites that have sensitive data that I need to log into all the time across multiple devices -- like my Amazon.com account -- I use four common words that mean absolutely nothing when strung together as a sentence. However, I can make up a story in my head (see the xkcd strip) that I'll always remember. (Note: I never use the same four common words for multiple sites. So use this sparingly.)
For critical accounts (my bank accounts) and passwords I share with others (my wife), I love the convenience and security of Passpack. This handy online tool makes it easy for me to have a unique, highly complex password for every single login not covered by my two “memorizable” techniques. Not only that, it also stores my passwords in a highly secure environment and remembers them for me. With a single mouse click, I can automatically log in to any of my accounts. Best of all, I never once have to actually see the password when I’m logging in, ensuring it won’t be picked off by prying eyes or some keylogging piece of spyware. A service like Passpack is really the best way to stay secure, especially if you have hundreds of passwords like I do!
Pro Tip: The time to get your passwords in order is now, before you travel. Waiting to do this until you’re on the road, or hacked, or phished, is really too late. It'll take you some time to undo all the poor password choices you've made. Do it now.
Side note: Many services like Google offer something called 2-step authentication. It’s not for the technically terrified, but it's a super smart extra layer of protection. I highly recommend it. It's non-trivial to set up, so give yourself plenty of time to properly implement it. It probably won't take an hour, but it might.
Being diligent with my passwords keeps me almost immune from the threat of hacked/phished. I say "almost" because there are no guarantees.
Technique #2: I'm smart with my credit/debit card
Now let's talk about money. Specifically, how I keep the bad guys from ripping off my bank accounts while I'm traveling. Some experts tell you to use cash, only and always. But for full-time travelers like me, that's just not practical. Here are the rules I follow when I whip out the plastic when I'm abroad:
I keep my card in my hand.
Portable credit card readers and customer-facing machines are becoming the norm just about everywhere. As long as I can stick or swipe my card myself, I'm comfortable. I might turn it over to the clerk at the grocery store, but only because I know it's not going to leave that little 1x2 kiosk. But that's it. I'm not handing the card to waiter if he's going to walk off with it to run the charge somewhere else. (That’s the norm in the US, where we’ve yet to use the portable card readers that dominate Europe.) It takes a little reconnaissance on my part, but it gives me great peace of mind knowing someone didn't copy down my card number and CCV to sell later. In all other cases, I use cash.
I use a bank card that refunds me all ATM charges.
Because I use cash a lot yet don't want to travel with a safe strapped to my back, I hit the ATM frequently. Like, two to three times a week frequently. That's a lot of ATM fees, which can quickly add up. But my bank (Charles Schwab) reimburses me on all of those fees. I might rack up $50 in fees in a month, but all of that -- every penny, peso, or pence -- comes back to my account the next period. (Pro tip: Unless I have no other option, I use ATMs that are physically attached to a bank. Maybe that's just me being paranoid, but...)
I have transaction alerts on all my cards.
It's almost 2016, and just about every bank has online banking with an alerts section. I have mine set to send me an email or text *every* time a transaction is made. It means there are extra emails to wipe out and maybe a few more pennies in data charges to my phone, but if something comes across I didn't authorize, I can take care of it immediately. If your bank doesn't offer online alerts, switch. Now.
I use Mint to get an overview of all of my accounts all at once.
is a super helpful -- and free! -- service that logs into all of my accounts for me. When I login to Mint, I get a great snapshot of all my accounts, with the ability to go deeper to look at any single transaction right in the interface. And with Mint, I can set up a whole series of alerts when accounts get low, when bills are upcoming... which is great when on the road. And I check it at least three times per week, so I always know where I stand financially. Which can be a little depressing at times, to be honest.
Pro tip: It's easy to obsess over money, ad doing so when you travel eats into the good time you're supposed to be having. But if you follow these simple steps, it can give you great peace of mind without curtailing any activities.
Technique #3: I overshare my physical location online when I travel
I'm well aware of how odd that sounds. Conventional wisdom says I'm announcing to the world when it's a good time to break into my house. But it only takes minutes to break in and steal a TV, so no one needs to wait for the three-week period when I've asked the neighbors to water my plants.
(But in the interest of full disclosure, I should mention that I don't actually have a house, being a full-time traveler. However, I assure you that I did the same oversharing when I did have a nice house filled with nice things.)
To me, the benefits of letting a few hundred people -- or anyone, really -- know where I am at any given time come down to two things:
- In the highly unlikely event I am kidnapped/stranded/passed out in a ditch somewhere, lots of people know the last place I was and when I was there. Sure, you tell your mom you're visiting Thailand. Mine (and everyone else) knows exactly where I was two hours ago thanks to my Instagram post or a Swarm check-in from breakfast. In fact, my network gets a little worried when I haven't posted or checked in every few hours.
In the equally unlikely event my email credentials are phished or hacked, my contacts will be less likely to fall for the "I've lost my passport in London and need you to Paypal me $4K to get out of jail" scams that are all too commonplace because they (and everyone else) knows I'm in Thailand, not London. Remember that not all hacking is about you; quite often, hackers and phishers just want access to your network. If it's large enough, that increases their chance that someone will fall for their ruse. And in a way, you'd be complicit in that, right? I sure don't want to be.
But yes, I will acknowledge the risk to your personal safety by telling everyone where you are at every moment of the day. If that's a concern of yours (and it should be), here are a couple of thing to think about:
Not all friends are created equal.
You can request to connect with me on LinkedIn, and I'll automatically allow that. It's rare that I ever share my actual current location on LinkedIn, so my personal safety risk is low, even though that network of mine is filled with total, random strangers. I'm a lot more picky with Facebook, and downright protective of Swarm. I keep both of those networks pretty open so anyone can look up my profile and see where I'm checking in. But only "friends" on those networks can get notifications from me as I check in, which changes the equation. My rule on location-based social networks is this: Do I know the person well enough to have them show up and take a seat at the table with me when I'm eating? Because that's what I'm inviting when I accept that connection.
Sometimes later is better than now.
On more than one occasion, I've had people show up to a restaurant or bar just because I've checked in there. Most of the time, that's fine. But not always. So unless it's an open social occasion, I'm training myself to check in when I pay the bill, not when I walk in the door. I get the same "credit", but eliminate awkward situations.
I get that this approach isn't great for everyone. I fully understand that many people have very good reasons for not sharing their location with the world. And yes, I know that there are bad people just waiting for an invitation to do bad things. But this works for me. I have no valid reason not to share my location, and the benefits of my oversharing far outweigh any theoretical downside. I don't live my life in fear, and I like living out loud. You may not. That's OK. My suggestions on password safety and keeping your bank accounts protected work well enough on their own. This one was just a bonus.
This article was originally published by one of our partners on August 27, 2015. But they've since sold and taken all the great content offline. Luckily, I have copies of everything! Here's how my blog post announcement originally looked, as I was just linking to them. - Evo
My latest article on TravelSmith is out! TravelSmith is all about safety this month, and my article plays to that. But instead of reviewing the great gear they have to keep you safe, I covered some ways to help travelers stay safe online. Yes, that's important, too!