Traveling Safe with a Smart Phone
Cyber Defense and Research, Inc.
Dr. Steve Smith
These general guidelines will help increase your security as you travel. This is a broad overview of the technology on your phone and how to make it difficult for miscreant malcontents to steal your data. It’s advisable to not keep credit card numbers, credit card pictures or other valuable information on your phone while overseas.
WiFi-Calling: If you are in a place that has good WiFi, and you’ll be there for a while, you can use WiFi-Calling. This uses the WiFi instead of cell towers for calls, as well as texts. The SMS text messages function the same over WiFi. This can help reduce data charges, save your phone power by not using the cell-phone transmitter and receiver. There is a setting in WiFi-Calling that lets the phone connect to registered hot-spots, so if you’re in a city with lots of available WiFi, you don’t have to stay in one place. This applies for normal usage at home. If you spend all day in the same spot, enabling WiFi-calling can do the same there: save battery, reduce phone information “scatter” and cut down on data usage. If you use it in a city, where you’ll be changing hot-spots as you go, keep your VPN enabled to protect your data. (More on VPNs below)
Turn-on location: If your phone can run all day with the GPS service on, then leave it on. This will make your location trackable should anything go wrong. Do this especially in 3rd world countries where Americans are often kidnapped for ransom. Even in 1st world countries, crimes against tourists are common, so it’s good to have your location available to authorities.
Protect Your Phone! : There is a huge underground market in stolen phones. Even though iPhone’s iCloud lock and Android’s pin lock can keep a thief from using the phone, that doesn’t stop them from selling it for parts. In one study, a third of iPhones stolen from the US were shipped to China and re-flashed with other stolen info to enable them to work. Don’t hold the phone way out in front of you while taking pictures, hold it high and close. You can even use key chain tethers to physically attach your phone to your belt. In tourist destinations, often children will just run up, grab the phone and run off so fast you won’t know what they look like. Sometimes, they will offer to sell you something, then grab the phone and run. So don’t show off your phone in public (meaning don’t look through pictures or other unnecessary tasks you can do later in a safer place). Make sure your phone has a PIN to login. If you like to use the fingerprint or face scanning, research your specific model, because on some models, those biometric options don’t work well and anyone can open the device.
If your phone is stolen, call your provider and cancel the account so the thief can’t run up charges. Providers have stolen phone lists. Make sure all your accounts have other passwords besides your login pin. Many times, a thief will contact the victim through phone calls or email, pretending to be the service provider and ask for your pin or password so they can locate the device, while in actuality, they’re getting your password/PIN to unlock your phone. There are kits sold underground that provide forms and emails a thief can use to contact the victim to try and get the passwords/PIN from the victims. If your phone is stolen, only give information to your service provider when you call them. If they call you asking for passwords and PINs, they’re likely the criminals. Feel free to either witness to them about the Gospel or curse them a blue streak a sailor would be proud of-whichever your inclination.
Turn-on Cloud backup: Some Android systems have multiple cloud backup options. My Samsung phone through Sprint can backup to Samsung’s cloud or Sprint’s Cloud, or both. They have different storage amounts so know how much data you have left before traveling. When at home, you should leave this “off” and backup your phone to your PC so you’ll always have access to your data. Cloud backups are not secure so it’s best to use them only when away from home. ALSO, turn it on and let it backup over free WiFi through a VPN at the hotel overnight. Once the initial backup is made (which you can do a day before leaving home) then only additional pictures and new data will be added to the backup. If you have a good roaming data plan, it’s easier to enable this the day before leaving then let it backup on its own schedule. One thing to remember: the Supreme Court has ruled that any data transmitted to a third party (the cloud) relinquishes any expectation of privacy in that information. Anything on a public server (the cloud) cannot be claimed private. You have copyrights, but no privacy rights.
Mobile Data: Call your cell carrier before you leave and ask them about coverage where you’ll be going. A lot of people buy a cheap sim at the country they are traveling to in order to save from roaming charges. This works if your phone is GSM and unlocked from a single provider. Most phones in the United States are CDMA. Only some Apple, some AT&T, and a few other phones are GSM capable. You can call your provider and ask or lookup your cell phone online to see if it’s GSM or CDMA. The issue is that GSM is the standard for the rest of the world. However you decide to use your phone overseas, you’ll want to leave the Mobile Data activated. This, in concert with the GPS Location Services will provide tracking data to help keep you safe.
Turn off Bluetooth: Unless you are using it, Bluetooth should not be on. Bluetooth is the least safe connection of any of the wireless connections on a phone. Turn it off when you are done using it. Malicious Bluetooth devices can connect through security weaknesses if it is on, even if you are already using a Bluetooth device.
Turn off Wi-Fi when not in use: Most smart phones have a setting that will let your phone automatically and unknowingly connect to any available Wi-Fi signal. Disable this setting always so that you have to choose a Wi-Fi network. Even if the setting is off, your phone will still be sending a Wi-Fi signal looking for networks. This is why it’s best to turn off Wi-Fi when you aren’t using it.
Your GPS may also rely on Wi-Fi. If you’re using maps and searching for something it will need Wi-Fi or a cell data network. Wi-Fi is usually faster, but letting it use cell data is safer.
If you are connected to a network and not using it, there is still a lot of traffic on that network that gives away information about your phone. If your phone is named Steve’s s8, then if I am connected to Wi-Fi, and a VPN, and doing nothing online, then anyone watching web traffic will know there’s someone around named Steve who has a Samsung Galaxy s8. VPNs only encrypt TCP/IP traffic, which is what web sites broadcast. However, there are several other lower level protocols that don’t use TCP/IP, but use your device’s name and MAC address to setup and keep connections alive. These other protocols, like NetBIOS or UDP, use your device’s MAC address to setup, monitor, and keep communications working. So turn off your Wi-Fi when not using it so that your MAC address and device name aren’t constantly being broadcast.
VPN: A VPN encrypts the data packets between your phone and the endpoint on the internet. You may have to turn it off to put the password in your hotel Wi-Fi, then enable it. Choose a server in the country you are in, if you are in a 1st world country. If you are in a third world country, choose a VPN server in your home country. One thing to know, if you connect to a VPN server in a country that doesn’t speak English, your web pages might not appear in English, but can be in that country’s language. Your preferred language is built into your browser so well programmed websites will automatically ask for that information from your browser and use the appropriate language. Some websites don’t.
A VPN encrypts your data to the VPN server you choose. From there it goes out into the internet to the website you are calling. Most websites are https, which will encrypt the data between you and it, but even that is hackable. VPN makes your point of getting “on” the internet be the server you choose. Not all servers are the same speed. Try using different servers in different 1st world countries to see which ones give you the best speed and service. Using a VPN server in Ukraine (or other former Eastern-Bloc countries), in Asia, South America or Africa is not advisable unless you are trying to reach a website hosting inside that country.
A VPN can work over cell data networks or Wi-Fi. But if you connect over cell data then connect to a Wi-Fi, you’ll need to stop the VPN, turn off cell data, then connect to Wi-Fi, start the VPN and then turn cell data back on. Most phones switch effortlessly between Wi-Fi and cell data so you never know. If your VPN is connected to cell but you’re using Wi-Fi, your data is not being protected over Wi-Fi. My suggestion is to leave Wi-Fi off and connect the VPN over cell data when you need secure internet access during the day. Once you get to your room, then turn off the cell data and VPN, connect to Wi-Fi, then reconnect to VPN then turn cell data back on. You don’t want to leave a VPN running over a cell data connection because data will be sent to keep the connection alive even if you’re not using it. You’d be paying roaming charges while you weren’t even using it.
Selecting a VPN: Be sure to get one that has a good reputation. A lot of articles on the web are paid advertisements made to look like legitimate comparisons. So when doing research, use one that has lots of reviews and one that is mentioned often in well-known real technology magazines or website. I’ve only used 2 pay VPNs, one TigerVPN and the other ExpressVPN. Express gets good reviews and has a fair price. It also has much better performance than TigerVPN. Don’t fall for one-time price lifetime plans like I tried with TigerVPN.
If you’re only accessing data that doesn’t contain anything dangerous to lose, a VPN isn’t necessary.
Business provided Wi-Fi: Business provided Wi-Fi is not safe. It is easy for a criminal to setup a network flow recorder and pickup everything that goes across it. A decently safe Wi-Fi will have you input a password they give you at check-in, and then when you log into it, it will be an https page. Https, or encrypted, protects data from being seen in transit. If you enter your credit card number in a http page or otherwise not encrypted page, anyone monitoring network traffic can see it. Make sure the lock is shown in your browser and it says https in the URL.
Phone software: Make sure your phone software is up to date. Update the firmware and the software to fix any security vulnerabilities. Your browser and OS should be up to date with security patches to prevent criminals from easily stealing your data.
Phone: use a long password or fingerprint (as mentioned above) to lock your phone. Even if you don’t do this at home, you should do this while traveling. Make sure it is set to go to the lock screen after a time of not being used. Similarly, if your phone has data encryption options, which most do since 2010 or so, enable it. This makes your data unreadable should someone manage to copy data from your phone.
Log out of apps like Wallet or Amazon, or any other app that involves charges and usually keeps you logged in. This will keep someone from using those apps unknowingly. You can check your phone’s data usage to see how much it’s using during your travels, so you’re not surprised by the charges.
Download pictures, videos, and any other data on the phone that you want to keep, before you leave. Besides giving yourself more space for lots of pictures on vacation, you’ll be happy not to lose those other pictures if something does happen to your phone.
Smart-phones are just mobile computers and everyday someone comes up with another way to hack one. There is no way to be “bullet-proof” online, but you don’t want to paint a target on your back either. Software for capturing network data is easily available and easy to use. Protect yourself by using your smart-phone smartly.
Feel free to print this page for reference.