Your cell phone and laptop contain highly sensitive and important information, both personal and business. Those digital assets are only two that criminals or others can exploit. Consider your radio frequency identification (RFID)-enabled passport, passport card, and credit cards. What about your GPS device? Your digital camera?
They all contain information you wouldn’t share with just anyone. Your digital devices can leave you open for identity theft, unwanted disclosure of critical information, and even tracking.
A 2009 study by Ponemon Institute indicated that a laptop is stolen every 53 seconds. If you want to lose a laptop, go to London’s Heathrow Airport. A study by that same group showed 900 laptops were lost or stolen there every week.
According to Institute, the average value of a lost laptop is $49,246. Of course, this goes far beyond the value of the machine.
This value breaks into seven cost components: replacement cost; detection; forensics; data breach; lost intellectual property costs; lost productivity, and legal, consulting, and regulatory expenses.
The most costly issue is a potential data breach. This represents about 80% of the cost. Intellectual property loss represents 59% of the total cost. Data breaches can occur not just from stolen laptops. Any digital device may be exploited--even while in the possession of their owners.
Your smartphone holds emails, passwords, contacts, digital wallets, and applications that link to products in your life. The lowly GPS device? It can broadcast your home address, the addresses of friends and family, and your travel history. If someone wanted to target you for a kidnapping or other nefarious act, your GPS could be his best friend.
In a 2011 speech, the Global Security Coordinator for the Overseas Security Advisory Council (OSAC) noted the fastest-growing segment of international organized crime is cybercrime, with smartphones a particular sweet spot.
Technology has made our daily life easier and business more convenient. It’s also opened us up to a whole new array of threats. Need a new product? Use your smartphone to order on the internet or laptop via Wi-Fi from anywhere in the world. Easy. And it’s easy for thieves or anyone else to piggyback on that wireless data exchange.
Your smartphone or laptop can automatically connect to an open Wi-FI network if a connection has been made before. Open Wi-Fi at public locations like airports, hotels, and retail shops often give all users the same password. This makes it easy for other computers on the network to listen in for unsecured credit card information or user names or passwords. It’s not just financial jeopardy. We store vast amounts of personal and business information on our laptops and cell phones.
Public networks are often vulnerable to “man-in-the-middle” attacks. In this scenario, a bad guy co-opts the security of the network. You use the public Wi-Fi to access a secure portal-- your workplace or financial institution, for example. The hacker then establishes a secure connection with that establishment without your knowledge. With a fake certificate, the bad guy then creates a secure connection between his computer and yours, intercepts your password, decrypts it, and then uses it to hijack data or finances.
What’s more concerning is if your digital device doesn’t even have to be “on” to be a target for a hacker or tracker. One way to thwart hackers was to remove the smartphone battery. But this doesn’t work for some newer smartphones like the iPhone because the battery can’t be removed. Even when “off,” your cell phone can still be corresponding with cell phone towers and giving off GPS locations allowing tracking to occur. In addition, cell phone information can be at risk for data exploitation through “man-in-the-middle” operations where your adversaries take control of your phone with an off-the-shelf mobile tower. These systems are getting cheaper and cheaper as the technology becomes even more popular.
Seemingly innocent RFID passports, cards, drivers’ licenses, and credit cards can expose you to potential threats. U.S. passports issued since August 2007 carry a data chip with the same information displayed on the page beneath your photo. This usually includes your date of birth, passport number and date of expiration, and a biometric identifier, often your digital photo.
U.S. RFID passports have an interior protective foil lining and Basic Access Control (BAC) encryption to minimize the risk of “skimming” and “eavesdropping.”
Skimming is when a bad guy reads the electronic chip information without your knowledge. Eavesdropping is when the bad guy intercepts the chip data transmission to an authorized reader. CNN reported that some RFID chips can be read from as far away as 10 feet. Having your passport cracked open even one-half an inch can compromise its protection from skimming. So, even with encryption, security can be compromised.
Passport cards and electronic drivers licenses (EDL), which are available in some states, were remotely copied from more than 150 feet by University of Washington researchers.1 Researchers at the United Kingdom’s University of Birmingham found RFID passports were trackable without having to break the passport’s encryption.2
What’s a savvy traveler to do? Our travel security company works with businesses like Dow Jones & Company to train employees to mitigate risks through enhanced travel security awareness. There are proven steps you can take to identify, avoid, or mitigate potential threats, including digital threats.
First, conduct research before you travel. Research recent news about technology changes and security incidents involving technology or cybercrime.
If traveling abroad, what rules does the country’s customs have? When crossing the United States border, U.S. customs agents can search for anything on your devices with probable cause and can copy data they don’t have time to search for later review. Some other countries don’t need probable cause. It pays to guard your data before you get in this situation.
And, instead of the phrase, “Don’t leave home without it,” be sure to leave home without valuable data that isn’t necessary for your trip.
The most effective defense against digital threats is a combination of physical and cyber security measures.
• A close watch on your devices at all times.
• Using physical locks and properly securing devices.
• Blocking RFID chips from being accessed or read until you want your devices or cards to be read. You may want to:
o A more comfortable option is an RFID-blocking pouch. To ensure operational success, RFID-blocking pouches must seal totally.
Laptops may be left on or in standby mode, exposing them to exploitation. When traveling, use signal-shielding messenger bags or brief cases, which block signals in or out.
Physical security also includes area security. Don’t leave devices where someone can gain access. Your hotel room isn’t safe. Neither is your rental car. It only takes seconds to copy data off your GPS.
Learn how to determine whether someone has been in your hotel room, rental car, or backpack. And if someone has accessed your digital equipment. Software protection can help you determine this. In addition, you can set certain physical markers to determine if your room, rental car, or personal belongings have been compromised. These markers can be learned through travel security training.
• Put a password on your cell phone. That includes a PIN on your SIM card. Use remote tracking and wiping capability if available.
• Change passwords often and don’t reuse passwords. Don’t use the same ones for your digital devices.
• Use longer passwords for your laptop. Ideally, at least 14 characters with a combination of numbers, uppercase and lowercase letters, and special characters. Avoid common dictionary words or number or dates with meaning.
Why such a long password? Automatic password-cracking programs can quickly break simple, shorter passwords. For example, it can take only about 30 minutes to come up with an alpha-numeric password up to eight digits long.
Use only protected WiFi connections for web access. You can do this by:
• Using HTTPS (Hypertext Transfer Protocol Secure), a combination of Hypertext Transfer Protocol (HTTP) with SSL/TLS protocol. This provides encrypted communication and secure identification of a network web server.
o When going on websites that should be secure, check to make sure it says HTTPS in your browser.
o Or use an add-on that tells you whether a page is secure or not. Most online services can turn this feature on. Gmail has the ability to use it all the time.
• Using a virtual private network (VPN) to access a central organizational network. Be sure you know where the VPN is going!
Encryption of data for storage and transmission is another great security measure. For laptops, set a BIOS password that does not allow the BIOS settings to be changed. Remove all bootable devices except the local hard drive. Hardware options include storage devices like IronKey UBS. Software options include programs like the Windows Encrypting File System (EFS), WinZip, TrueCrypt, and Mac Disk Utility 256 AES Partition.
These are only a few of the many precautions you can take to protect your digital devices. When you leave on your trip, you lock your house and car. Now, make sure you’ve locked your digital data.
1“EPC RFID Tag Security Weaknesses and Defenses: Passport Cards, Enhanced Drivers Licenses, and Beyond,” Karl Koscher, Ari Juels, Vjekoslav Brajkovic and Tadayoshi Kohno, AMCM CCS, 2009.
2"A Traceability Attack Against e-Passports," Tom Chothia and Vitaliv Smirnov, School of Computer Science, University of Birmingham, Birmingham, United Kingdom, presented at the 14th International Conference on Financial Cryptography and Data Security, 2010.
Clinton Emerson is chief executive officer of Escape the Wolf, a company providing preemptive, holistic travel risk mitigation solutions for companies and government agencies. Emerson teaches preemptive risk mitigation strategies and practices developed from his own experience in combat and highly sensitive operations worldwide as a Department of Defense employee for nearly 20 years.