Beware the Risks While Away from Home

Spring Break escapes and summer getaways are on a lot of minds right now, especially in my neck of the woods where unseasonably warm temperatures (albeit mixed with periods of sub-freezing ice and snow) have us all dreaming of relaxing times ahead.

Sadly, travel is also on the minds of fraudsters. 

Crooks know just how to prey on people who are out of their element. They understand exactly how to exploit all the vulnerabilities as minds are on many other fun things. As good folks are gearing up for vacations, the scoundrels are planning how to take advantage.

So, be smart as you're out exploring. And be sure to read and share the tips below before you take off!
Singapore 2016
4 Unexpected Ways Your Privacy is at Risk in Hotels
Easy to let guard down when comfortable

Even as it's become an increasingly large target for fraudsters, the hospitality industry is doing a great job making guests feel at home. Sometimes, however, this can back-fire on guests' privacy. When we are most comfortable is often when we are most vulnerable.

Next time you visit a hotel, keep these things in mind...

Hotel staff have 24-hour access to your room. Just running to the vending machine or down to meet a colleague for a drink? Don't leave that laptop screen open. Confidential information can very easily fall into the wrong hands as cleaning, maintenance and other personnel are allowed to enter your room without notice or consent. And, if you leave the door open, which many people do in hotels, especially if they are just running down the hall to the vending machine or another room, anyone passing by can enter.

Hotel staff may be compelled by law enforcement to share data. Between 2015 and 2017, Motel 6 allegedly released personal information on over 9,100 guests to U.S. Immigration and Customs Enforcement (ICE).

Do Not Disturb signs are a request, not an order. The signs and key cards that tell hotel staff you'd rather they not enter are not a guarantee they will stay out. Since the deadliest mass shooting in U.S. history, during which a gunman used a Las Vegas hotel for cover, hotels across the world are making it clear they will ignore the signs if they have cause to enter the room.

Unseen eyes are watching you. In the hotel lobby. In restaurants. On planes. Chances are, you display too much of your personal and sensitive information on screens when you are out and about. Invest the comparatively small amount in a privacy screen for your smartphone, tablet, laptop and any other type of computing device you use while traveling. Here are some examples. (Full disclosure, I'm a 3M Visual Privacy Council Board member who truly believes the company's privacy screens are valuable. Of course, these types of screens are available from a few other companies, as well.)


If you operate or lead a hotel, motel, bed and breakfast, hostel, conference center or any other lodging / hospitality business, now is a good time to review your privacy policies.

Questions to consider:
  • Are you making each of the above points clear to your guests? 
  • Are you helping them understand when and how you may share their information or access their rooms? 
  • Do your employees and contractors know and follow these policies?

Alaska 2016
Privacy Hero: Mari J. Frank
Privacy expert leverages nearly every available media platform to advance message

Mari Frank, CIPP, is an attorney and author who has devoted her career to raising awareness of data security and privacy threats facing consumers and businesses. 

She is the author of several books, including The Complete Idiot's Guide to Recovering From Identity Theft and Safeguard Your Identity. She hosts her own radio show, Privacy Piracy, and was the host of the nationwide broadcast of the PBS Television special, Protecting Yourself in the Information Age. Mari has appeared on dozens of national TV programs and has been quoted by many journalists for their stories on data security and privacy issues.

In addition to her work to educate, she has donated countless hours to help victims of fraud and identity theft. Her devotion to this work is among the reasons she was named to Money Magazine's list of Money Heroes.  

Mari has a keen understanding of the influence government officials have in protecting citizens from harm in our increasingly connected world. She has testified many times in Congress and the California legislature, as well as spoken at the White House, on important issues related to data security and privacy. 

Several industries have come to rely on Mari's expertise. She has chaired the California State Bar Privacy Committee, and she advises 3M's Visual Privacy Council. She serves as a Fellow for the Ponemon Institute and was advisor to the California Office of Privacy Protection.

Want to hear some of Mari's advice? Listen to this Voice America show episode for a recent, insightful and wholly educational conversation we had about identity theft.

We want to know: Who is your privacy hero?
Each month in 2018, we'll introduce an individual who has gone over and above to advance data security and/or privacy in their corner of the world. To nominate, simply drop us a note and explain why we need to know your hero.
At the end of December, we will announce our Privacy Hero of 2018. He or she will receive a token of appreciation and commemoration of outstanding work.
U.S. Net Neutrality Laws Vary State by State
Travelers in America face different risks as they go
The FCC repealed net neutrality by officially relinquishing their authority for it in January of this year. And they did so in spite of strong objections, even from a minority number of the FCC's commissioners. It's a move I, and many colleagues across industries, view as damaging to privacy and the overall experience of using the internet.
So now we are faced with a situation in which there is no U.S. federal authority ensuring net neutrality. As a result, different U.S. states are applying different rules to the internet service providers (ISPs) that operate in their jurisdictions. (Some are also suing the FCC.) Aside from creating a lot of confusion, especially for national and international companies and the consumers who buy from them, the patchwork legislation can create different experiences for Internet users as they move across the country.

What does this mean for you as a traveler? Many things. But one very important outcome is that the ISP providing internet service to your airport, cab, hotel or conference center may, in fact, be able to collect and use data on your online activities without having to ask your permission.


Use a VPN. A virtual private network gives you an encrypted, private channel for accessing the internet. Of course, the VPN can usually see what you're up to and could be compelled to share that data.

Use Tor. Tor is, in general, anonymity software that allows users to remain anonymous online. It may even allow users to visit some dark web sites.

What the country needs, as the Internet Association supports, is a clear framework that protects the free flow of information online. This will prevent consumers from having to download cumbersome, inconvenient software. It will stop ISPs and other online providers from nickel-and-diming customers, especially small businesses and startups that now may be asked to pay extra for being "findable" online.

Without net neutrality, ISPs can easily bury content if a customer doesn't pay up. That is not freedom, nor is it supporting the great potential the internet has to provide value and services to everyone.

Meeting 'Real' People in a Digital World
Catfishing and account spoofing are on the rise
If you get an online connection, such as a LinkedIn or Facebook friend request, always view it with skepticism. Especially after returning from a trip during which you met lots of new people, it can be tempting to assume the request is coming from a legitimately new acquaintance.

But, it may very well be fake.

It's a global problem. According to Australia's Stay Safe Online, the creation of fake social media profiles is now an industry worth over $700 million. For its part, Twitter says approximately 8 percent of its accounts are fake. Facebook said in 2017 it had more than 200 million fake or duplicate accounts globally, an increase of 14 percent from 2016.

By and large, fake attempts to connect with you are initiated via machine learning and artificial intelligence robots. Crooks purchase inexpensive software that scours the internet looking for "easy marks." Here are a few things you can do to stay off the radar of these fraudsters and their computers:

Learn the social platform's privacy settings. And review them quarterly. Social brands are notorious for making frequent changes to their options.

Enable two-factor authentication. This makes it much less simple to hack your account, which spoofers do so they can impersonate you. Once they have your photos, your personal data and your connections, they can much more easily fool people into believing their account is legitimate.

Use a strong password. You've heard it before. No names, addresses or easily guessed passwords. NEVER use the same password on social media that you use on your financial accounts.

Search by image on Google. I once caught a spoofer by putting his social profile pic into Google Images.

In the April Tips I'll include a case study showing how fraudsters tried to catfish me!
Quick-Hit Travel Tips

Remember these simple rules when leaving town

Don't post until you're home. This can be a tough one. You want to share your experiences in real-time with your connections. But remember, not everyone is watching with a good heart. Instead of seeing that beautiful beach sunset, a crook sees an unoccupied home or office.

Avoid using public charging stations. A good rule of thumb is never to put an unknown USB or other cord into your device. Malware could be present, and now all of your data has been exposed. There are devices that sit between your phone or laptop and a public USB, so if using public charging stations is something you want to continue doing, you may consider investing in one. See my YouTube videos, such as this one, for discussions of skimmers.

Watch out for fake WiFi. Fraudsters create their own WiFi networks, sit in public spaces and wait for unsuspecting internet users to jump on. They use that connection to steal anything they want off the connected devices, and from the transmissions - photos, files, account numbers, you name it! Use your own WiFi hotspot whenever possible.

Beware of unmanned terminals. ATMs, gas pumps - anywhere you are asked to swipe a card without a cashier present - are vulnerable to skimming. If something looks out of the ordinary or tampered with, find a different machine.

My flight to Singapore on All Nippon Airways (ANA) 2016

Flash Alert Shines Light on Troublesome Vendors

The U.S. Office of Personnel Management (OPM) is not happy with one of its vendors, Health Net of California. 

The federal government's chief HR agency claims Health Net of California is obstructing OPM from conducting vulnerability testing of its systems. What's worse, they claim, is that the vendor contract Health Net of California signed with OPM obligates the insurer to let OPM perform this testing.

Unfortunately, this continues to be a problem in health care and beyond. Securing vendor cooperation with vulnerability and penetration tests has been notoriously difficult. The same goes for other technology-based assessments, risk assessments and program audits.

2 simple things you can do...

Be aware of timing. Companies should make efforts to work with vendors so testing does not occur during difficult times, such as a key employee's absence or the vendor's implementation of a new enterprise operating system or application.

Be clear in the contract. Companies must include specifics in their vendor agreements. Contracts should cover what constitutes an acceptable refusal or reschedule of testing requests. They should also describe what action will take place if the vendor refuses to allow the testing.

For more information on how to address these challenges, check out Health Net Cited for Refusing a Security Audit.

Privacy Professor On The Road & In the News

On the road and in the ethernet...

One of my favorite things to do is visit with leaders in different industries - health care and managed systems providers to insurance and energy (and beyond!). Below are a few of the places I have been recently and a few of the events I have scheduled for the upcoming season.

April 17: Providing identity theft information at Compass Financial in Des Moines, Iowa at their free, public event.

April 24: Teaching online GDPR Compliance MasterClass for IT GRC Forum

April 26: Teaching ISACA ILLOWA Chapter 1-day ISACA ILLOWA Spring Seminar on Privacy Management & Privacy Impact Assessments (8 CPEs) at the ProCircular facilities in Coralville, Iowa.

May 30-31: Giving Keynote SecureWorld, Atlanta, Georgia. 

September 19-20: Giving keynote and sessions at Data Privacy Asia, Manila, Philippines.

Privacy Professor in the news...


I'm so excited to be hosting Data Security & Privacy with The Privacy Professor on the VoiceAmerica Business network. Our first several episodes are available for on-demand listening. Hear the perspectives of incredible guests as they talk through a wide range of hot topics, including identity theft, medical cannabis patient privacy, cybercrime prosecutions and evidence, and government surveillance.

Friday, Mar. 2, I'll be talking with the renowned Tom Conley on how companies, airlines, law enforcement and others can balance security with privacy when using body cameras. The theme of our Mar. 9 episode is uberveillance, and we'll be talking with Dr. Katina Michael about the growing Internet of Medical Things (IoMT).

Do you have an idea for a show topic? Or would like to suggest someone who would be a great guest? Please let me know!

CPO Magazine

Healthcare Info Security

The morning TV broadcast regularly covers privacy and security tips with their guest, the Privacy Professor! Each is a brief 10-15 minutes and covers topics ranging from insider theft to connected vehicles. Check out this online library to watch recent episodes.

On February 19, we talked through a different type of identity issue on the internet, specifically the case of the California man tied to Russian interference in the U.S. presidential election. 

You can catch up on many of my visits to CWIowa Live with my on-demand library on YouTube.

Questions? Topics?

Have a topic I should discuss on the CWIowa Live morning show or on my VoiceAmerica radio show? Or, a question I can answer in my next monthly Tips? Let me know!

My trip to Alaska, circa Feb. 2016
Time away is exciting enough without inviting fraudsters, scammers, crooks and cons into your experience. 

By following just a few simple tips, you can greatly mitigate your security & privacy risks, ensuring you get to squeeze every enjoyable moment out of your travels.

Here's to fantastic (safe, secure & private!) travels this Spring!

Rebecca Herold, The Privacy Professor

Need Help?

Permission to Share

Want to repurpose the information contained in this Tips? Yes, please forward in its entirety. 

If you prefer to use only excerpts, please use this attribution:

Source: Rebecca Herold, Founder, The Privacy Professor®

NOTE: Permission for excerpts does not extend to images.
The Privacy Professor
Rebecca Herold & Associates, LLC
Mobile: 515.491.1564
