It starts innocently enough, with the same exact transaction you've performed a thousand times before. You walk up to an unassuming ATM kiosk, slip a plastic debit card into the slot, punch in a personal code and withdraw cash. Convenient, absolutely, but ATMs can host hidden dangers, especially for travelers already distracted by luggage, train schedules or herding an unruly family through an airport.
It's a scam called ATM skimming, and it's only one of the pitfalls to watch out for, especially when traveling in unfamiliar territory, whether you're on vacation or a work trip. And with a little preparation, you can outwit the crooks.
Beware the skim scam
Skimming is a way for criminals to gain access to your ATM card's magnetic stripe information and your PIN, giving them open access to your bank account. They start by attaching a hidden card reader to an ATM; it fits perfectly over the existing card slot on, or even inside, the slot itself. Often, the bad guys also will place a tiny camera on the ATM, to capture your PIN as you type it on the keypad. Then, after retrieving the skimmer and camera from a compromised machine (some readers also transmit the stolen data wirelessly), the crooks can make a copy of your card, or just sell the information on the black market.
The good news is that the shift to chip-and-pin style cards (credit and debit cards with tiny microchips built in, in addition to magnetic stripes), may eventually make ATM skimming a thing of the past. But criminals also know this and are stepping up their game in the meantime -- financial company FICO reported that instances of ATM skimming rose by 546 percent from 2014 to 2015.
Until you get a new card, your first line of defense is to do what security experts call the "shake, rattle and roll" test before using an ATM. Grab the card slot, which usually protrudes from the machine's face, and give it a close visual examination, along with a quick tug or wiggle. Even a skimmer device that looks like a legitimate card slot may be loose or rattle or its design won't match the rest of the ATM.
Ryan Naraine, head of security research at Kaspersky Lab USA, a research group and maker of security software, goes to even greater lengths to make sure his ATM transactions are secure. He suggests avoiding all standalone ATMs (like the free-standing machines at a convenience store) unless it's 100 percent necessary. "Use ATMs only at banks. And if possible at all, go into the banking location to do it," he says. "Actually walk into the bank to use the ATM instead of one at the side of the street."
Many travelers rightly shake their heads at the idea of paying $20 a day or more just to connect to the internet from a hotel room. But, if you simply must get online and aren't careful, surfing from your hotel room can be much more than just expensive.
One scam that's not widespread, but potentially very damaging, is the fake Wi-Fi hotspot. It can pop up in coffee shops, airports and, yes, hotels. And it's easier to fall for than you might think. Imagine flipping open your laptop in a hotel room after a long day on the road. You have email to answer, or you want to Skype with your spouse before bed. Searching the available Wi-Fi networks, you see one with the name of your hotel, so naturally you assume that's the one to join.
In fact, it could be an impostor network, deliberately named to fool you into connecting. Then, while a scammer is monitoring your activity, your passwords and other sensitive information are compromised. It's as simple as mistakenly joining "Chain Hotel Wi-Fi" rather than the real network, which might have a name like "Chain Hotel Guest Wi-Fi."
How can you tell the difference? Fortunately, the answer is right in front of you. When checking into a hotel, confirm the exact name of the Wi-Fi network you need to join, which is usually printed on a card or in a book right in your room. When in doubt, check with the front desk.
Naraine also recommends tethering to your phone instead for doing anything sensitive, like online shopping or sending personal information. "If it's not a financial burden, absolutely [tethering] is a top-of-the-list thing," he says. Just keep in mind that tethering may be exorbitant or even impossible when traveling internationally.
If hotel or public Wi-Fi is your only option, using encrypted messaging apps like WhatsApp, Telegram, Wickr or Threema is a second line of defense.
Grifters at the gate
One of the most physically secure spots many travelers visit may be one of the most dangerous for your data. While it's nearly impossible to sneak a bottle of water past airport security these days, it's very easy for someone to walk out with your online passwords or other sensitive information.
The first thing many travelers do while waiting at their gate is log into the airport Wi-Fi and check their email. Naraine says, "One of our researchers actually did an experiment where he just sat in a corner of an airport with a camera pointed at people's keyboards. You can slow that down and get usernames and passwords really, really easy in airports, because everyone has cameras and everyone is shooting [photos] around the airport."
But not all potential data dangers come from high-tech sources. It's the most analog part of air travel that's especially vulnerable -- your old-fashioned printed boarding pass.
Naraine recommends avoiding printed boarding passes completely as they typically carry a lot of potentially sensitive personal information including frequent-flyer account numbers and itinerary details such as dates and destinations. (For the same reasons, don't post a photo of your pass on social media.) Instead, use your airline's app to check in. "If you can't avoid printed boarding passes, you should destroy them," he says. "Be careful about leaving them in the back of the seat or dropping them...It's a small thing, but it goes a long way."
This story appears in the fall 2016 edition of CNET Magazine. For other magazine stories, click here.