Four ways your devices can be hacked in hotels and how to stay safe
There’s a new wave of scams to watch out for this summer.
With millions of travelers gearing up for vacation in the coming months, experts warn to be wary of what is now one of the biggest scam hotspots: hotels.
Fraudsters can set up fake “evil twin” Wi-Fi connections to steal passwords and even modify USB ports to collect data using a technique called “juice jacking,” according to a report from Nord VPN.
Account takeover fraud – fueled by data theft – accounts for about 15 percent of all fraud worldwide. That’s about 136 million cases last year, according to a LexisNexis report that collects data from companies around the world.
Britons should be wary of scams in their hotel rooms where scammers set up ‘evil twin’ Wi-Fi to steal personal and financial details
Nord VPN claims that hackers can use cybersecurity vulnerabilities in hotels in a variety of ways to target vacationers – even in rooms.
Jason Lane-Sellers, director of market planning at LexisNexis Risk Solutions, said: “Crowded resorts full of laid-back tourists who let their guard down will no doubt be seen as a tempting opportunity for fraudsters during the summer months.”
Below, Nord VPN reveals four ways scammers can steal data this summer – and how to avoid it.
1. Fake Wi-Fi networks
Hackers can use a hotel’s Wi-Fi in two ways to steal travelers’ passwords and personal information.
One is to connect to the hotel Wi-Fi and install malicious malware.
The second is creating a so-called ‘evil twin’ – a fake, unprotected WiFi hotspot with an unsuspecting name like ‘guest WiFi’ or ‘free hotel WiFi’. This way they can then steal private data.
All the fraudster needs to do is set up a fake Wi-Fi network with a convincing-looking login page that asks for your name and email address and prompts you to create a username and password.
“It’s not much more complicated than setting up your phone as a hotspot,” says Lane-Sellers.
Once they have this, they use a technique called credential testing to attempt to log into the victim’s online accounts, such as banking or credit services.
This is made even easier as many people still use the same username and password combination for all of their online accounts. So once the fraudster has one set of credentials, he has a good chance of success.
“Once they have your details, they can also call you and try a scam scenario. For example, they call as if they were your bank and say there’s a problem – and of course they say they ‘can tell from your transactions that you’re on vacation’ – to help convince you it’s real,” explains Lane-Sellers out.
Andrianus Warmenhoven, cybersecurity expert at NordVPN said: “To avoid being hacked on hotel Wi-Fi, travelers should ask the person at the front desk for the exact name and password for the Wi-Fi provided to prevent them from connecting with an ‘evil twin’ network.
You can also use a VPN service to encrypt your data and prevent third parties from intercepting it.
Warmenhoven also says “it’s always a good idea to turn on a firewall when using public Wi-Fi.”
2. Dodgy USB charging ports and chargers
Some hotels install USB charging ports in hotel rooms for the convenience of visitors. This is a tempting way to charge a device, especially if the guest is coming from a location with a different type of plug.
However, this can carry the risk of becoming a victim of cybercriminals.
Hackers can charge cables in public places to install malware on phones to carry out an attack called juice jacking.
This type of attack allows hackers to steal users’ passwords, credit card information, address, name, and other information.
Warmenhoven: ‘Usually the safest way to charge your device is via a socket. Otherwise, it’s a good idea to bring a power bank or USB data blocker.”
Watch out for the plug, adds Lane-Sellers: “If a charging point looks odd or has been tampered with, don’t use it.
“If you plug your phone into a charger and your phone asks you to ‘allow access to this device,’ don’t allow it.”
3. Smart TV cyberstalking
A smart TV can become a gateway for cybercriminals. They are wired to local Wi-Fi to give travelers access to apps and streaming platforms.
A hacked smart TV can be used to cyberstalk travelers with built-in microphones or cameras, or steal personal credentials used to log into smart TV apps and sell them on the dark web.
The best thing you can do, according to Nord VPN, is to keep the smart TV disconnected from power sources when not in use.
Covering the webcam and avoiding logging in with personal credentials also reduces cyber risks.
4. Automatic connections to Wi-Fi
Disabling the auto-connect feature on your devices can help mitigate cybersecurity risks during a trip, as devices can be surrounded by public and insecure internet connections.
This way, even if it connects to Wi-Fi, the device remains protected from cybercrime, says Nord VPN.
The cyberattack group DarkHotel is known to compromise luxury hotel Wi-Fi by combining spear phishing, dangerous malware and botnet automation designed to capture confidential data.
Unfortunately, complete cyber-attack prevention can be challenging, especially when it comes to professional hackers targeting high-value targets.
Because the group seeks only high-value targets — C-level executives, politicians, representatives of military organizations, and representatives of pharmaceutical companies — phishing emails are tailored to each target and highly persuasive.
Warmenhoven said: ‘Travellers should always be aware of phishing attacks – check the authenticity of suspicious emails and executable files and watch out for odd spellings.’
In general, if you think your data or your device may have been hacked while you were away, change your bank or credit card passwords immediately and then contact your bank to give permission.
Never reuse passwords or use easy-to-guess passwords, especially for things like financial services.
Some links in this article may be affiliate links. If you click on it, we may earn a small commission. That helps us fund This Is Money and use it for free. We do not write articles to promote products. We do not allow any commercial relationship to compromise our editorial independence.