MONEY Banking

Think Twice Before Linking Your Bank Account to an App

Consumer protections limit your liability in case of fraud -- but you need to act quickly.

Consumers routinely share their online banking passwords with third-party apps that help with everything from budgeting to tax preparation. Apparently banks would like this to stop. JPMorgan Chase posted this notice on its website in April:

“If you give out your chase.com User ID and Password, you are putting your money at risk,” says a page titled Guard Your ID and Password. “Some websites and software offer tools to help you with budgeting, managing accounts, investing, or even doing your taxes. But if you’re giving them your chase.com User ID and Password, you could be responsible for money you might lose as a result.”

That’s no small threat. In other words, if one of those third parties gets hacked and a criminal takes your money, you could lose it all.

The page goes on to advise consumers who’ve already shared their passwords to immediately change them — and of course, not give the new login information to the third party.

The warning is broad, but popular sites like Mint.com, which perform item-by-item analysis of consumers’ accounts, stand to lose the most if consumers heed the warning. So I asked Mint what it thought about Chase’s post.

Holly Perez, a Mint spokeswoman, said the warning was not really new. Several banks have language in their user agreements telling consumers not to share login information with third parties. She’s right. Here is language from Capital One’s agreement:

“Sharing your Capital One access credentials (with third parties) may represent a breach by you of applicable [agreement or terms and conditions],” it reads. “One of the reasons that Capital One prohibits this type of sharing is that we may not have any information regarding the use of or security environment around this sensitive information at any third party. If you choose to share account access information with a third party, Capital One is not liable for any resulting damages or losses.”

Chase’s new posting is probably the result of the recent increase in high-profile hacks, Perez speculated.

Trish Wexler, a senior vice president at Chase, agreed, and pointed out that similar language was present in the Chase user agreement long before the April post: “If you disclose your Card numbers, account numbers, PINs, User IDs, and/or Passwords to any person(s) or entity, you assume all risks and losses associated with such disclosure.”

Wexler said the post was not aimed at any particular third-party service, and she did not know of any incident which led to the post. It was published out of a desire to put that provision of the user agreement into plain language. She also said the post should not be interpreted as Chase telling consumers not to use any specific service, such as Mint.

“Our job is to make sure consumers can make their own choices based on all the available information,” she said. “Clearly customers want to be able to use services like this. They need to understand there are risks associated with giving out their user name and password, be it to a third-party service or a neighbor.”

What the Law Has to Say

Those risks aren’t completely clear, however. Federal banking regulations concerning unauthorized electronic funds transfers are very consumer-friendly. Consumer liability for losses is capped at $50 or $500, depending on how quickly a consumer reports fraud once it is discovered. Even negligence doesn’t increase the consumer’s liability, banking regulators have said. For example, even writing a PIN code on a debit card doesn’t increase the consumer’s liability if the card is stolen and used to make withdrawals.

“Negligence by the consumer cannot be used as the basis for imposing greater liability than is permissible,” the rules say. “Thus, consumer behavior that may constitute negligence under state law…does not affect the consumer’s liability for unauthorized transfers.”

The rules go on to say that banks cannot impose additional liability on consumers.

“The extent of the consumer’s liability is determined solely by the consumer’s promptness in reporting the loss or theft of an access device. Similarly, no agreement between the consumer and an institution may impose greater liability on the consumer for an unauthorized transfer than the limits provided in Regulation E.”

Chi Chi Wu, a banking regulation expert with the National Consumer Law Center, said consumers victimized by theft of credentials from a third-party site would enjoy the same protections as a consumer who divulged their passwords to a hacker.

“The same principles apply,” she said.

Of course writing a PIN code — or falling for a phishing email — is not a direct parallel to intentionally sharing login credentials with a third-party site. Until there is a high-profile test case, it’s hard to say what might happen. For any consumer hit by such a crime, there’s certain to be a big hassle, even if a bank ultimately refunds their money – out of a legal obligation, or free will.

The bottom line for consumers: You don’t want to be that test case. Be extremely judicious when handing out your banking credentials. If you do, be vigilant about what happens inside your bank account. Roughly speaking, you only have two days from the time a fraud appears on your regular statement to report it and be protected by the $50 liability limit. Otherwise, the limit is $500. And if you wait 60 days, the limit is … unlimited. So your real worry should be spotting and reporting fraud promptly.

TIME Security

This Tiny Box Is Your Home’s Defense Against Hackers

Meet the Bitdefender BOX

In Batman Begins, there’s a scene where the Dark Knight’s nemesis Scarecrow pours psychoactive drugs into the water supply in order to poison the people of Gotham City. Never in my life have I imagined that I’d ever use a Christian Bale movie as a metaphor for the Internet, but I can’t deny the reality that I’ve recently witnessed firsthand. Never mind super-villains — the web is crawling with real criminals continually pouring nastiness into our system of tubes, and as a result, we’re gulping down data from some seriously tainted pipes.

Recent research from Distil Networks has shown that 60% of the Internet’s traffic consists of bots, not people. Nearly a quarter of those bots are up to some pretty nasty stuff, like stealing passwords and credit card numbers. It’s an epidemic that’s only getting worse the more we rely on cloud computing. According to the report, the biggest culprits behind this — besides the hackers who unleash these bots on the web — are services like Amazon’s cloud services (where many bad bots make their home) and data networks like T-Mobile (which doesn’t do a great job of monitoring its traffic).

But perhaps the biggest problem with these bad bots is that most web users never see them. They open their tap, fill their drinking glasses with dirty data, swallow it down, feel refreshed and think all is well. But using Bitdefender BOX, I was able to put my stream of data under a digital microscope. Within minutes, I couldn’t believe the viruses, malware, and other nastiness that had been flowing my way all along undetected.

Smaller than a hockey puck, Bitdefender BOX is an ethernet-connected security device that plugs in between your high-speed modem and your wireless router (it can also be used as a router itself) that will alert you to every attempted intrusion or bad piece of code that comes in from the Internet. Basically, it’s an intrusion detection system.

“Every major company, every major corporation, has a big giant box like this sitting in their network,” says Rami Essaid, CEO of Distil Networks. “It’s analyzing every packet going in, every packet going out.”

The $199 hub is designed to protect all the devices on a home’s network, whether or not they’re loaded with virus-scanning software. It comes with one free year of service, which runs $99 per year afterwards. For that price, BOX customers get continual background upgrades that protect them from the latest and scariest bugs going. The best part is that users don’t have to update virus profiles or run memory-hogging background software on their PCs. It’s a set-it-and-forget-it solution that aims to block everything from fraud to phishing.

I installed BOX on my home network on a Friday evening. Frankly, I put it off as long as possible because my home has a moderately complex Wi-Fi setup, and I didn’t want to spend a work day unraveling a knot of networking problems. I use two Apple Airport Extremes to stretch both 2.4 GHz and 5 GHz networks across my property. I also have the wireless routers run guest networks, which I have configured only my smart home devices to connect to. The only thing I had to do to make BOX work properly for my setup was toggle my primary Airport Extreme into Bridge Mode. Upon doing that, BOX was able to do its thing, and all my devices, from iPhones to lightbulbs, to computers, functioned perfectly, as if BOX wasn’t even there. (Well, sort of. It turned out that BOX didn’t support my guest networks, so all my smart home gear had to be reconnected to my main network. But I suspect this is a problem few other users would encounter, so I wouldn’t slight Bitdefender for it.)

It took Bitdefender nearly 12 hours to recognize my nearly 30 connected devices, but while it was adding and analyzing them, everything worked fine. In fact, as my wife sat poking on her iPad next to me, my iPhone started to light up with notifications like “Dangerous website blocked,” and “A malware attempt was detected.”

These alerts immediately prompted her to wonder if I could monitor what she was browsing online. Generally, I could not, but if an alert popped on the accompanying BOX iOS app, I could see where the dangerous file originated from. But keep in mind, I told her, on the web, vile files flow in from every direction, not just the pages you surf to.

If I have a complaint about Bitdefender BOX, its iPhone app might be it. Though it’s good and generally responsive, it still needs some work. For instance, you have to rekey your password every day. It’s 2015, people — time to use Touch ID, throw in some 1Password/LastKey integration, and make your app as secure as it should be. Also, once inside the app, new alerts don’t get pushed over into the history after they’re viewed, so unless you’re keeping track, you have no idea how many bugs have floated your way since the last time you’ve opened the app.

But if there was one thing that surprised me about Bitdefender BOX, it’s the device’s “Private Line” feature. Essentially a Virtual Private Network (VPN) for dummies, Private Line lets users set up a tunnel between their mobile devices and BOX with the flip of a switch. In other words, when I’m out on the town using my AT&T mobile data, my web surfing will go from my handset to my home network, through the Bitdefender BOX to ensure I’m protected, and into the web. While using my iPhone 6 in this mode, I didn’t notice any lag, though there was one huge hiccup: I couldn’t send SMS messages (I could send iMessages). A representative from Bitdefender said she thought the problem might stem from AT&T not allowing messaging connections from servers other than its own. Whatever the root cause, I hope it gets resolved, because it was a Private Line deal-killer for me.

After the first week of running BOX, as its new gadget shine wore off and malware notifications piled up, complacency nearly became another deal-killer. BOX was great, but I wondered if it was doing anything more than my browser already could — after all, properly configured, browsers can block threats very well. Despite having more than a dozen smart home products on my network, not one of them got a nibble from a hacker.

“There are a lot of people that use bots to see what’s out there,” says Essaid, specifically calling out Dropcams and baby monitors — both of which I run 24-7. “What you’re going to start seeing is a lot of people probing you because you are connected to the web.”

And that’s what Bitdefender is banking on. The big idea behind BOX is that it can stand guard between the bad guys and your smart home gear, most of which is defenseless. In fact, according to a study by ThroughTek, cybersecurity is the number one concern for buyers of smart home products, with 25% of people concerned about their personal data getting out. Until I had this device, I had no idea if someone was trying to digitally break into my home. I just hoped that they weren’t. But the more attacks I see bouncing off my phones, tablets, and computers, the more I’m convinced Bitdefender has the chops to keep all my Internet-connected gear safe. So in that way, Bitdefender may just be the hero the Internet of Things deserves, just not the one it needs right now.

MONEY Opinion

The US Could Have Blocked the Massive Cyberattack on Federal Employee Data

Chinese hackers are suspected of stealing personal information on 4.1 million workers.

True or False? There was no way the Office of Personnel Management could have prevented hackers from stealing the sensitive personal information of 4.1 million federal employees, past and present.

If you guessed “False,” you’d be wrong. If you guessed “True,” you’d also be wrong.

The correct response is: “Ask a different question.” Serious data breaches keep happening because there is no black-and-white answer to the data breach quagmire. So what should we be doing? That’s the right question, and the answer is decidedly that we should be trying something else.

The parade of data breaches that expose information that should be untouchable continues because we’re not asking the right questions. It persists because the underlying conditions that make breaches not only possible, but inevitable, haven’t changed—and yet we somehow magically think that everything will be all right. And of course we keep getting compromised by a shortlist of usual suspects, and there’s a reason. We’re focused too much on the “who” and not asking simple questions, like, “How can we reliably put sensitive information out of harm’s way while we work on shoring up our cyber defenses?”

According to the New York Times, the problems were so extreme for two systems maintained by the agency that stored the pilfered data that its inspector general recommended, “temporarily shutting them down because the security flaws ‘could potentially have national security implications.’”

Instead, the agency tried to patch together a solution. In a hostile environment where there are known vulnerabilities, allowing remote access to sensitive information is not only irresponsible — regardless of the reason — it’s indefensible. Yet according to the same article in the Times, the Office of Personnel Management not only allowed it, but it did so on a system that didn’t require multifactor authentication. (There are many kinds, but a typical setup uses a one-time security code needed for access, which is texted to an authorized user’s mobile phone.) When asked by the Times why such a system wasn’t in place at the OPM, Donna Seymour, the agency’s chief information officer, replied that adding more complex systems “in the government’s ‘antiquated environment’ was difficult and very time consuming, and that her agency had to perform ‘triage’ to determine how to close the worst vulnerabilities.”

Somehow I doubt knowing that protecting data “wasn’t easy” will make the breach easier to accept for the more than 4 million federal employees whose information is now in harm’s way (or their partners or spouses whose sensitive personal information was collected during security clearance investigations, and may have been exposed as well).

A New Approach

Given the above circumstances, the game changer — at least for the short-term — may be found in game theory. In an “imperfect information game,” players are unaware of the actions chosen by their opponent. They know who the players are, and their possible strategies and actions, but no more than that. When it comes to data security and the way the “game” is set up now, our opponent knows that there are holes in our defenses and that sensitive data is often unencrypted.

Since we can’t resolve vulnerabilities on command, one way to change the “game” would be to remove personal information from systems that don’t require multifactor authentication. Another game changer would be to only store sensitive data in an encrypted, unusable form. According to Politico, the OPM stored Social Security numbers and other sensitive information without encryption.

This fixable problem is not getting the attention it demands, in part because Congress hasn’t decided it’s a priority.

The U.S. is not the only country getting hit hard in the data breach epidemic. The recent attack on the Japanese Pension Service compromised 1.25 million records, and Germany’s Bundestag was recently hacked (though the motivation there appeared to be espionage, according to a report in Security Affairs).

According to an IBM X-Force Threat Intelligence report earlier this year, cyberattacks caused the leak of more than a billion records in 2014. The average cost for each record compromised in 2014 was $145, and has increased to $195, according to Experian. The average cost to a breached organization was $3.5 million in 2014, but is now up to $3.8 million. More than 2.3 million people have become victims of medical identity theft, with a half million last year alone. Last year, $5.8 billion was stolen from the IRS and the Treasury Inspector General for Tax Administration predicts that number could hit $26 billion by 2017.

If you look at the major hacks in recent history — a list that includes the White House, the U.S. Post Office and the nation’s second largest provider of health insurance — it would seem highly unlikely that a lax attitude is to blame, but that is precisely the problem. A former senior administration adviser on cyber-issues spoke off the record with the New York Times about the OPM hack: “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long.”

During this siege-period, while our defenses are no match for the hackers targeting our information, evasive measures are necessary. I agree with White House Press Secretary Josh Earnest, who said, “We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system.”

But laws take a long time, and we’re in a cyber emergency. The question we need to ask today is whether, in the short term, the government can afford not putting our most sensitive information behind a lock that requires two key-holders — the way nukes are deployed — or storing it offline until proper encryption protocols can be put in place.

This story is an Op/Ed contribution to Credit.com and does not necessarily represent the views of the company or its affiliates.

TIME cybersecurity

This Massive Healthcare Company Just Got Hacked

It's the third Blue Cross and Blue Shield insurer targeted in recent years

Hackers have targeted yet another healthcare company.

CareFirst Blue Cross and Blue Shield, a healthcare insurer that provides service for residents in Maryland, Washington and parts of Virginia, said Wednesday that it’s suffered a cyberattack compromising the records of 1.1 million customers. Modern Healthcare reported Wednesday that hackers compromised a company database last year and could have accessed member usernames, names, birth dates, e-mail addresses and identification numbers.

Social security numbers, financial records, passwords and credit card numbers were reportedly not accessed, CareFirst said in a statement.

The security firm Mandiant discovered the attack occurred in June of last year and was hired to examine the company after hackers targeted other healthcare insurers in recent days, including Premera Blue Cross and Anthem. According to the article, “CareFirst is the third Blue Cross and Blue Shield insurer to acknowledge a cyberattack this year, following record-breaking hacks at Premera and Anthem, which affected 11 million people and 80 million people, respectively.”

“We deeply regret the concern this attack may cause,” said CareFirst CEO Chet Burrell in a statement. “We are making sure those affected understand the extent of the attack—and what information was and was not affected.”

TIME Aviation

Feds Probe Security Expert Who Claims to Have Hacked Numerous Flights

The suspect says he penetrated up to 20 flights during the past four years

Federal authorities have launched an investigation into the actions of a cyber security consultant who claims to have hacked several commercial flights’ computer systems, even causing one aircraft to bank sideways.

According to an official search warrant application, Chris Roberts told the FBI in April that he compromised commercial flights on 15 to 20 occasions from 2011 to 2014 by hacking the vessels’ in-flight entertainment systems.

During one such incident, Roberts allegedly was able to access a plane’s navigational system and caused the craft to veer sideways briefly mid-flight.

On Sunday, Roberts tweeted that his actions were motivated by his desire to help improve aircraft security, but refrained from commenting further.

In a report published last month, the U.S. Government Accountability Office warned that new aircraft might be susceptible to having their in-flight computer systems penetrated via onboard wi-fi networks.

TIME Innovation

What’s Behind the Russia-China Cyber Deal

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

These are today's best ideas

1. Should we be worried about the new Internet security pact between China and Russia?

By Cyrus Farivar in Ars Technica

2. Here’s a roadmap for building an innovation ecosystem in Africa.

By Jean Claude Bastos de Morais in IT News Africa

3. What if junk food actually kills off the bacteria that keeps us healthy?

By Luke Heighton in the Telegraph

4. We’re about to lose the best way to measure how well we educate poor kids.

By Jill Barshay in the Hechinger Report

5. Want to end the War on Drugs? Don’t talk to Washington. Lobby your local police department.

By Ben Collins in the Daily Beast

TIME Security

Has Your Browser Been Hijacked by Fraudsters?

It's not unlikely, according to a sobering new study

Illicit “ad injectors” are infecting a not-insignificant proportion of Web browsers, according to a study by Google and the University of California.

The pieces of software replace the ads you’re supposed to be seeing with different, unapproved ones, hurting not only Internet surfers, but advertisers like Amazon and Wal-Mart (and many others), as well as publishers who lose revenues, the study authors said.

Ad injectors make their way into browsers through software downloads and browser extensions. Many users might not even know their browsers are afflicted with them. Google says it has identified more than 50,000 browser extensions and 34,000 software applications that send the fraudulent ads to browsers, pushing aside the ads that were supposed to show up.

Most alarmingly, about a third of the injectors are equipped to steal account credentials and hijack Web searches, returning results meant to benefit the fraudsters. More than 1,000 networks distribute the injectors, Google said, with many of them pushed by “affiliates” who get paid some pittance whenever somebody clicks on one of the ads.

The ads come from so-called “injection libraries,” often via legitimate ad networks. Advertisers big and small end up paying for injected ads they have no knowledge of.

Sometimes, the ads appear even on Web pages, such as Wikipedia, that don’t normally feature advertisements.

Google says that so far in 2015, it has received more than 100,000 complaints about injectors in its Chrome browser. The study indicates that all the major browsers are vulnerable.

And you’re not safe if you’re on a Mac. According to the study, 5.1% of all pageviews involving injected ads came from a computer running Windows. Macs accounted for 3.4%.

Fixing the problem isn’t easy. Google says it is stepping up its monitoring of extensions for Chrome to ensure that they don’t run afoul of policy. Other browser makers do the same. But with so many extensions out there, much of the responsibility falls on users themselves to be hyper-vigilant when downloading software.

TIME Security

This Tech Keeps You Safe From Hackers

Encryption is the one thing standing between hackers and your data

From Edward Snowden to Anthem Healthcare, data security has been a hot-button topic the past couple of years. But between politics and personal data, one thing tying these two massive breaches together is encryption — or lack thereof.

Encryption is effectively scrambling up information and making it only decipherable with a key. This information could be a message, as it was in World War II with the Nazis using the Enigma Machine to mix up their communications, or it could be a computer file, as it should be with personal documents emailed to you by your accountant, for instance. An overly simple example of encryption, says Trent Telford, CEO of enterprise encryption provider Covata, would be a word search game.

“To look at it visually, you would just see a big block of 1,000 letters that meant nothing,” Telford says. “But when you decipher it you can see that there are words hidden in there.”

Take that analogy a step further by looking at an encrypted Word document loaded with personal information. Using complex algorithms, this multi-page file with your social security number, your address, and other data is encrypted, and as a part of that process an encryption key is generated. This key is the password required to unlock the algorithm and de-scramble the information within the computer file.

The key and the file should be kept separate from each other to ensure the data’s safety. For example, if someone breaks into your computer and copies that file, it would be useless without the key — all they would see is nonsensical characters, not the personal data that actually exists there.

So, if encrypting files is as easy as that sounds, why isn’t it done all the time?

“Organizations are either lazy or don’t want to effect change in their business,” says Telford. For instance, imagine a company has millions of files all over the place that are used either by people, computer systems, or applications. These files are useless when they’re encrypted, so the company has to find a way to work with the data while allowing automated business processes to keep workflows moving.

“You would need to enable those systems to have the power within that application to decrypt, use the information, and then let that file stay encrypted,” he says. “Organizations now need to put the projects in place and the priorities in place to do this.”

Recent hacks like the ones at Anthem, Home Depot, and Target have shown how companies sometimes leave data unencrypted. And, Telford points out, the government data that Edward Snowden snagged wasn’t scrambled up either.

End-to-end encryption is a term that consumers have become more familiar with, especially as they’ve done more banking online. The idea that their data could be intercepted as it criss-crosses the Internet is terrifying, but Telford says data is more at risk when it sits on companies’ servers.

“It’s pretty rare that someone steals information in the transport layer, in the tunnel, moving it from A to B,” he says. “It’s when it’s sitting in the clear at either end that it tends to get compromised or stolen.”

The reason for this is that data is fundamentally stored in two ways. The first is on big file server networks, which are essentially enormous hard drives full of all kinds of data that can be encrypted. The second way is in databases, which in most cases can’t be encrypted. Databases are built to have queries run against them so the systems can go and pick out what information they want, quickly. Moving from a database architecture to a server setup is costly and time consuming, which is why companies haven’t been doing it.

But consumers can protect their own computers very easily by encrypting their data too. Windows users can use the BitLocker application to encrypt their drives, while Apple offers a program called FileVault2 to do the same thing on Macs. Still, with the Internet of Things promising to bring us lots more web-connected devices, this is only the beginning for encryption technologies. With millions if not billions more computing devices coming online — only some of which are encrypting their communications — a lot more data is in danger of being exposed. “There’s a whole other vector of attacks from a privacy perspective,” says Telford.

TIME How-To

How to Avoid Getting Hacked Next Time You Leave Home

The world is a dangerous place — especially if you’re not careful with your gadgets

How times have changed. It used to be that when you packed for a trip, you wanted to be sure not to forget vitals like your toothpaste, swimsuit, or even travelers’ checks. But if forgotten, those things can be replaced on the road.

Instead, these days, we obsess about packing our smartphones, tablets, and even laptops. However, bringing tech on a trip can expose your entire life to hackers and cyber-crooks. So before you book your next vacation, consider these six tips on how to stay cyber-safe while traveling:

1. Don’t check your device: Make sure you keep your smartphone, tablet, or computer with you, rather than placing it in your checked luggage. “There’s a number of things that could happen to it — getting damaged or stolen — once it’s out of your sight,” says Stacey Vogler, managing director for Protect Your Bubble, a company that provides insurance for everything from cell phones to identity theft. In addition, RFID-blocking products like those made by Silent Pocket can protect everything from your tablet to your passport from digital snoops using over-the-air technology to get at your data.

2. Keep it encased: While keeping your smartphone in a case is great advice for everyday life, it’s especially appropriate when you’re traveling. Firstly, when you’re moving around the world and out of your comfort zone, your phone is especially susceptible to being dropped. Also, thieves eye well-heeled tourists with high-priced handsets who may not know where to turn if their phone gets lifted. Cases can help camouflage your top-of-the-line model. And finally, you’re more likely to use GPS and other memory-intensive features when you’re out and about, so a battery case is especially helpful on the road.

Incipio makes a line of rugged, battery-boosting cases for a wide range of smartphones that make for great travel partners. Also, if you’re going someplace warm and watery, get a protector that can shield your device from liquids as well as drops. According to data from Protect Your Bubble, water damage claims rise in the summer months.

3. Watch your Wi-Fi: It’s tempting to tap into local wireless networks to cut back on data charges when you’re traveling, especially when you’re abroad. “Be careful which Wi-Fi network that you access,” says Vogler. “Make sure that it’s a secure one, and one that you’ve been given a password for.” If the network you’re connecting to doesn’t require a password, anyone could be on it, and have access to the information you’re sending or receiving. So the rule of thumb is if it doesn’t ask for a password, it’s not secure.

This primer on using public Wi-Fi from Internet security company Kaspersky Labs can help you protect your phone or tablet if you must use these networks, but the safest bet is to get your access from a trusted, secure source, like your hotel.

4. Password protect your device: Sure, it might be a pain, but password protecting your phone, tablet, and PC is a goal-line defense for keeping cyber-thieves from your personal information. If you think about it, while your phone or tablet may fetch a crook hundreds of dollars, your identity can be worth thousands more. Make sure to enable every safety mechanism available for your device, from iOS’s Find My iPhone to the Android Device Manager used to locate Google-compatible phones. These apps work for tablets as well, so make sure your slate is set up to be detected, too.

5. Bank the old-fashioned way: More than ever, people need access to and information about their money when traveling. That makes tourists and business travelers alike great targets for data theft. The best way not to expose your financial information is to bank the old-fashioned way: use cash if you can, hit a teller for balance inquiries if possible, or call into your institution’s telephone services if you need remote access. Using the app, as secure as banks make it out to be, only makes you a possible target for identity theft.

6. Stay off social media: Everyone loves sharing vacation photos, but consider showing off your sunset selfie after you touch back down in your hometown. That’s because posting your on-location photos tells people that your home is left unattended. You might think your friends would never use that against you, but if your privacy settings are public (or friends of friends) on Facebook, or if you don’t have a locked-down Twitter account, you’re basically telling the world that you’re not home.

TIME Innovation

This Is Why Fingerprints Are Forever

The Aspen Institute is an educational and policy studies organization based in Washington, D.C.

These are today's best ideas

1. You can change your password if someone steals it, but you’re stuck with your fingerprints forever.

By Aarti Shahani at NPR

2. Can teaching kids to be tough make up for income inequality?

By Rachel M. Cohen in the American Prospect

3. You don’t need a nuclear arsenal to feel safe.

By Erlan Idrissov in the Diplomat

4. America’s high school dropouts are quitting school to go to work.

By Molly M. Scott at the Urban Institute

5. Here’s how AI will help your doctor diagnose cancer better.

By Adam Conner-Simons at MIT News
