TL;DR
- Most websites and apps now encrypt traffic between you and them by default — so a stranger in the café cannot read your bank password the way they could have done ten years ago.
- The biggest real risks on public Wi-Fi today are fake networks set up to trick you into connecting, and phishing pages served once you're online.
- A VPN helps with some things — mostly privacy from the network operator — but it is not a magic shield. Using a phone's mobile data is often safer and simpler than any VPN on hotel Wi-Fi.
- Before you travel: update everything, turn on 2FA on the accounts you'll need, set a screen lock you actually use, and decide what stays at home.
- At the border, in transit, and in hotels — the threats are mostly physical (theft) and social (shoulder-surfing, scams), not exotic hacking.
What it is
Public Wi-Fi is any wireless network you don't control: café, hotel, airport, airline lounge, conference, shopping centre, public transport. So is the "Free Wi-Fi" you see at petrol stations, train stations, and most public squares in major cities.
For years, the standard advice was never use public Wi-Fi for anything important. The reasoning was that the network operator — or any other person on the same network — could see your traffic. That risk hasn't disappeared, but it has shrunk a lot.
The reason: almost every serious site and app now uses HTTPS. The little padlock in the browser address bar means the conversation between your device and the website is encrypted. Even on a hostile network, a stranger can see that you went to your bank but not what you typed there. Most mobile apps work the same way under the hood.
So what is left to worry about?
What actually goes wrong on public Wi-Fi
Three things, mainly.
1. Fake networks (evil twins). Anyone with €30 of equipment can broadcast a network called "Hotel Lobby Wi-Fi" or "Free Café Wi-Fi" — close enough to the real one that you connect by mistake. Once you've joined, the attacker can serve fake login pages, intercept what's not encrypted, and try to feed your device malicious updates. The simplest defence: confirm the exact network name with the staff before you join, and prefer networks that require a password printed inside the venue.
2. Phishing pages on captive portals. A "captive portal" is the page that pops up asking you to "log in" before you get internet. Some are legitimate (just accept the terms and continue). Some ask for your email address — sold to data brokers. Some ask for credit card details — usually a scam. Some pretend to be a "Microsoft security check" or a "system update" — definitely a scam. Never enter a real password into a captive portal. Never download an "update" it offers you.
3. Devices that talk back. Your phone, laptop, and watch announce themselves to networks they remember ("Are you the Wi-Fi at home?"). A nearby attacker can spoof your home network's name and your device will helpfully connect to it. The fix is small but matters: forget networks you don't need anymore, and don't enable auto-join for any hidden or open network.
Note what's not in this list: somebody on the next table reading your password as you type it. That's an old worry. Today, far more compromise comes from a phishing email you'd have received anywhere than from the network you're on.
What about VPNs?
A VPN (Virtual Private Network) sends your traffic through an encrypted tunnel to a server somewhere else, then out onto the regular internet from there. It is useful for:
- Hiding the fact that you're using specific services from the local network or your ISP — useful in countries that block certain sites, or on a hotel network you don't want logging your traffic by destination.
- Pretending to be in another country for streaming or for accessing services that are region-locked.
- Adding a layer when you're on truly untrusted networks — but most of this protection is already given by HTTPS, which is on by default.
A VPN is not a magic shield. It does not protect you from phishing pages, malware, weak passwords, captive-portal scams, or anyone who already has access to your accounts. The VPN provider sees the same traffic the café would have seen — you have moved the trust, not eliminated it. Pick a VPN with a clear no-logs policy that has been independently audited (Mullvad, Proton VPN, IVPN, and a small number of others are the commonly recommended ones; many of the most-advertised brands have less clean histories). Free VPNs are usually free because you are the product.
For most people on most trips, the simplest and safest answer is: use your phone's mobile data for sensitive things, and only use public Wi-Fi for things that don't matter much.
How to spot a problem
- Captive portal asks for full personal data (name, address, credit card) — almost certainly not legitimate.
- The network asks you to install an app or accept a certificate. A legitimate venue's network never asks you to install something. Decline and leave.
- Your browser warns about an invalid security certificate. Don't click through. Switch networks.
- Browser pop-ups that look like Windows/macOS system warnings. Real system warnings don't appear in browsers.
- The network is open and the venue normally has a passworded one. Confirm with staff before joining.
- Two networks with similar names — "Hotel Marriot," "Marriott_GUEST," one with a typo. Don't guess.
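For readers comfortable with Python, the last two checks in this list can be run over a list of visible networks. This is an added example, not part of the original card; the sample scan, the `check_networks` helper and the 0.5 similarity cut-off are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Assumed cut-off for this sketch; names scoring at or above it are "close enough to confuse".
LOOKALIKE_THRESHOLD = 0.5

def normalise(ssid):
    """Lower-case and drop spaces, underscores and punctuation before comparing."""
    return re.sub(r"[^a-z0-9]", "", ssid.lower())

def similarity(a, b):
    """Return a 0..1 score for how alike two network names look."""
    return SequenceMatcher(None, normalise(a), normalise(b)).ratio()

def check_networks(confirmed_ssid, confirmed_secured, visible):
    """Compare each visible (ssid, secured) pair with the name staff confirmed."""
    report = []
    for ssid, secured in visible:
        if ssid == confirmed_ssid:
            if confirmed_secured and not secured:
                verdict = "open twin of a passworded network"
            else:
                # Same name and same lock state: consistent, but not proof.
                verdict = "matches what staff confirmed"
        elif similarity(ssid, confirmed_ssid) >= LOOKALIKE_THRESHOLD:
            verdict = "lookalike name"
        else:
            verdict = "unrelated"
        report.append((ssid, secured, verdict))
    return report

# Constructed sample scan: (network name, requires password?)
SAMPLE_SCAN = [
    ("Marriott_GUEST", True),
    ("Marriott_GUEST", False),
    ("Marriot_GUEST", True),
    ("Hotel Marriot", False),
    ("CoffeeCorner", True),
]

if __name__ == "__main__":
    for ssid, secured, verdict in check_networks("Marriott_GUEST", True, SAMPLE_SCAN):
        lock = "password" if secured else "open"
        print(f"{ssid:<16} {lock:<9} {verdict}")
```

Any verdict other than "matches what staff confirmed" or "unrelated" is a reason to ask staff again before joining.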
Before you travel
Twenty minutes of prep saves you a week of recovery.
- Update your phone, laptop, and tablet operating systems. Update key apps (banking, password manager, email).
- Turn on 2FA on every account you'll need to access on the trip. Add backup codes to your password manager before leaving — being locked out abroad is its own special bad day.
- Make sure your password manager works offline — open it once at home with no network, confirm it shows the vault.
- Set a strong screen lock on your phone — six-digit PIN at minimum, biometric on, auto-lock under one minute.
- Enable Find My Device / Find My iPhone, including remote wipe.
- Turn off auto-join for unknown networks. Forget old networks you no longer trust.
- Carry a charged power bank. A dying phone in a foreign country is a real safety issue, not just inconvenience.
- Decide what stays at home. A retired laptop is safer than your main one. An empty travel email account is safer than your everyday one. Less data at the border equals less risk.
At the border
Border officers in many countries are legally allowed to inspect your devices. The rules vary widely — what's acceptable in one country may not be in another.
- Don't lie about device contents. That's a separate criminal matter on top of anything else.
- Have a strong PIN, not just a fingerprint or face. Many jurisdictions can legally compel biometrics but not memorised codes — but this is country-specific and changing; consult a lawyer for your situation if it matters.
- Travel with a clean device if you cross borders where the risk of device search is high. Cleanliness here means: minimal data, no sensitive client information, no journalist sources, etc.
- Power off devices before going through customs — they're harder to compel to unlock from a cold-boot state on many platforms.
In the hotel
- Don't use the "business centre" PC for anything that requires a password. Keyloggers are common.
- Don't print boarding passes or sensitive PDFs from the hotel printer if it has a hard drive. If you must, delete the print job afterwards.
- Don't trust USB charging stations in public spaces — "juice jacking" is real but rare. A USB cable with only the power lines connected, or a wall charger of your own, is the simple fix.
- Watch what's around you. Hotel rooms in some countries have been used for organised burglary — the door is more important than the Wi-Fi.
What NOT to do
- Don't log in to your bank from a hotel business PC. Ever.
- Don't connect to an open network with no captive portal verification in a venue that normally requires a password.
- Don't post your real-time location ("just landed in Bali!") publicly while you're away from an empty home.
- Don't share photos of your boarding pass — the barcode contains booking details that can be used to change or cancel your flight.
- Don't use public Wi-Fi for the first login on a new device — that first login is one of the moments where switching to mobile data is most worth it.
- Don't dismiss "the boring stuff" — a strong screen lock, current OS updates, and 2FA on email are worth more than any specialist travel gear.
Use AI to help you
Quick travel-prep checklist:
"I am travelling to [country] for [length and reason]. I will carry [list devices]. I will need to access [list — email, bank, work, social, etc.]. Please give me a security-prep checklist tailored to that trip, in plain language, covering before departure, at the border, and during the stay. Note any country-specific concerns to verify with current sources."
Wi-Fi spot-check:
"I am about to connect to a public Wi-Fi network. The venue name is [name], the network name shown is [SSID], and the captive portal asks for [describe what it asks]. Should I be cautious? Are any of these signs suspicious?"
A reminder: AI does not know the current political or legal situation at any specific border. For any country with active conflict or unusual device-search practices, verify with your country's foreign ministry travel advisory before you leave.
Who to call
Find the latest contacts for your country with AI:
"I'm a citizen of [your home country] travelling to [destination country] for [length of trip]. List the official sources I should check before and during the trip — my home country's foreign ministry travel advisory page for the destination (focus on digital-security and border-search guidance), my embassy or consulate contact details in the destination country, the destination country's official tourist-emergency line, the destination's official cybersecurity centre's travel guidance if any, and my home country's national cybercrime reporting body in case something happens while I'm away. For each, give the official URL and phone number. Cite each source. Flag anything that might be outdated, and note any current border-search practices or restrictions on encryption or VPN use I should know about for that destination."
- Your bank, immediately, if you suspect your card details may have been captured at a captive portal or skimmed at an ATM abroad.
- Your phone carrier, to enable international roaming and set an account PIN, so a SIM swap is harder while you're away.
- Your country's consulate or embassy in the destination country — note the address and phone before you leave.
- Your travel insurance, who often have 24/7 helplines and increasingly cover cyber incidents.
When to escalate beyond chat
- A device is lost or stolen abroad — wipe it remotely if you can; report to local police and your hotel for the insurance paperwork; change passwords on the affected accounts from a known-safe device.
- You suspect your laptop was tampered with in a hotel room — power it on at home and run an antivirus scan; consider a clean reinstall if anything sensitive is on it; for journalists or those handling especially sensitive data, treat the device as compromised and replace it.
- A captive portal took your card details and you're seeing strange transactions — bank's fraud line, today; freeze the card; dispute the charges in writing.
- You're being followed or threatened in person — the digital advice in this card no longer matters. Local emergency services and your embassy take priority.
Related topics
- Passwords & Two-Factor — what you should have in place before you leave.
- "I've Been Hacked" — the recovery flow if something went wrong while you were away.
- Phishing & Scam Emails — captive-portal scams are phishing in a new dress.
- Smart-Home & IoT Security — your home network deserves the same care as the hotel one.