Long-term Travel Considerations

Mobile voice/data service

Unlocked quad-band GSM phone is best, since this can be used internationally while traveling (other than in Japan and South Korea). Two national GSM carriers in the United States as of 2017 are ATT and T-Mobile. ATT has better coverage outside major metropolitan areas. Also, as of 2015, internet rumor was that ATT offered better protection from fraudulent third-party billing aka "cramming". There are also a number of virtual providers, who lease and resell ATT and T-Mobile service.

As of 2018, I am with ATT for prepaid service. Each February, switch to cheapest per-minute plan and buy $100 credit, which keeps account active while in Europe. Upon returning from Europe at beginning of November, switch to $45/month plan, which provides 6GB data. Total cost about $180/year.

Banks increasingly require SMS two-factor authentication, which will be a problem if using local SIM when traveling, since bank will only have USA phone number on file. So set up Google voice number, and give that to bank as primary mobile phone number for receiving SMS texts.

Internet security

For transactions with financial institutions, computer must be free of keyboard monitors and other malware. Possibly you can trust someone else's computer. If not, bring your own or bring a smartphone with adequate capabilities to substitute for a computer when secure access to internet is needed. (Or use old-fashioned voice telephone instead of internet.)

Even with your own computer or smartphone, remember that eavesdropping on wifi connections is easy. SSL ("https" rather than "http") greatly reduces insecurity of wifi. However, SSL is still vulnerable to man-in-the-middle attacks during connection setup. Banks and other websites protect against such man-in-the-middle attacks by providing feedback during authentication process. Typically, they send a pre-arranged user-specific image after SSL connection has been established but before user enters password info. If image is not what user expects, this implies a man-in-the-middle attack and so user should not enter their password. Google allows for 2-step authentication, in which a text message is sent to user's smartphone, containing a code which user must enter during initial authentication process for a computer. Problem is, loss of smartphone is most likely data breach for someone like me, and 2-step authentication becomes a problem in that situation, which is why I disabled it. In any case, not all websites use feedback or 2-step authentication, and some don't even use SSL.

Using a virtual private network service, with a trustworthy VPN provider, is the best way to protect all connections from eavesdropping. I experimented with StrongVPN (aka ReliableHosting), which cost $55/year back in 2011 for PPTP protocol service. Unfortunately, the servers at StrongVPN only worked for a day or so before refusing to let me log in again (perhaps because they thought I was already logged in), so that I had to switch servers. But I was only allowed 3 switches/month without paying extra. Tech support was via a crummy chat system. I was told to install a remote login program and then give their tech support full administrator access to my computer so they could ensure my settings were right. No thanks. I don't think they were trying to hack my computer. Rather, they just didn't want to provide quality tech support and this was a way to drive off support requests. I didn't renew service when my year was up. (In 2017, someone recommended VPNGate.net as a better VPN, but I haven't tried yet.) An alternative to a VPN is to use EDGE or 3G connections rather than wifi, since eavesdropping over these types of connections is more difficult and less common than eavesdropping on wifi connections.

There has been much progress in recent years in the technology of cracking passwords. In particular, 8 character passwords are no longer reliably secure, and networks of hackers now exist to take immediate advantage of cracked passwords which have been used on multiple sites. It is thus best to create a unique 16 character long randomly generated password for each website for which you have an account. Memorizing such passwords is impossible, so use a password manager, protected by a secure master password, which then becomes the only password you need to remember. I use KeePass (which is free, though I donated to the author) because it is very secure and runs on all systems I am likely to use: Windows, Linux, Android, iOS, MacOS. Master password database is kept on my computer, with copies on smartphone and memory cards in wallet and storage locker. There is little risk in storing copies of master password database in insecure locations (like memory card), since database is protected by secure master password. Big risk is forgetting master password, so be sure to write down master password on scrap of paper and store somewhere secure, like safe deposit box or storage locker.

Email security

I prefer web-based accounts (such as Google gmail or Yahoo mail), so that my mail is automatically synchronized between my laptop and smartphone. Avoid accessing web-based email accounts using shared computers, due to the possibility of keystroke-monitors and other forms of malware. That is, assume anything you type into a shared computer, including all userids and passwords, is being intercepted and read by a hacker somewhere.

Because most websites are set up to readily send password reset information via email, it is critical to securely protect email accounts. Both Google gmail and Yahoo mail allow for persistent login, meaning you are automatically logged in, using "cookies" stored on your local computer or smartphone/tablet, the next time you visit the website. Also, some email apps store logon information so as to log you on to the email account automatically. For email accounts like this, if someone steals your local computer or smartphone/tablet, and that device is not protected by a strong password, then the thief will have ready access to your email account, and thus ready access to password reset emails, and thus ready access to all your internet accounts, including financial websites. So protect your computer and smartphone/tablet with strong passwords that are automatically activated after 5 minutes or so of inactivity.

As noted previously, there is the possibility of eavesdropping when accessing web-based email via unsecured public wifi hotspots. As of 2013, Yahoo email uses SSL for password authorization, and provides image feedback during the authentication process to prevent man-in-the-middle attacks, and there is an option that can be set to force Yahoo to use SSL for uploading and downloading the email itself. This option is a recent addition to Yahoo, finally added after many years of complaining by computer security experts concerning weak Yahoo email security. If this option is not set, or if Yahoo doesn't recognize the option for some reason (not unlikely, based on my experiences with Yahoo), then email will be transmitted in the clear, and thus be open to eavesdropping, especially on insecure wifi connections. Google has long been using SSL for both authorization and data transfer, at least for the standard web-based version, and thus is secure without a VPN. I long ago switched from Yahoo email to Google gmail and have no intention of ever switching back.

Personal domain and website

This is a nice way to have a permanent address in cyberspace. As of 2018, Godaddy.com provides domain name service and email forwarding for $15/year and Amazon Web Services (AWS) provides website hosting for about $1/month.

Backups

Online backup sounds nice, but I don't trust it. Also, motels often have slow wifi connections, which makes online backup difficult, especially for large media files. Thus I rely on a combination of my smartphone and memory cards (as of 2018, 128GB microSD cards) for backing up my laptop computer.

Media files (ebooks, photos, music, video) and this website don't require encryption, so I copy these directly to both smartphone and memory cards. Document files are compressed into zip format twice (initial zip file, then another zip file wrapping initial zip file so as to hide filenames, which would otherwise be visible due to technical limitations of zip file format), with wrapper file encrypted using 256-bit AES encryption method, using same password as for KeePass password manager. These zip files are small (about 20MB), so I keep multiple copies on both smartphone and memory cards (both of which have storage measured in GB). To organize zip files, I use filenames like YYYY_MM_DD.zip (initial zip file) and YYYY_MM_DD.zip.zip (encrypted wrapper zip file).
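The following is an added example, not part of the original page: it builds the two-layer YYYY_MM_DD.zip / YYYY_MM_DD.zip.zip layout and checks what a backup file exposes to someone who does not have the password. The document names and contents are constructed, and the AES encryption of the wrapper is assumed to be done by your zip tool, since Python's standard zipfile module cannot write encrypted archives.

```python
import io
import zipfile
from datetime import date

# Constructed sample documents (names and contents are made up).
DOCS = {"taxes_2017.pdf": b"%PDF-1.4 sample", "bank_statement.txt": b"balance: 100"}

def build_inner(files):
    """First zip: the documents themselves (YYYY_MM_DD.zip)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_wrapper(inner, day):
    """Second zip: one member, the inner zip (YYYY_MM_DD.zip.zip)."""
    inner_name = day.strftime("%Y_%m_%d") + ".zip"
    buf = io.BytesIO()
    # Stored, not deflated: the inner archive is already compressed.
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(inner_name, inner)
    return inner_name + ".zip", buf.getvalue()

def visible_without_password(archive):
    """(member name, encrypted flag) pairs read from the zip directory only."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]

def audit_wrapper(archive, secret_names):
    """Problems found in a wrapper file; an empty list means it matches the scheme."""
    problems = []
    members = visible_without_password(archive)
    if len(members) != 1:
        problems.append("wrapper should hold exactly one member")
    problems += [f"{n}: not encrypted" for n, enc in members if not enc]
    # Raw byte search: an unencrypted stored wrapper still carries the inner names.
    problems += [f"{n}: name readable in raw bytes"
                 for n in secret_names if n.encode() in archive]
    return problems

if __name__ == "__main__":
    inner = build_inner(DOCS)
    name, wrapper = build_wrapper(inner, date(2018, 3, 1))
    print(visible_without_password(inner))
    print(name, visible_without_password(wrapper))
    for p in audit_wrapper(wrapper, DOCS):
        print("PROBLEM:", p)
```

The wrapper built here is deliberately left unencrypted, so the audit reports it. Wrapping alone hides nothing; it is the encryption of the wrapper that conceals the document names, and a wrapper produced with that step should come back with an empty list.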

I keep one pair of memory cards in my storage locker and one pair in my wallet, and swap whenever I visit storage locker. (Like any physical media, memory cards can fail, so backup should always consist of pair of cards with identical contents, rather than single card.) While traveling, new photos and changed document files are backed up to a hidden directory on website (document files stored in encrypted zip format), while website itself backs up changes to website files.

It only takes a few minutes to create a new zip file for my documents and copy to smartphone and memory cards, so I do this daily, assuming any changes. Thus, if laptop fails or is stolen from motel, I lose only one day of modifications to files. If motel burns down and I am unable to rescue either smartphone or wallet containing memory cards (very unlikely), I lose only modifications since I last visited storage locker.

Banking

Cheapest way to get money while traveling is via ATMs. Traveler's checks are obsolete. Credit cards are another possibility but fees are very high (as much as 5% for cash advances, plus interest until the cash advance balance is paid off). In general, I recommend payment in hard cash (paper currency or coins) rather than credit/debit cards while traveling.

Several bank accounts are advisable, in case something goes wrong with the primary account. For example, damaged ATM cards, account drained by thief, account locked because of suspicion of fraud. Some banks charge stiff fees for using ATMs outside their network, especially internationally. Others charge only the 1% Visa/Mastercard foreign exchange fee, plus whatever fee the foreign bank charges for using its ATM (typically about $2). Cards with a Visa logo use the Plus network while cards with the Mastercard logo use the Cirrus network. Most (though not all) ATMs work with both of these networks.

I prefer plain vanilla ATM cards, which require a PIN to withdraw money, versus debit cards, which can be used for point-of-sale transactions without PIN (signature usage). However, some banks no longer issue plain vanilla ATM cards. As of 2018, it is possible to effectively convert some debit cards to plain vanilla ATM cards by setting daily limit for point-of-sale (POS) transactions to zero, while leaving the daily limit for ATM transactions at some larger number. If this is not possible, then be sure to keep only a limited amount of money in those bank accounts which have an associated debit card, to minimize impact of lost/stolen cards which are then used fraudulently.

I do not carry credit cards with me while traveling, and I set point-of-sale limit to zero for debit cards. To make large purchases over internet, such as for airline tickets, I have three options: (a) PayPal; (b) debit card, after raising POS daily limit back to a high value; (c) credit cards, using details (card number, expiration date, security code) carried securely in the password manager app on my smartphone (KeePass2Android).

Buyer protections are much better for credit cards than debit cards or cash, because with a credit card, it is possible to ask the credit card company to put a hold on the transaction until the dispute is resolved. Whereas with a debit card or cash, you will have to fight the merchant directly to get your money back. In practice, this feature of credit cards may be of limited value to long-term travelers, who usually can't wait around for the several months that it typically takes for a credit card dispute to be fully resolved. A better approach is to simply avoid major purchases where there is a possibility of disputes. Purchases I make via credit/debit cards are for airfare, electronics, books and gear, with most of these purchases made over the internet. Disputes over airfare with a major carrier are unlikely, and even less likely is the possibility that the consumer will prevail. Disputes with a small travel agency are another matter—I recommend avoiding these or else paying with hard cash rather than plastic. Purchases for electronics, books and gear are usually for small amounts that I can afford to lose. In practice, I have yet to have problems with dishonest vendors for purchases made over the internet, probably because I carefully evaluate these vendors in advance. Long ago, I dropped a credit card after using it to buy a bus ticket. It was picked up by a thief, who quickly bought several thousand dollars of electronics goods (big-screen television, etc). Because I notified the credit card company within a day of the loss, and because the thief was caught (while buying more electronics), and because I agreed to testify in court if that was ever necessary (it wasn't), the charges were cancelled and I lost nothing. That is the only credit/debit card problem I have ever had.

For travel to countries undergoing financial crisis (such as Ukraine in 2015), it would be advisable to bring along some crisp recently printed $100 bills, which can be easily converted to local currency at a good exchange rate at banks and other reputable exchange offices. Be careful about shady looking characters who congregate in bus stations, offering very attractive sounding exchange rates, as they tend to be sleight-of-hand swindlers.

Hardcopy mailing service

A good mail box service will offer the option of bundling up mail and forwarding on to another destination, for a fee. USPS post office boxes are inferior to private mail box services for many reasons: (a) post office may return mail if not picked up within 30 days, especially if mail overflows the box; (b) can't pay box rent while traveling, such as by automatic deduction from credit card or mailed check; (c) no forwarding service; (d) some mailers require a street address, such as for UPS or Fedex packages. In Reno, I can highly recommend The Postal Depot, which charges $185/year as of 2018 for their basic service, plus forwarding fees if that is required.

Storage locker

Even if you retain your permanent apartment while traveling, a secure storage locker is a good idea for storing enough gear to be able to recover in case the apartment burns or is burglarized. For example, back when I still had an apartment, I stored an old laptop computer and a full set of winter clothes, among other items, in a small locker ($20/month in 2010). I also store either my passport book or passport card in the storage locker, in case I am robbed of identification I am carrying on my person. Rumor has it that some low cost storage lockers in big cities have high rates of insider theft. In Reno, I can highly recommend Interstate U-stor, which charges $79/month as of 2018 for a 5'x10' indoor locker (big enough to easily store my bicycle), with 1 month free for paying a year in advance.

Workshop

If living in motels while not traveling, it is useful to have access to a workshop for messy bike work. I use the public work stations at Reno Bike Project for $4/hour as of 2017.

Taxes

EFTPS automates paying United States estimated income tax. I've been using this for many years. Works very well once you get it set up.

As of 2013, it is possible for a criminal to file a false tax return for someone else, giving false information so as to create the illusion of a big refund, and direct this refund to the criminal's bank account. Once the problem is detected, the IRS will allow the victim to refile. However, if the victim was due a refund, then the IRS will not give that refund until it collects the refund it previously sent to the criminal, which may take years. This argues for being careful not to overpay taxes, so as to ensure you won't be due a refund. There are many flaws with the IRS procedures, but the most gaping hole is that the IRS, unlike private companies, does not require the name on the bank account to which refunds are directed be the same as the taxpayer's name.

EFTPS can be combined with the above flaw to drain a bank account, as follows. The criminal creates an EFTPS account using someone else's name and social security number, attaches this EFTPS account to the victim's bank account, uses the account to pay a large amount of estimated tax for the victim, files a tax return for the victim, and then has the tax refund routed to the criminal's bank account. The only way to protect against this sort of fraud would be to ask your bank to disallow ACH (automated clearing house) transactions against your account. However, that would prevent online bill paying and other conveniences (though these conveniences also enable other types of fraud). As noted above in regard to debit card, the simplest way to limit losses to a bank account is to minimize the money stored in the bank account, while keeping the bulk of your money in a separate investment company account. I use Vanguard for my investments.

As of 2013, supposedly you can ask the IRS to be set up with an Identity Protection PIN or IP PIN (file form 14039 or call Identity Protection Specialized Unit at 800-908-4490, extension 245). Each year in mid-December the IRS will send letter 4869CS, containing a unique 6-digit IP PIN for that tax year, which is then used when filing either electronically or by hardcopy mail so as to prove the return is legitimate. The IRS will only send this letter once and will not reissue PINs. I'm not sure what happens if the postal service loses the letter. I'm considering enrolling in this service myself, though I've never been a victim of identity fraud.