Travel Security Checklist: A Practical 2026 Guide

I travel a lot, and like most people in security I have spent more time than I should thinking about how to do it without getting burnt. Most of the popular travel-security advice is either paranoid theatre or generic checklists copied from one another. The actually-useful version is shorter than people expect.

This is the checklist I use. It is calibrated for a typical business or leisure traveller in 2026, with notes at the end for people with a real threat model (executives, security researchers, journalists in hostile jurisdictions). Skip what does not apply. The goal is to spend ten minutes of preparation, not ten hours of cosplay.

The real threat model, honestly

Before the checklist, what is actually at risk:

• Phone or laptop loss. The single most likely incident. A stolen device is a credentials problem, an authenticated-session problem, and a 2FA problem all at once.
• Credit-card skimming. Real and unglamorous. Most often at restaurants, taxis, and unattended ATMs.
• Account-takeover via reused passwords. Triggered by a breach that happened months ago and only becomes a problem when the attacker tries it from a foreign IP and slides past your travel patterns.
• Hotel Wi-Fi and public network risk. Less catastrophic than people think in 2026 (TLS is everywhere) but still real for legacy apps and lazy session handling.
• Border device inspection. Rare for ordinary travellers, real for some passport holders, journalists, and people travelling to specific jurisdictions.
• Old-fashioned pickpocketing. The boring threat that ruins more trips than every cyber category combined.

The checklist below addresses each of these in proportion to the real risk. The paranoia version (Faraday bags, burner phones, decoy wallets) belongs in the high-risk addendum at the end, not in the default flow.

Before you leave

The ten minutes of prep that prevents most incidents.

Devices

• Install updates. One pass on every device you are taking. Operating system, browser, and the apps you actually use on the trip. Most malware exploits are weeks-old patched bugs.
• Enable full-disk encryption. On by default on iOS and modern Android. On macOS, FileVault. On Windows, BitLocker. Verify it is on; do not assume.
• Strong screen lock. 6-digit PIN minimum, biometrics for convenience. Never a 4-digit PIN on a device with sensitive accounts.
• Enable Find My Device / remote wipe. Apple Find My, Google Find My Device, or the OEM equivalent. Test that you can locate your devices from a browser before you leave.
• Back up everything. iCloud, Google One, or an external drive that stays home. Verify the last backup actually completed.

Accounts

• Audit your password manager. If you do not have one, get one. 1Password, Bitwarden, Apple Passwords. Anything you log in to during travel should have a unique password.
• Move 2FA off SMS. SMS codes do not work reliably abroad and are SIM-swappable. Use an authenticator app (Google Authenticator, Authy, 1Password) or hardware keys for high-value accounts.
• Add passkeys. For any account that supports them. Phishing-resistant by design and they survive the device swap better than any other method.
• Tell your bank. Most banks let you set travel notifications in the app. Five minutes of clicking saves you a frozen card on a Tuesday night in Lisbon.
• Set up account alerts. Every account that supports transaction or login alerts should have them on. The point is fast detection, not prevention.

Documents

• Scan everything. Passport, driver's licence, credit cards (front and back), insurance card, itinerary. Store in a secure note in your password manager.
• Share with a trusted person. A spouse, sibling, or assistant who can read them to you over the phone if your wallet is stolen.
• Check passport expiry. Most countries require six months of validity from arrival. Renew if you are close.
• Enroll in STEP (US citizens) or your country's equivalent. The US Department of State's Smart Traveler Enrollment Program gets you on the embassy's contact list in case of a crisis. Free, takes two minutes.

Home

• Do not announce the trip on social media. Post the photos after you are home. Public "on holiday" posts have funded more home break-ins than they have likes.
• Mail hold. If you will be gone more than a week, USPS or your country's equivalent. Mail stacking on a porch is a flashing sign.
• Smart-home audit. Make sure your camera apps and locks are working. A smart light schedule is the modern version of timed lamps.

Wallet

• Bring less. One credit card, one debit card as a backup, the IDs you actually need. Leave loyalty cards, library cards, and unused-bank cards at home.
• RFID sleeve for your passport. Cheap, useful, mostly for chip-card scanning paranoia. A real defence against a small real risk.

While you are travelling

The flight, the hotel, the coffee shop. The risk pattern is different in motion than at home.

Connectivity

• Use cellular wherever possible. An international eSIM or roaming plan beats almost any hotel or airport Wi-Fi. Cellular is encrypted, individually identified, and harder to attack than open Wi-Fi.
• If you must use public Wi-Fi, run a VPN. The 2026 caveat: nearly every meaningful service uses HTTPS, so VPN is less critical than it used to be. It still defends against captive-portal mischief and lets you bypass geofenced services. Pick a reputable provider (Mullvad, IVPN, Proton, NordVPN).
• Turn off auto-connect. Devices should not silently join open networks. Forget rogue "Free Wi-Fi" networks after one-time use.
• Disable Bluetooth and AirDrop unless actively using them. Bluetooth attacks are rarer than they were a decade ago but the surface is still real.

Devices on the move

• Bring your own charger. Carry a power bank. Public USB charging stations can deliver power and data; "juice jacking" is real, just rare. The discipline of always using a wall outlet with your own cable is cheaper than worrying.
• Privacy screen on the laptop. Especially useful on planes and trains. Cheap, effective.
• Hotel safe for the laptop. Hotel-room safes are not actually that secure (a maintenance master code defeats most of them), but they raise the bar enough to deter opportunistic theft.
• Never leave devices in plain sight in a hotel room. Housekeeping is not the threat. Other guests, contractors, and the occasional opportunistic visitor are.

Money

• Tap to pay where possible. Apple Pay, Google Pay, contactless cards. Tokenised, harder to skim than a chip-and-pin, harder still to skim than a swipe.
• Use ATMs inside bank branches. Skimmers are most often found on standalone outdoor ATMs. Shield the keypad when you type your PIN.
• Limit cash. The exact amount depends on the destination, but pickpocket-and-grab loss is a lot less painful when the wallet has $80 instead of $800.
• Watch the card. In restaurants in many countries, the server brings the terminal to the table. If they have to take it away, the risk goes up.

Physical awareness

• Crowded transit is the highest-risk environment. Subway platforms, tourist queues, airport security lines. Front-pocket your phone, hand on your bag, eyes up.
• Hotel-room door alarm. A 10-dollar wedge alarm catches the once-a-decade incident where someone opens your door at 3am. Worth it for the sleep.
• The shoulder-surfing window. Be conscious of when your phone screen is visible. Most modern phones now have anti-prying modes that dim aggressively at off-angle, but a privacy screen is the belt-and-braces option.

Messaging

• Default to Signal. End-to-end encrypted, free, works everywhere with internet. Use it for any messages you would not want a hotel network operator to read.
• Be skeptical of urgent emails. Phishing campaigns specifically target travellers ("your flight has been changed", "action required on your booking"). Open the airline app directly; do not click the link.

After you return

The forgotten lane. Most travel breaches show up in the week after the trip, not during it.

• Change any passwords you typed on a non-trusted device. Hotel business centres, friends' laptops, kiosks. If you used it, rotate the password.
• Review credit-card and bank statements. Small "test" charges of a few dollars are the early signature of a stolen card number. Catch them in the first week.
• Forget travel Wi-Fi networks. Settings → Wi-Fi → forget. Your phone should not be hunting for that Heathrow Wi-Fi five trips from now.
• Update your devices again. Anything you deferred during the trip.
• Delete trip-specific apps. The local transit app, the museum app, the airline-loyalty app you signed up for once. Less surface, less to leak.
• Run a quick check-in on your accounts. Most major services (Google, Apple, Microsoft, Facebook) have a recent-logins audit. Five minutes spotting anomalies is worth the time.

High-risk traveller addendum

If you are a corporate executive with material non-public information, a security researcher with active disclosures, a journalist in a hostile jurisdiction, or anyone whose threat model includes a state actor, the default checklist is not enough. Some of what to add:

• Burner devices. A travel-only phone and laptop wiped after each trip. Never use your primary device for the trip itself.
• Pre-trip and post-trip OPSEC review. What can be on the device? What accounts can it be logged into? Anything you would not want examined at a border crossing should not travel.
• Know the local laws. Encryption-import restrictions, mandatory disclosure laws, device-search authority. Some jurisdictions can lawfully compel a passcode at the border.
• Hardware security key as your second factor. YubiKey or equivalent, on your person, not in luggage.
• Travel insurance with cyber coverage. A handful of policies now cover incident response and identity-theft remediation. Worth the line item if your role makes you a target.
• Pre-arranged escalation. A specific person to call if something goes wrong, with the authority to start incident response on your behalf.

The quick cheat sheet

If you remember nothing else from this post:

1. Update every device. Encrypt every device. Enable remote wipe.
2. Move 2FA off SMS. Add passkeys where you can.
3. One credit card, one backup, leave the rest at home.
4. Tell your bank you are leaving. Set alerts.
5. Default to cellular over Wi-Fi.
6. Bring your own charger and a portable battery.
7. Do not announce the trip on social media.
8. Forget the networks and rotate the passwords after you return.

That is 80% of the defence for the price of ten minutes of preparation. The rest is situational awareness, which no checklist can substitute for.

Adjacent reading on guptadeepak.com

For the underlying account-security primitives: authentication vs authorization and the passwordless authentication checklist. For the broader personal-security view: cybersecurity resources map. For the everyday digital tools: free tools and checklists.

FAQ

Do I really need a VPN for travel in 2026?

Not really. With HTTPS on nearly every meaningful service, a VPN's value is now mostly for captive-portal mischief, geofence bypass, and DNS protection. Useful, not critical. If you are choosing one tool to add, make it a password manager, not a VPN.

Should I bring a burner phone?

Only if your role justifies it (executive with material non-public info, security researcher, journalist in a hostile country). For ordinary travel, a well-configured primary phone with up-to-date software, full-disk encryption, and Find My enabled is enough.

What's the single highest-impact thing I can do before a trip?

Move every account off SMS-based 2FA. SMS is the most travel-broken second factor (does not work reliably abroad, vulnerable to SIM swaps, intercepted in transit). Switch to authenticator apps or hardware keys.

Are hotel safes worth using?

Yes, with one caveat. They are not unbreakable (most have a maintenance code), but they raise the bar enough to deter opportunistic theft. Combine with not announcing high-value items inside.

What about juice jacking at airports?

Real but rare. The cleanest defence is to always travel with your own charger and a portable battery, and use wall outlets. The FBI has issued advisories about public USB charging ports; the cost of skipping them is essentially zero.

How do I handle device search at international borders?

Know your destination's laws before you go. Some countries can lawfully compel passcode disclosure. The defensive moves: travel with as little sensitive data on the device as possible, log out of accounts you do not need, and consider a clean device for trips to jurisdictions where border searches are routine.