What is shoulder surfing?
When we think of cyber criminals, we usually imagine tech-savvy nerds who program malware or who otherwise gain unauthorised access to remote computer systems in order to steal sensitive data. However, there is often a much easier way to obtain personal data and passwords. Shoulder surfing is a simple method for spying on unsuspecting victims to collect personal data, such as passwords, PINs, and other login information. In the following, we will explain what shoulder surfing is and how to protect yourself from this form of spying in public.
What is shoulder surfing?
Shoulder surfing is a way for thieves to steal personal data by watching their victims use electronic devices, such as ATMs, payment terminals at checkout, and even laptops or smartphones. Criminals will literally look “over their victim’s shoulder” during these activities.
Stealing data in public is easy once you consider how people actually use their devices. We regularly use smartphones, tablets, and laptops in public. When we do, we type passwords, PINs, user names, and other personal data into our devices without exercising extra caution. Crowded public spaces, however, make it easier to be observed without one’s knowledge. For example, while working on your laptop in a busy cafe during lunchtime, you may not even notice that the person sitting at the table behind you has a clear view of your screen. In that case, you wouldn’t notice if they observed you closely when you entered your passwords for your online accounts.
Shoulder surfers benefit from the anonymity of public spaces, which shields them from suspicion. For example, if you enter your credit card information in an online shop, a criminal may be able to see the numbers directly or work them out by watching the movements of your fingers.
Types and characteristics of shoulder surfing
Shoulder surfing is a type of social engineering that is aimed at obtaining personal information through interpersonal contact. There are two types of shoulder surfing.
The first type of attack is when direct observation is used to obtain access to data. This is when a person looks directly over the victim’s shoulder to observe when they are entering data, such as their PIN at a checkout terminal.
In the second type, the victim’s actions are first recorded on video. Criminals can then analyse these videos in detail later on and obtain the desired information. Nowadays, it is possible to use video recordings to determine the PIN for unlocking mobile devices even if the display cannot be seen in the video. The movements of a user’s fingers are enough to determine the access code.
Looking over people’s shoulders to steal data isn’t a new occurrence in the age of the internet and smartphones. As early as the 1980s, criminals were spying on people using payphone calling cards to obtain the numbers from the cards to make long-distance calls at the expense of the victims or to resell the cards below market value.
What are the possible consequences of shoulder surfing?
As soon as a thief gets hold of their victim’s personal information, there is a risk of fraud. The thief may make purchases, withdraw money, or perform other transactions pretending to be the victim. In the UK, identity theft and fraud are punishable offences carrying a prison sentence of up to 10 years.
In addition to inflicting damage on private individuals, shoulder surfing can also cause serious harm to companies. Anyone who works in public and naively enters their login information for tools, server logins or email accounts is opening the door to criminals and jeopardising the data privacy of customers, colleagues, and employees.
Countermeasures you can take against shoulder surfing
As a matter of principle, you should be extra careful when conducting any private or business-related digital activities in public. You can significantly increase the security of your data by heeding a few important tips.
Protecting yourself from shoulder surfing: tips for PIN entry
Below you will find some of the measures that have proven to be particularly effective in the past for PIN entry when paying with debit or credit cards.
Tip 1: It is generally recommended to cover the input device with your other hand when entering your PIN.
Tip 2: At ATMs, you should check for poorly mounted or suspicious-looking parts. For example, a second card reader (a skimmer) may be mounted on top of the real card reader to read the magnetic strip and capture the card data.
Tip 3: Another option is to use contactless payment methods. Since these methods do not require you to enter a PIN, traditional shoulder surfing cannot be used to obtain your sensitive data.
Protecting yourself from shoulder surfing when entering sensitive data in general
If you cannot avoid entering sensitive data on your laptop, tablet or smartphone in public, you should follow the countermeasures listed below:
Tip 1: Before entering any sensitive data, find a secure location. Make sure to sit with your back to a wall. This is the best way to protect yourself from prying eyes.
Tip 2: It is also recommended to use a privacy filter. This is a sheet that is placed over your screen. It will make your screen look black to anyone looking at the screen from an angle. This will make it much more difficult for unauthorised individuals to see your information.
Tip 3: Two-factor authentication requires a user to prove their identity using two different authentication components that are independent of one another. Since authentication only succeeds when both factors are presented correctly together, this security measure is particularly effective. For example, this method is often used in online banking. In this case, identification is usually carried out using a combination of a password (first factor) and a PIN (second factor) that is newly generated for each individual authentication process.
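To show why a one-time PIN limits the damage of being observed, here is an added example (not code from the original article or from any banking provider) of counter-based one-time passwords following RFC 4226 (HOTP), together with a small server-side verifier. The verifier class, its look-ahead window and the `replay_demo` walk-through are assumptions for illustration; the shared secret is the published RFC 4226 test-vector secret, not a real credential. The point it demonstrates is that a code someone saw you type is already burned once the server has accepted it, so the second factor cannot be reused by an observer.

```python
import hashlib
import hmac
import struct

# Secret from the RFC 4226 test vectors (Appendix D), used here only so the
# generated codes can be checked against the published values.
RFC4226_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    followed by dynamic truncation and reduction to `digits` decimal digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Hypothetical server-side verifier (assumption for this example).

    It tracks the next counter value it expects and accepts a code only if it
    matches one of the next `window` counters. Every accepted code, and every
    code before it, is then permanently invalid: an observer who copied the
    PIN from your screen or keypad cannot log in with it afterwards."""

    def __init__(self, secret: bytes, window: int = 3) -> None:
        self.secret = secret
        self.window = window
        self.counter = 0  # next counter value the server will accept

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            # constant-time comparison avoids leaking which digits matched
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # resync; burn this and all earlier codes
                return True
        return False


def replay_demo() -> tuple:
    """Constructed walk-through: a legitimate login, then a second attempt with
    the very same code (as an onlooker would have seen it), then the next code.
    Returns (first_login_ok, replay_accepted, next_login_ok)."""
    server = OtpVerifier(RFC4226_TEST_SECRET)
    token = hotp(RFC4226_TEST_SECRET, 0)  # what the user's token generator shows
    first_login_ok = server.verify(token)  # True
    replay_accepted = server.verify(token)  # False: already consumed
    next_login_ok = server.verify(hotp(RFC4226_TEST_SECRET, 1))  # True
    return first_login_ok, replay_accepted, next_login_ok


if __name__ == "__main__":
    for n in range(3):
        print(f"counter {n}: {hotp(RFC4226_TEST_SECRET, n)}")
    print("first login, replay, next login:", replay_demo())
```

The verifier accepts a small window of future counters so that a token pressed a couple of times without logging in does not lock the user out; it never accepts a counter it has already passed, which is the property that makes an observed PIN worthless. Time-based variants (TOTP) achieve the same effect by changing the counter every 30 seconds instead of on every use.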
Tip 4: Another solution is to use a password manager. By doing so, you will no longer be entering each password individually on your computer. The password manager will do this for you after you have entered your master password. This prevents unauthorised individuals from using your keyboard input to determine the actual password, provided that you protect your master password properly.