A shoulder surfing attack occurs when an attacker gains unauthorized access to sensitive information by observing a victim’s device screen or keypad. Unlike many cyberattacks, this technique requires the attacker to be in close physical proximity to the victim.
While the term implies simply glancing over someone’s shoulder, attackers may use more advanced methods like binoculars or hidden cameras to spy on their targets. The objective is to collect valuable information such as passwords, usernames, credit card details, and other personally identifiable information (PII).
Although most shoulder surfing is carried out with malicious intent, it can also be a case of a curious onlooker unintentionally invading someone's privacy.
A shoulder surfing password attack is typically straightforward. The attacker positions themselves where they can see the victim’s device screen, keyboard, or keypad. As the victim types in their sensitive information, the attacker either memorizes or records the data.
Less sophisticated attackers may simply write down the information, while more advanced ones use optical devices such as miniature cameras, which let them record data without being noticed. Attacks that rely on skimming devices or remote access are not considered shoulder surfing, since they don't require the attacker to be present and watching while the victim enters the data.
Here are some other real-world examples of how shoulder surfing is potentially dangerous:
ATM PIN theft: While the victim uses an ATM, an attacker positions themselves nearby to observe the PIN being entered. If the victim walks away in a rush without ending the session or retrieving the card, the attacker can continue the session and make further transactions, and the observed PIN remains useful if the card is later lost or stolen.
Public transportation: Crowded buses and trains offer an ideal setting for shoulder surfers, as attackers can easily glance at nearby device screens or overhear sensitive conversations.
Unattended devices: In cases where the victim leaves their device unattended, an attacker who has already observed the victim entering a password can unlock the device and gain access to sensitive information.
It's not just the contents of a screen that shoulder surfers target. Skilled attackers can watch the victim's finger movements on a keyboard or keypad to recover passwords and PINs, even when the characters are masked on screen.
This type of attack is easy to conceal in crowded places like public transportation, airplanes, or concert venues where people are packed closely together. Picture how easy it is to see what the person next to you is typing, especially if they're wearing headphones and unaware of their surroundings.
The simplicity of this attack is what makes it common. A study conducted in the UK found that 72% of commuters admitted to shoulder surfing, mostly out of boredom; even so, it highlights how easy the practice is to carry out.
In one of the most widely reported incidents of shoulder surfing, UK government minister Johnny Mercer lamented that Downing Street was ignoring other MPs. This only became public after a fellow train passenger took a photo of Mercer's laptop screen.
Here are some practical ways to protect yourself from shoulder surfing while entering or accessing personal data on your devices:
Position yourself with your back against a wall to block others from viewing your screen.
Be mindful of video cameras and people around you.
Consider using a privacy screen filter, which narrows the viewing angle so the display is readable only from directly in front.
Conduct sensitive tasks, like personal banking or business matters, when in a private, secure location.
To reduce the risk of shoulder surfing, consider these strategies:
Move towards passwordless authentication: The most effective way to prevent shoulder surfing of passwords is to stop typing them. Phishing-resistant passwordless methods such as FIDO2 security keys and passkeys authenticate with a private key that never leaves the device, and the user supplies only a local gesture (a touch, a fingerprint, or a short device PIN). Nothing an observer sees is reusable without also possessing the device.
Use privacy screens: Adding privacy screens to your devices significantly reduces the chances of someone viewing your information. These screens limit visibility from side angles, keeping your personal data secure in public spaces.
Stay aware of your surroundings: Always be vigilant in public settings. Attackers often target individuals who appear distracted. Being mindful of who’s around you can help prevent a shoulder surfer attack.
Enable biometric authentication: Opt for biometric unlock, such as fingerprint or facial recognition, rather than typing a PIN. An observer cannot copy your fingerprint or face from across a train carriage. Note that biometric unlock still falls back to a PIN or passcode, and a shoulder-surfed fallback PIN unlocks the device just the same, so choose a long passcode and enter it as rarely as possible in public; the real benefit of biometrics is that the secret is typed far less often.
Avoid working on sensitive tasks in public: Whenever possible, refrain from handling sensitive tasks like accessing bank accounts, reading confidential documents, or shopping online in public spaces. These tasks are best completed in private to minimize the risk of shoulder surfing.
With digital threats dominating today’s cybersecurity landscape, shoulder surfing might not always be top of mind. However, it remains a genuine risk, particularly in public or crowded places. By staying alert and employing preventive measures like privacy screens, passwordless authentication, and biometrics, you can protect your sensitive information from shoulder surfing attacks.