Shoulder Surfing

What is a Shoulder Surfing Attack?

A shoulder surfing attack describes a situation where the attacker can physically view the device screen and keypad to obtain personal information. It is one of the few attack methods requiring the attacker to be physically close to the victim to succeed.

While it might be as simple as looking over the victim’s shoulder as the name suggests, some attackers will use binoculars, miniature video cameras, or other optical devices to spy on their victims. The goal is to obtain information such as usernames and passwords, personally identifiable or sensitive information, and credit card numbers.

While most shoulder surfing attacks will occur with malicious intent, some might result from nosy people, where it is more an invasion of privacy.

How a Shoulder Surfing Attack Works

Most shoulder surfing attacks are straightforward: the attacker positions themselves so that they can see the victim’s device screen and, if necessary, the keyboard or keypad. As the victim enters and views information on the device, the attacker records that data.

The attacker most likely records the information just as simply, by writing or typing it down. Still, more sophisticated attacks may use optical devices, so the attacker doesn’t need to be looking over the victim’s shoulder and isn’t as easily detected.

Attacks in which the attacker has installed a reading device to steal information (such as a skimmer on an ATM), or in which the attacker can view your screen and your entries remotely, are not shoulder surfing attacks, since they do not depend on the attacker physically watching you.

Examples of Shoulder Surfing Attacks

Some real-world examples of shoulder surfing include:

  • While you were using an ATM, someone positioned themselves so that they could watch you enter your PIN. In a rush, you leave the ATM with your card and money without making sure the session was fully ended. If the ATM doesn’t require the card to remain inserted for the entire session, and you don’t answer the prompt asking whether you have any other transactions to make, the attacker can continue the session with the PIN they observed.
  • Crowded public transit makes it easy for attackers to see other people’s screens or overhear their conversations. In these cases, they’re literally looking over the victim’s shoulder.
  • The victim accidentally leaves their device unattended in a public place. Having watched the victim enter their password into the computer just moments before, the attacker can unlock the device with that password, putting any sensitive data on the computer at risk.

How to Protect Yourself from Shoulder Surfing Attacks

  • Eliminate passwords: The ONLY way to ensure the prevention of credential-based attacks is through eliminating passwords. Learn more about passwordless authentication today and keep your most critical applications secure.
  • Add a privacy screen to your devices: Using devices with attached privacy screens dramatically lessens the risk of data disclosure. Some glass protector manufacturers have versions with a privacy screen included, which not only protects your phone’s glass but the information on your phone, too.
  • Always be aware of your surroundings: In public places, don’t let your guard down. Attackers gravitate to those that they see as the easiest. If you’re distracted, you may not notice someone is watching you and what you’re entering into the device or the ATM.
  • Use biometric authentication instead: Biometric authentication, using your fingerprint or face, can offer protection that a PIN cannot. Since there is no PIN to observe, watching you unlock the device gives the attacker nothing to reuse. Keep the fallback PIN or password protected too, since most devices still accept it.

With digital attacks so much more common, shoulder surfing and similar attacks might not be the first thing you consider when thinking about digital security. But it does happen, and staying aware of your surroundings and who’s watching is key to stopping it.