Shoulder Surfing

Working in public places, such as airports, restaurants and bars, large offices, and spaces dedicated to smart working presents a series of security risks. It requires some measure adoption to prevent data or identity theft, compromise of devices, credentials and more. One of these risks is what is called “shoulder surfing”. It is a social engineering technique used to obtain information such as PIN codes, passwords, and other confidential data by observing the victim over their shoulders.

How does “shoulder surfing” work?

This technique does not require any technical knowledge. The malefactor is simply peering at those who perform certain operations. For example, enters his password, pin in an ATM, code for closing the lock of the gym locker, or the password to access a reserved area by code on a numeric keypad.

It is one of the oldest, but no less effective social engineering techniques. We could mention several examples of attacks that have successfully exploited it. There is an interesting case described in the book “The Art of Deception” by Kevin Mitnick. Kevin is an American programmer, phreaker, cracker and entrepreneur. He distinguished himself for his remarkable skills in social engineering, having performed some of the most daring forays into the computers of the United States government. In the book he tells of his character, Eric, who precisely starting from shoulder surfing techniques, managed to gain access to the network of the DMV (Department of Motor Vehicles) through a series of steps. He used this access for several months to steal data about driving licenses, that he sold obviously making huge profits, and often causing innocent people to get into trouble.

In addition to the classic attack, when someone peeks at your monitor, or keyboard, there is a number of technological evolutions. These involve the use of devices such as microphones, nano-amplifiers, micro-cameras and other objects, which are often available on the internet at very low costs.

How to protect yourself

Now you know how easily even a less experienced social engineer can acquire fundamental information about your security systems. How can we defend ourselves from shoulder surfing? Here are some simple rules:

1. When entering passwords, codes, PINs and others credentials, always protect the keyboard, so it is invisible to people and cameras around you
2. While entering passwords or credentials, never say them out loud
3. If you work in public places, install a protection on your device to obscure the visibility of the display
4. Never write down any password. Reading these notes in public places, for example to insert an access PIN – it increases your attack surface
5. When available, use multi-factor authentication, so that compromising a single factor, such as a PIN, does not automatically compromise your account
6. Always use different passwords and PINs for each service. Criminals often use the compromised credentials of a single account to attempt to access other accounts in your possession. For example, a criminal could see you type in the password to access a web service and attempt to use that same password for your corporate account, or home banking portal
7. Change your credentials frequently

You and your colleagues from non-IT teams can learn more with Sababa Awareness training course.