Working in public places, such as airports, restaurants and bars, large offices, and spaces dedicated to smart working, presents a series of security risks. It requires adopting some measures to prevent data or identity theft, the compromise of devices and credentials, and more. One of these risks is what is called “shoulder surfing”. It is a social engineering technique used to obtain information such as PIN codes, passwords, and other confidential data by observing the victim over their shoulder.
This technique does not require any technical knowledge. The malefactor simply watches people while they perform certain operations: for example, entering a password, typing a PIN at an ATM, dialling the code that closes the lock on a gym locker, or keying the access code for a reserved area into a numeric keypad.
It is one of the oldest, but no less effective, social engineering techniques. We could mention several examples of attacks that have successfully exploited it. There is an interesting case described in the book “The Art of Deception” by Kevin Mitnick. Kevin is an American programmer, phreaker, cracker and entrepreneur. He distinguished himself for his remarkable skills in social engineering, having performed some of the most daring forays into the computers of the United States government. In the book he tells of his character, Eric, who, starting precisely from shoulder surfing techniques, managed to gain access to the network of the DMV (Department of Motor Vehicles) through a series of steps. He used this access for several months to steal data about driving licences, which he sold, obviously making huge profits and often causing innocent people to get into trouble.
In addition to the classic attack, in which someone peeks at your monitor or keyboard, there are a number of technological evolutions. These involve the use of devices such as microphones, nano-amplifiers, micro-cameras and other objects, which are often available on the internet at very low cost.
Now you know how easily even a less experienced social engineer can acquire fundamental information about your security systems. How can we defend ourselves from shoulder surfing? Here are some simple rules:
You and your colleagues from non-IT teams can learn more with Sababa Awareness training course.