When we think of cyber criminals, we usually imagine tech-savvy nerds who program malware or who otherwise gain unauthorized access to remote computer systems in order to steal sensitive data. However, there is often a much easier way to obtain personal data and passwords. Shoulder surfing is a simple method for spying on unsuspecting victims to collect personal data, such as passwords, PINs, and other login information. In the following, we will explain what shoulder surfing is and how to protect yourself from this form of spying in public.

What is shoulder surfing?

Shoulder surfing is a way for thieves to steal personal data by watching their victims use electronic devices, such as ATMs, payment terminals at checkout, and even laptops or smartphones. Criminals will literally look “over their victim’s shoulder” during these activities.

Stealing data in public is easy once you look at how people actually use their devices. We regularly use smartphones, tablets, and laptops in public. When we do, we type passwords, PINs, user names, and other personal data into our devices without exercising extra caution. Crowded public spaces, however, make it easy to be observed without noticing. For example, while working on your laptop in a busy cafe at lunchtime, you may not even notice that the person sitting at the table behind you has a clear view of your screen. In that case, you would not realize that they were watching closely as you entered the passwords for your online accounts.

Shoulder surfers can easily access data protected by a shield of public anonymity. For example, if you enter your credit card information in an online shop, a criminal may be able to see the numbers directly or work them out by watching the movements of your fingers.

Types and characteristics of shoulder surfing

Shoulder surfing is a type of social engineering that is aimed at obtaining personal information through interpersonal contact. There are two types of shoulder surfing.

The first type of attack is when direct observation is used to obtain access to data. This is when a person looks directly over the victim’s shoulder to observe when they are entering data, such as their PIN at a checkout terminal.

In the second type, the victim’s actions are first recorded on video. Criminals can then analyze these videos in detail later on and obtain the desired information. Nowadays, it is possible to use video recordings to determine the PIN for unlocking mobile devices even if the display cannot be seen in the video. The movements of a user’s fingers are enough to determine the access code.

Note

Looking over people’s shoulders to steal data isn’t a new occurrence in the age of internet and smartphones. As early as the 1980s, criminals were spying on people using payphone calling cards to obtain the numbers from the cards to make long-distance calls at the expense of the victims or to resell the cards below market value.

What are the possible consequences of shoulder surfing?

As soon as a thief gets hold of their victim’s personal information, there is a risk of fraud. The thief may make purchases, withdraw money, or perform other transactions pretending to be the victim. In the US, identity theft and fraud are punishable offenses carrying a prison sentence of up to 15 years.

In addition to inflicting damage on private individuals, shoulder surfing can also cause serious harm to companies. Anyone who works in public and naively enters their login information for tools, server logins or email accounts is opening the door to criminals and jeopardizing the data privacy of customers, colleagues, and employees.

Countermeasures you can take against shoulder surfing

As a matter of principle, you should be extra careful when conducting any private or business-related digital activities in public. You can significantly increase the security of your data by heeding a few important tips.

Protecting yourself from shoulder surfing: tips for PIN entry

Below you will find some of the measures that have proven to be particularly effective in the past for PIN entry when paying with debit or credit cards.

Tip 1: It is generally recommended to cover the input device with your other hand when entering your PIN.

Tip 2: At ATMs, you should check for poorly mounted or suspicious-looking parts. For example, a second card reader may be fitted over the real card reader to read the magnetic stripe and capture the card data.

Tip 3: Another option is to use contactless payment methods. Since these methods do not require you to enter a PIN, traditional shoulder surfing cannot be used to obtain your sensitive data.

Protecting yourself from shoulder surfing when entering sensitive data in general

If you cannot avoid entering sensitive data on your laptop, tablet or smartphone in public, you should follow the countermeasures listed below:

Tip 1: Before entering any sensitive data, find a secure location. Make sure to sit with your back to a wall. This is the best way to protect yourself from prying eyes.

Tip 2: It is also recommended to use a privacy filter. This is a sheet that is placed over your screen. It will make your screen look black to anyone looking at the screen from an angle. This will make it much more difficult for unauthorized individuals to see your information.

Tip 3: Two-factor authentication requires a user to prove their identity by using two different authentication components that are independent from one another. Since this type of authentication only goes through when both factors are used correctly in conjunction, the security measure is particularly effective. For example, this method is often used in online banking. In this case, identification is usually carried out using a combination of a password (first factor) and a PIN (second factor) which is newly generated for each individual authentication process.
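The following is an added example, not code from the original article, showing why a second factor that is newly generated for each login limits what a shoulder surfer gains. It assumes the "newly generated PIN" is a counter-based one-time code as in HOTP (RFC 4226) and uses the RFC's published test key; the account, password, salt and observed values are constructed for the demo. Once a code has been accepted, the server moves its counter past it, so someone who watched both the password and the code being typed cannot reuse them.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """One-time code for a counter value, per RFC 4226 (HMAC-SHA1 + dynamic truncation)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    )
    return f"{binary % (10 ** digits):0{digits}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the first factor; only this value is stored server-side."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Server-side state for one user: password hash plus the next acceptable OTP counter."""

    def __init__(self, password: str, otp_secret: bytes, salt: bytes, window: int = 3):
        self.salt = salt
        self.password_hash = hash_password(password, salt)
        self.otp_secret = otp_secret
        self.next_counter = 0   # lowest counter value still acceptable
        self.window = window    # counters ahead we tolerate if the token was pressed unused

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.password_hash)

    def check_otp(self, code: str) -> bool:
        """Accept a code at most once: on success the counter moves past it."""
        for c in range(self.next_counter, self.next_counter + self.window):
            if hmac.compare_digest(hotp(self.otp_secret, c), code):
                self.next_counter = c + 1
                return True
        return False

    def login(self, password: str, code: str) -> bool:
        # The code is only consumed when the password is right, so a wrong-password
        # attempt cannot burn the legitimate user's next code.
        if not self.check_password(password):
            return False
        return self.check_otp(code)


def shoulder_surfing_replay_demo() -> dict:
    """Constructed scenario: an observer saw a complete login (password and code) typed in."""
    secret = b"12345678901234567890"        # RFC 4226 test-vector key (demo only)
    account = Account("correct horse", secret, salt=b"demo-salt-not-for-production")
    token_codes = [hotp(secret, c) for c in range(3)]   # what the user's token shows, in order

    observed_password = "correct horse"
    observed_code = token_codes[0]          # "755224": the code the user typed in public
    user_login = account.login(observed_password, observed_code)

    # The observer replays exactly what was seen: the password is right, the code is spent.
    replay = account.login(observed_password, observed_code)

    # The legitimate user's next login still works, because the token has moved on.
    next_login = account.login("correct horse", token_codes[1])
    return {"user": user_login, "replay": replay, "next": next_login}


if __name__ == "__main__":
    print(shoulder_surfing_replay_demo())   # {'user': True, 'replay': False, 'next': True}
```

The password alone is still worth protecting, which is why the other tips matter: with the first factor in hand, an observer only needs the next code rather than both secrets. The acceptance window also shows the trade-off a real system makes between tolerating an out-of-sync token and the number of codes an attacker could try.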

Tip 4: Another solution is to use a password manager. By doing so, you will no longer be entering each password individually on your computer. The password manager will do this for you after you have entered your master password. This prevents unauthorized individuals from using your keyboard input to determine the actual password, provided that you protect your master password properly.
