Social Engineering: What is Shoulder Surfing?
Shoulder surfing is the practice of stealing sensitive information by looking over another person’s shoulder while they are keying that information into the device.
What is Shoulder Surfing?
You’re on a bus, reading the newspaper or something on your screen, when you feel a sensation at the back of your brain. You turn around to see the person behind you quickly retreat. They were looking over your shoulder, or in other words, “shoulder surfing”.
What they were doing was rude, yes, but ultimately not illegal. Now, if you were, say, typing something like a password and they happened to be watching, that’s the first step before identity theft.
As a form of social engineering, shoulder surfing happens when a third party looks over the shoulder of another to see the information they are keying into, say an ATM, laptop, smartphone, etc.
Examples of Shoulder Surfing
Usually, this happens in crowded places. That’s when it’s easy for someone to stand behind another person and take a peek over their shoulder. However, it can also be done from a distance using binoculars.
Let’s go over some hypothetical shoulder surfing scenarios.
You are at the airport, and you’re rushing to check in. But before that, you remember that you need to grab some cash. So, you run to the ATM, enter your PIN, grab your $100 and run to the gate.
As you wait for your plane, you get a notification on your phone. You look at it only to see that someone has withdrawn $500 from your card.
Your mistake: In your rush, you neglected to spot the person standing just a few feet from the ATM. In addition, you also didn’t take the receipt or make sure that the transaction was complete.
This time, you are in a cafe. The only spot to sit you could find was at the bar. You take it and open your laptop to pay some bills. People bump into you, but you pay them no mind as you type your login info for the bank account.
Meanwhile, you order a drink from the bar. As you pay for it, you are momentarily distracted from your laptop to give the money to the bartender. Thinking nothing of it, you turn your attention back to the screen while sipping your beverage.
Your mistake: Again, you didn’t pay attention to your surroundings, and entered your username and password in plain view. Then you got distracted just enough for someone to see your login information on your screen.
You’re on the bus, and your spouse is calling you. They need to pay something with your credit card but can’t remember the PIN, so they’re asking you for it.
Over the phone, you go: “3-5-1-6. Did you get that? Okay, bye babe”.
Yes, they did get that, but so did about a dozen or so strangers on the bus with you. If they were paying attention, they now have your PIN.
Your mistake: Shoulder surfing isn’t just visually looking over someone’s shoulder to see what keys they are entering. It can also be done by listening in situations like these. By declaring your PIN out loud, you have made it publicly known.
Of course, if anyone else calls you or sends an SMS asking you to reveal some sensitive information over the phone, don’t do it. This is called vishing and smishing and both are also types of social engineering.
How to Prevent Shoulder Surfing?
So how do you prevent shoulder surfing? Here are some tips:
- First, always be aware of your surroundings. Whether you’re in an ATM line, cafe, airport, bus, etc. be sure to look around. Even that small act will often discourage the would-be shoulder surfer and make them leave the spot or at least make them more hesitant to peek over you.
- When using the ATM, always shield the keypad as you enter your PIN. Lean over it to cover the view of any potential “onlookers”.
- Again, when using an ATM, make sure to select “Exit” when asked “Would you like to make another transaction?” and take the receipt. Some ATMs don’t require the card to be in the ATM when making an additional transaction, so the shoulder surfer can simply step in behind you and re-enter your PIN to get some cash for themselves.
- If you’re in a public space like a coffee shop, and you need to enter some financial information, do so with your back turned to the wall.
- If you need to share sensitive information over the phone, do so away from curious ears. Better yet, send them the info via a message on the phone.
- Don’t leave your laptop unattended. If you need to quickly leave (for the toilet or to another coworker’s desk, for instance), be sure to lock the screen and close the laptop. Of course, if you’re in a public place, you shouldn’t leave your laptop lying around as someone might snatch it while you are away.
- Use biometric authentication instead of PINs and passwords. Many devices today allow you to log in and access your data using fingerprint or facial recognition. It is something that the shoulder surfer can’t do anything with. 2FA is also a way to prevent anyone but you from accessing your accounts, even with your password.
- Use contactless payment. Again, instead of entering a PIN, use contactless payment apps whenever possible. Remember, the best way to obscure your PIN is not to have to use it at all.
- Obscure passwords when typing them. If you need to enter a password to log in to an account, be sure that the password field returns an asterisk field like “*******”.
- Use a screen protector. Most folks think of screen protectors as something you put on your phone to avoid the screen being scratched. However, some can also be used to obscure whatever is on your screen and protect your information, so they’re very useful to have.
Sometimes, all it takes is not paying enough attention to your surroundings, a moment of distraction, or verbally giving the PIN to someone over the phone.
Shoulder surfing isn’t so much about protecting your data from hackers online, but more about protecting it from those who are physically nearby.
Share This Article
Salman works as an Information security analyst for Mailfence. His areas of interests include cryptography, security architecture and design, access control and operations security. You can follow him on LinkedIn @mohammadsalmannadeem