What is shoulder surfing?
When most people imagine a hacker, they are likely to think of a cybercriminal sitting in a basement remotely accessing business systems to gain access to confidential data. However, much cybercriminal activity starts with something as innocuous as glancing over someone’s shoulder. While it may seem harmless, shoulder surfing is more common than people think. That is why it is crucial to understand what shoulder surfing is, how shoulder surfers steal information, examples of shoulder surfing and, more importantly, what steps you can take to prevent it.
What is shoulder surfing?
So what is shoulder surfing? Shoulder surfing is a technique for capturing personal data and information. It aims to obtain personal data such as personal identification numbers (PINs), passwords and other sensitive data by clandestinely observing a victim, typically over their shoulder, either to watch the keystrokes on a device or to eavesdrop when the victim relays sensitive information aloud.
Shoulder surfing is an effective technique to obtain someone’s personal information when standing in a crowded space, such as when the victim is entering a PIN at the cash machine/ATM, filling out a form, or paying with a credit card.
Some may view shoulder surfing as an alternative form of hacking, since it allows shoulder surfers to obtain unauthorised access to the victim’s data. However, not everyone shares this view and, consequently, not everyone treats shoulder surfing as seriously as a full-scale attack in which a cybercriminal remotely forces their way into your business systems.
Examples of shoulder surfing
Shoulder surfing can happen anywhere, and shoulder surfers can strike in several ways. ATMs and kiosks are the most common locations where potential victims may be at risk. However, shoulder surfing can also occur when you enter personal data on your tablet or smartphone in a coffee shop, or while finishing that presentation on an airplane or train. Some scenarios where shoulder surfing may occur are:
- Entering your PIN at the cash point or ATM
- Using your credit or debit card to pay for an in-store transaction
- Logging onto a banking application or website, either on the laptop or your mobile device, using your username and password
- Accessing corporate or business systems remotely from a public location
- Providing details verbally either in person, or via the phone
Consequences of shoulder surfing
Many individuals can probably think of occasions when they could have glanced at someone’s screen or eavesdropped on them, had they wanted to. Now, imagine all the opportunities that exist for actors with malicious intent. For businesses, as well as individuals, shoulder surfing could lead to the exploitation of employees by holding personal data to ransom.
More directly, shoulder surfing could lead to a severe data breach. The consequences of data breaches cannot be underestimated. According to the Cost of a Data Breach study (conducted on behalf of IBM by the Ponemon Institute), in the UK the average total cost of a data breach is £2.53 million.
Security issues, and more specifically data breaches, have a direct impact on a business, such as fines from industry regulators and loss of market reputation, in addition to further potential implications.
Tips for preventing shoulder surfing
Technology has made shoulder surfing much easier. The abundant availability of digital cameras means shoulder surfers can snoop from a distance. Keeping your employees and corporate information secure by following best practices will help prevent your business from falling victim to shoulder surfers. Here are 8 tips to prevent shoulder surfing:
1. Install a privacy filter
Privacy filters are polarised sheets of plastic that limit screen visibility to those seated directly in front of the screen. Privacy filters are available for desktop and laptop computers as well as mobile devices. A relatively cheap solution, privacy filters ensure that a shoulder surfer viewing from an angle will only see a black screen.
2. Maintain awareness of your surroundings
Find a private spot, away from the public, where you can conduct any business privately. Work with your back against a wall, which will prevent others from looking over your shoulder. Refrain from verbally communicating passwords, PINs or other sensitive personal data over the phone in public.
3. Use a password manager
Password managers and some apps and websites allow you to generate a strong password and store it securely, so you do not have to type it in each time you want to access something. Since you do not have to enter the password, shoulder surfers cannot watch you type it and steal it.
4. Protect PINs
Most financial institutions recommend covering the keypad when you enter a PIN, but only a few people take this advice seriously. Shielding the PIN pad with your non-dominant hand as you enter your PIN is an effective way to prevent shoulder surfing from becoming an issue. If you feel you have been watched while entering your PIN, change it immediately. As part of security best practice, change your PIN regularly throughout the year.
5. Avoid using public networks
Free public Wi-Fi, for instance in coffee shops and hotels, is usually poorly configured and susceptible to cyberattack. Public Wi-Fi is often unencrypted, meaning that once a public Wi-Fi network has been breached, hackers can potentially obtain personal and confidential data such as passwords, bank details and credit card details. If you have no alternative, it is recommended to use a VPN when using public Wi-Fi.
6. Set strong passwords
Use robust and secure passwords: the longer and more varied the password, the harder it is for a shoulder surfer to make out what you have typed. Here are our tips to improve your password security.
7. Use biometric authentication if possible
Most modern phones and mobile devices use either facial recognition or a fingerprint to authenticate the user on the device. Such features avoid the need to enter a PIN or password. Biometric authentication is one of the best ways of preventing shoulder surfing.
8. Use two-factor authentication
Most applications allow you to set up two-step verification. Two-factor authentication (2FA) can protect your information from theft. 2FA works by authenticating a user with two different methods, for example a username and password plus an auto-generated PIN. In the event that a shoulder surfer captures your password and tries to use it, two-step verification can save you from a serious threat.
Related: How multi-factor authentication (MFA) keeps business secure