Shoulder surfing

Shoulder surfing is the act of obtaining sensitive information, such as login credentials, personal identification numbers (PINs), or other confidential data, by directly observing a victim's keystrokes, screen, or keypad entry. The term comes from the image of an attacker standing close enough to watch what the victim is doing, as if looking over their shoulder.

Shoulder surfing is usually classed as a form of social engineering. It requires no technical skill or tooling; it relies on the attacker's proximity or line of sight and on the victim's lack of awareness of who can see their screen or hands.

Despite the name, the attacker does not have to be within arm's reach of the victim. Binoculars, a phone camera aimed across a room, or a small camera fixed above an ATM keypad give the same view from a distance. The attack is common in:

1. Public Spaces: Attackers may engage in shoulder surfing in public places like cafes, airports, or public transport, where individuals use laptops, mobile devices, or ATMs. By discreetly observing the target’s actions, the attacker can capture sensitive information, such as passwords or PINs.

2. Open Workspaces: In office environments with open workspaces, employees may be at risk of shoulder surfing if they handle sensitive information or access restricted systems while others can easily glance at their screens.

3. ATMs and Point-of-Sale (POS) Terminals: Shoulder surfing is a common risk at ATMs and payment terminals. Attackers stand close to the victim, or queue behind them, and watch the PIN being entered. An observed PIN is of little use on its own; in practice it is paired with theft of the card or with a skimmer that copies the card data, and the two together enable fraudulent withdrawals or purchases.

4. Password Entry in Shared Spaces: Typing a password in a public or shared space exposes it in two ways: the keystrokes can be read from the keyboard, and if the input field echoes the characters rather than masking them, the password can be read straight off the screen.

How to prevent shoulder surfing?

To protect against shoulder surfing and enhance cybersecurity, individuals and organizations should adopt the following measures:

1. Be Aware: Stay vigilant when entering sensitive information in public or open environments. Avoid typing passwords or PINs while someone is standing or sitting close enough to see your screen or keyboard, and be wary of anyone lingering behind you at a terminal.

2. Use Privacy Screens: Privacy filters narrow the viewing angle so the display appears dark from the sides, which defeats the person seated next to you on a train or at a cafe table. They do nothing against someone looking straight on from behind you, so they complement awareness and positioning rather than replace them.

3. Shield PIN Entry: Cover the keypad with your free hand or body while entering a PIN at an ATM or POS terminal. This also blocks the view of a camera mounted above the keypad, which is the main reason the advice holds even when nobody is visibly watching.

4. Secure Workspaces: In office settings, position monitors so they face away from walkways, doors, and windows; lock screens when stepping away; and treat shared areas such as reception desks, hot desks, and meeting rooms as public when handling restricted systems.

5. Multifactor Authentication (MFA): Enable MFA wherever possible. A shoulder surfer who captures a password still needs the second factor. Be aware that a one-time code shown on a phone or typed into the same screen can be observed too, but it is single-use and expires within a short time window (typically 30 to 60 seconds), and a well-implemented server refuses to accept the same code twice, so a code read off a screen is of little use once the victim's own login completes. Factors that never display a readable secret, such as a hardware security key, leave nothing to observe at all.
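As an added example (not part of the original article), the following Python implements the TOTP algorithm from RFC 6238 on top of RFC 4226 HOTP and shows why a one-time code read over someone's shoulder has a short shelf life: the verifier accepts a code only for its own 30-second step plus a one-step clock-drift tolerance, so a code observed at login time is rejected a minute later. The shared secret is the RFC 6238 reference test key and the timestamps are constructed values; `replay_observed_code` is a hypothetical helper that models the attacker, not part of any standard.

```python
import hashlib
import hmac
import struct

# Constructed example parameters. The shared secret is the RFC 6238 reference
# test key; a real deployment uses a random per-user secret.
SHARED_SECRET = b"12345678901234567890"
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    then the 'dynamic truncation' to a 31-bit integer, reduced mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = TOTP_STEP_SECONDS, window: int = 1) -> bool:
    """Accept `code` if it matches the current step or one step either side
    (the usual clock-drift tolerance). Comparison is constant-time."""
    current = unix_time // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(current - window, current + window + 1)
    )


def replay_observed_code(secret: bytes, observed_at: int, replay_at: int) -> bool:
    """Hypothetical attacker model: a shoulder surfer reads the victim's code
    at `observed_at` and types it in themselves at `replay_at`.
    Returns True if the server would accept the replayed code."""
    observed_code = totp(secret, observed_at)
    return verify_totp(secret, observed_code, replay_at)


if __name__ == "__main__":
    seen_at = 59  # victim logs in; attacker reads the code off the screen
    print("code seen by attacker:", totp(SHARED_SECRET, seen_at))
    for delay in (0, 15, 31, 300):
        ok = replay_observed_code(SHARED_SECRET, seen_at, seen_at + delay)
        print(f"replay {delay:>3}s later: {'accepted' if ok else 'rejected'}")
```

The one-step tolerance means a replay within roughly the same half-minute still succeeds, which is why servers should additionally remember the last code accepted for a user and refuse it a second time, as RFC 6238 recommends.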

By being aware of the risk of shoulder surfing and adopting these precautions, you can significantly reduce the chances of falling victim to this simple yet effective social engineering tactic.