Shoulder Surfing Attack

When it comes to protecting data from threat actors in a cybersecurity context, we tend to think in terms of technology. A strong IDS (intrusion detection system), a properly configured firewall, up-to-date servers, and other defensive measures are all important in Information Security.

What often gets overlooked, however, are the other (namely physical) attack vectors. From social engineering attacks to bypassing security ID checks by following employees into a building, the physical security component is just as vital in protecting data.


What is a Shoulder Surfing Attack?

One of the oldest and most effective methods of breaching security is shoulder surfing. It is a relatively simple concept. A threat actor, or perhaps a penetration tester hired by an organization, seeks to observe information that can later be used to harm a target. The original form of this attack was peering over someone’s shoulder while they logged into their account, watching the keystrokes, and noting the password entered. Another common variation was reading the sticky notes on which employees wrote their passwords. These notes were usually stuck to the monitor and could easily be read by a malicious individual.

How has Shoulder Surfing Evolved?

The attacks began mostly in offices during the dotcom boom of the 1990s, and while those methods are still a threat, shoulder surfing has many more tactics available in the 21st century. Much of this has to do with how the threat landscape has opened up. With the advent of smartphones, tablets, and other IoT (Internet of Things) devices, the opportunities for observation are endless. Many people log into sensitive accounts in public with no awareness of how this can be used against them. From social media accounts to mobile banking applications, shoulder surfing is more lucrative for cybercriminals than ever before.

Defending against Shoulder Surfing

Nowadays, to defend against shoulder surfing attacks, one must be cognizant of one's environment at all times. Threat actors don’t just shoulder surf by standing behind you at an ATM; they also use video cameras, binoculars, and other image magnification methods. To mount a proper defense against shoulder surfing, try the following methods.

  • Do not use sensitive accounts on your smart devices in public. Better yet, try not to use your smartphone or other mobile device in public except for absolutely necessary communication.
  • Try to find a place where you can place your back against a wall if you absolutely must use a sensitive account in public.
  • Use a password manager instead of writing down your new password. Your organization will almost certainly require rotating passwords, so this is the most effective way of 1) not having to memorize every new password you create, and 2) keeping an encrypted repository of all your passwords.
  • Block your screen, keyboard, or whatever you might be using with your body as much as possible when entering sensitive data (especially login information).
  • Do not reuse passwords. If you do fall victim to shoulder surfing, this will at least limit the damage done. The fewer accounts an attacker can access with one observed password, the better.