Skip to content

Shoulder Surfing: How it Works and How to Protect yourself

Working in public places, such as airports, restaurants and bars, large offices, and spaces dedicated to smart working presents a series of security risks. It requires some measure adoption to prevent data or identity theft, compromise of devices, credentials and more. One of these risks is what is called “shoulder surfing”. It is a social engineering technique used to obtain information such as PIN codes, passwords, and other confidential data by observing the victim over their shoulders.

How does “shoulder surfing” work?

This technique does not require any technical knowledge. The malefactor is simply peering at those who perform certain operations. For example, enters his password, pin in an ATM, code for closing the lock of the gym locker, or the password to access a reserved area by code on a numeric keypad.

It is one of the oldest, but no less effective social engineering techniques. We could mention several examples of attacks that have successfully exploited it. There is an interesting case described in the book “The Art of Deception” by Kevin Mitnick. Kevin is an American programmer, phreaker, cracker and entrepreneur. He distinguished himself for his remarkable skills in social engineering, having performed some of the most daring forays into the computers of the United States government. In the book he tells of his character, Eric, who precisely starting from shoulder surfing techniques, managed to gain access to the network of the DMV (Department of Motor Vehicles) through a series of steps. He used this access for several months to steal data about driving licenses, that he sold obviously making huge profits, and often causing innocent people to get into trouble.

In addition to the classic attack, when someone peeks at your monitor, or keyboard, there is a number of technological evolutions. These involve the use of devices such as microphones, nano-amplifiers, micro-cameras and other objects, which are often available on the internet at very low costs.

How to protect yourself

Now you know how easily even a less experienced social engineer can acquire fundamental information about your security systems. How can we defend ourselves from shoulder surfing? Here are some simple rules:

  1. When entering passwords, codes, PINs and others credentials, always protect the keyboard, so it is invisible to people and cameras around you
  2. While entering passwords or credentials, never say them out loud
  3. If you work in public places, install a protection on your device to obscure the visibility of the display
  4. Never write down any password. Reading these notes in public places, for example to insert an access PIN – it increases your attack surface
  5. When available, use multi-factor authentication, so that compromising a single factor, such as a PIN, does not automatically compromise your account
  6. Always use different passwords and PINs for each service. Criminals often use the compromised credentials of a single account to attempt to access other accounts in your possession. For example, a criminal could see you type in the password to access a web service and attempt to use that same password for your corporate account, or home banking portal
  7. Change your credentials frequently

You and your colleagues from non-IT teams can learn more with HWG Sababa Awareness training course.

Related post

The future of cybersecurity - trend 2025

As we move into 2025, the cybersecurity landscape will reach unprecedented levels of complexity. Advanced technologies such as Artificial Intelligence (AI) and automation will take center stage - not only…

5 minuti
SIEM Cybersecurity

The rapidly evolving nature of cybersecurity threats challenges organizations to adopt advanced tools to protect their data and infrastructure. Security Information and Event Management (SIEM) systems are at the forefront,…

6 minutes
cset conference

Genoa, Novembre 14, 2024 - The 2024 CSET Conference,concluded yesterday, following two days of insightful discussions held on November 12-13 at the historic Palazzo della Borsa in Genoa. Organized by…

Back To Top