While some cyber threats can be complex and require a bit of know-how to perform, there is one type of cyber threat that many people are guilty of partially committing without even realizing it: shoulder surfing. Shoulder surfing is an extremely easy type of attack that can be performed by anyone regardless of age or technological skill. A shoulder surfer simply “observes an unaware individual’s keystrokes, screen content, or conversations with the goal of obtaining sensitive information” (MITRE). If you have ever watched a friend type in their password, peeked at a coworker’s monitor when they left their desk, or eavesdropped on someone’s phone conversation, you have technically committed the act of shoulder surfing.

How Does Shoulder Surfing Work?

Since shoulder surfing involves watching the screen or keyboard of the intended target, it “typically requires physical proximity to the target’s environment, in order to observe their screen or conversation” (MITRE). This is why it is crucial to be aware of your surroundings, especially when entering sensitive information into a device such as a phone, computer, or ATM. However, while shoulder surfing implies that the attacker is looking over your shoulder, this “doesn’t always mean that someone is literally looking over your shoulder. It can also be done from far away, using binoculars or even a small telescope” (McAfee). Alternatively, the attacker could “record the target and obtain sensitive information upon review of the recording” (MITRE).

Dangers of Shoulder Surfing

While it may seem like a harmless act at first, a shoulder surfer can actually cause a lot of damage. Of course, it is possible that the “snooper could just be curious”, but it is more likely that “they could be trying to capture your login information so they can use it to access your accounts impersonating you later on” (McAfee). For example, say you are at the coffee shop and are waiting in line to order. You pull out your phone, type in your PIN, and then browse social media for a bit. Meanwhile, the person waiting in line behind you has had their eyes on your screen; they now know your PIN and could easily unlock your phone if they got ahold of it (MITRE). You have likely seen shoulder surfing at work in movies or television shows: one character, using a telescope or binoculars, watches another enter a secret PIN to gain access to a restricted area. Unfortunately, shoulder surfing is just that simple. It is extremely “easy to fall victim to shoulder surfing. Often, it happens when you’re distracted or in a rush. There’s a good chance you might be in a crowded, public place” (Symanovich). This ease with which someone can shoulder surf is why it is such a common method of attack, and those who are particularly skilled are able to memorize the finger movements of their targets to figure out their passwords (McAfee). Shoulder surfing is not just a danger in public spaces, either. It “can also occur at the workplace where giant computer screens are facing outward for anyone walking by to see” (McAfee).

How to Stay Safe from Shoulder Surfing

Fortunately, protecting yourself from shoulder surfing can be rather easy. McAfee provides the following four tips to keep yourself safe from a shoulder surfer:

Look for an area where your back is against a wall.

Be aware of your surroundings at all times, not just people but also video cameras.

Consider using a screen protector to obscure the visibility of the display.

Save your personal, business and financial matters for when you are in the privacy of your own home.

McAfee

Additionally, MITRE recommends that you “ensure that sensitive information is not displayed to nor discussed around individuals without need-to-know access to said information” (MITRE). You should always refrain from discussing confidential information in public, even if you believe that nobody is paying attention. You never truly know who might be listening in.
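The MITRE guidance above (keep sensitive information off screens that people without a need to know can see) also applies to the software that displays customer or account data on a desk-side monitor. The Python below is an added example written for this article, not code from MITRE or from any of the cited sources: the sample record and its values are constructed, and the helper names `mask_secret`, `redact_for_display` and `prompt_secret` are assumptions made for illustration.

```python
"""Keep sensitive data off the screen unless it is actually needed.

Added example for this article (not MITRE's or any cited source's code).
Helper names and the sample record are assumptions made for illustration.
"""
import getpass


def mask_secret(value: str, visible: int = 4, mask_char: str = "*", keep: str = " -") -> str:
    """Mask every informative character of `value` except the last `visible` ones.

    Separator characters listed in `keep` (spaces, dashes) are left in place so the
    masked string keeps its familiar shape. A value too short to have a suffix worth
    showing is masked completely, so a short identifier is never revealed almost in full.
    """
    informative = [c for c in value if c not in keep]
    if len(informative) <= visible:
        visible = 0
    hide = len(informative) - visible
    out = []
    seen = 0
    for c in value:
        if c in keep:
            out.append(c)
        else:
            out.append(mask_char if seen < hide else c)
            seen += 1
    return "".join(out)


def redact_for_display(record: dict, sensitive: set, secret: set) -> dict:
    """Return a copy of `record` that is safe to render on a shared or visible screen.

    Fields in `sensitive` (account or card numbers) are shown as a masked suffix only;
    fields in `secret` (passwords, PINs) are never shown at all, not even masked.
    """
    shown = {}
    for key, value in record.items():
        if key in secret:
            shown[key] = "[hidden]"
        elif key in sensitive:
            shown[key] = mask_secret(str(value))
        else:
            shown[key] = value
    return shown


def prompt_secret(prompt: str = "PIN: ") -> str:
    """Read a PIN or password without echoing it, so bystanders see no characters on screen."""
    return getpass.getpass(prompt)


if __name__ == "__main__":
    # Constructed sample record; none of these values are real.
    customer = {"name": "A. Example", "account": "1234-5678-9012", "password": "hunter2"}
    print(redact_for_display(customer, sensitive={"account"}, secret={"password"}))
    # prints {'name': 'A. Example', 'account': '****-****-9012', 'password': '[hidden]'}
```

The two tiers matter: a masked suffix is enough for a clerk to confirm "is this your account ending in 9012?" with a customer, while a password or PIN has no legitimate reason to appear on a screen in any form, so it is replaced outright. Reading secrets with `getpass` rather than `input` keeps the typed value out of the terminal and off any recording of it.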

Finally, Symanovich includes a few additional tips for keeping yourself safe from shoulder surfers:

“…Use VPN if you do financial transactions on Wi-Fi.

Shield the keypad on the ATM when you enter your PIN.

Make sure your ATM transaction is complete and take your receipt.

Pick strong passwords so it’s hard for any observer to guess what you typed.

Lock your computer screen at work when you leave your desk.”

Symanovich

Resources & Further Reading

McAfee. “What Is Shoulder Surfing?” McAfee, McAfee, LLC, 27 June 2022, www.mcafee.com/learn/what-is-shoulder-surfing/.

MITRE. “CAPEC – CAPEC-508: Shoulder Surfing (Version 3.9).” Capec.mitre.org, The MITRE Corporation, 30 July 2020, capec.mitre.org/data/definitions/508.html.

Symanovich, Steve. “What Is Shoulder Surfing?” LifeLock by Norton, Gen Digital Inc, 14 Sept. 2017, lifelock.norton.com/learn/identity-theft-resources/what-is-shoulder-surfing.
