If you're worried about identity theft or being hacked, there are a number of steps that you can take to avoid such problems. These include being careful about what sites you visit and what emails you open.

Another step that's often overlooked, however, is being aware of your surroundings when entering private information. And this is a mistake because it leaves you open to a practice known as shoulder surfing.

So what exactly is shoulder surfing and how can you protect yourself from it?

What Is Shoulder Surfing?

Shoulder surfing is the act of watching somebody as they reveal private information. It typically involves the victim using an electronic device such as an ATM, a computer, or a phone.

Shoulder surfing is a type of social engineering, generally carried out by criminals with the hope of stealing from the individual being watched. It can occur at random (i.e. the victim is being careless) or it can be a targeted attack.

Shoulder surfing can be used to steal any type of information. It's most often used to find out passwords, payment details, and PINs.

But it can also be used to steal personal information for the purposes of identity theft. The latter is particularly easy to do as many people won't think twice about revealing such details in public.

Examples of Shoulder Surfing

Shoulder surfing is often carried out at ATMs. If you don't cover your hand while entering your PIN, anyone standing behind you or to either side can see it.

This is profitable because some ATM machines ask if you'd like to continue at the end of a transaction. If you don't specifically say no, the person next in line can access your account by simply reentering your PIN.

If an ATM has this functionality, it's not uncommon for thieves to line up in the hope that somebody is in a rush.

Shoulder surfing can be carried out anywhere that people use the internet. The most obvious example is a cafe where people work on laptops. But a busy train full of people glued to their phones can provide the same opportunity.

Shoulder surfing can be used to steal information from documents such as application forms. Carrying out such attacks has never been easier thanks to the increased sophistication of smartphone cameras. All a thief has to do is wait somewhere with forms that require a social security number.

Shoulder surfing can be used to gain access to secure areas including apartment complexes. If the door is opened using a PIN, it's just a matter of hanging around long enough for somebody to enter. A professional will divert suspicion by wearing a delivery uniform.

How Often Does Shoulder Surfing Happen?

It's difficult to determine how often shoulder surfing happens. During a successful shoulder surfing attack, the victim remains unaware that they are being watched. And even after the stolen information is used, the victim often doesn't suspect the activity.

If a password is stolen, for example, it could just as easily be caused by phishing, a data breach, or malware. It's only after these things are ruled out that victims may suspect that they were being watched.

Shoulder surfing is not a new activity and actually predates widespread use of the internet. The idea was first adopted by people who wanted to steal phone card numbers. In the 1980s, criminals would stand around (sometimes even with binoculars!) waiting for somebody to use a payphone.

Evidence of shoulder surfing is now primarily found on ATM cameras. It's also often used to explain how hackers manage to gain access to restricted systems despite having otherwise effective security.

Shoulder surfing is typically carried out at short distances, but this isn't always necessary. The use of binoculars is particularly popular at ATMs, while a hidden camera can easily be placed outside a PIN-operated door.

How to Prevent Shoulder Surfing

Shoulder surfing isn't difficult to prevent. Its effectiveness is largely based on the victim being unaware of the practice.

Pay Attention at ATMs

Pay attention to your surroundings when using an ATM. Always cover your hand when entering your PIN, look around you before doing so, and make sure that the transaction is finished before walking away.

Watch Where You Sit

If you need to enter private information in public, take the time to stop somewhere appropriate. For example, if you're going to a cafe with the intention of using an electronic device, sit somewhere that allows your back to face the wall. For particularly sensitive information, such as your payment details, it's usually best to wait until you are in private.

Use a Password Manager

Password managers are useful for storing hard-to-hack passwords and protecting against malware. They can also protect you from shoulder surfing. Once installed, you can log in to any of your accounts without revealing too much.

Use 2-Factor-Authentication

Activate 2-factor-authentication (2FA) on any account that offers it. 2FA prevents anyone from using your password to access your accounts unless they also have access to a personal device such as your smartphone. Without that device, shoulder surfing becomes completely ineffective.

Use a Privacy Screen

If you're worried about people watching your laptop, you might want to consider a privacy screen. This is a transparent screen cover which is designed to reduce viewing angles. The purpose is to make it impossible to read a screen without being directly in front of it.

Are You a Victim of Shoulder Surfing?

Shoulder surfing is a simple but surprisingly effective technique. It relies on the fact that while the average person would never give their password to a stranger, they will happily enter their password while potentially being watched by one.

If you think that you might have been a victim of shoulder surfing, act immediately. Depending on the purpose of the attack, there's often a delay between the information being obtained and actually being used.