Shoulder surfing (computer security)
In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information.[1] It is commonly used to obtain passwords, PINs, security codes, and similar data.
Occurrence
Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
- fill out a form
- enter their PIN at an automated teller machine or a POS terminal
- use a telephone card at a public payphone
- enter a password at a cybercafe, public and university libraries, or airport kiosks
- enter a code for a rented locker in a public place such as a swimming pool or airport
- enter a PIN or password on their smartphone
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view by using one's body or cupping one's hand.
Secure, the European Association for Visual Data Security, recommends that in situations of heightened risk you angle your screen away from other people's gazes or fit a privacy screen filter that reduces the screen's visibility from the side. Secure also recommends that corporate IT security guidance include directions on how to mitigate these threats, for example through adoption of ISO/IEC 27001, and that staff be properly educated about the risks involved in accessing information where it can be observed.[2]
A survey of IT professionals in a white paper[3] for Secure found that:
- 85% of those surveyed admitted to seeing sensitive information on screen that they were not authorised to see
- 82% admitted that it was possible information on their screens could have been viewed by unauthorised personnel
- 82% had little or no confidence that users in their organisation would protect their screen from being viewed by unauthorised people.
Prevention
Some automated teller machines use a display with a restricted viewing angle that discourages shoulder surfers: the image grows darker beyond a certain angle, so the only way to read the screen is to stand directly in front of it. Although this prevents an observer from obtaining some displayed information, e.g. an account balance, it is generally not needed to protect the PIN, because the PIN is typically not displayed during entry.
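The non-echoing PIN entry described above, as an added example that is not code from the original page or from any ATM vendor. It reads keystrokes one at a time, writes only a mask character (or nothing at all, as most ATMs do) for each accepted digit, handles backspace, and compares the result in constant time. The stream parameters, the fixed 4-digit length, the keystroke strings and the expected PIN are all constructed for this example.

```python
import hmac
import io

# Added example: a minimal non-echoing PIN prompt. The digit itself is never
# written to `out_stream`; only a mask character (or nothing, when mask=None).
# Stream names, the 4-digit length and the sample PINs are assumptions.

BACKSPACE = {"\b", "\x7f"}


def read_pin(in_stream, out_stream, length=4, mask="*"):
    """Collect up to `length` digits without echoing them; return the PIN string."""
    digits = []
    while len(digits) < length:
        ch = in_stream.read(1)
        if ch == "":                 # input ended before the PIN was complete
            break
        if ch in ("\n", "\r"):       # Enter pressed early: stop with what we have
            break
        if ch in BACKSPACE:
            if digits:
                digits.pop()
                if mask:
                    out_stream.write("\b \b")   # erase one mask character
            continue
        if not ch.isdigit():         # ignore letters, punctuation, etc.
            continue
        digits.append(ch)
        if mask:
            out_stream.write(mask)
    out_stream.write("\n")
    return "".join(digits)


def check_pin(entered, expected):
    """Constant-time comparison so response timing does not leak the matching prefix."""
    return hmac.compare_digest(entered.encode(), expected.encode())


def demo(keystrokes, expected="2580"):
    """Drive read_pin with a constructed keystroke string; return (pin, shown, ok)."""
    shown = io.StringIO()
    pin = read_pin(io.StringIO(keystrokes), shown, length=4)
    return pin, shown.getvalue(), check_pin(pin, expected)


if __name__ == "__main__":
    # On a real terminal, put the tty into raw mode (tty.setraw on POSIX) or use
    # getpass.getpass so the OS itself does not echo; here the keystrokes are a
    # constructed string so the example runs offline.
    pin, shown, ok = demo("25x8\x7f80")
    print("on screen:", repr(shown), "accepted:", ok)
```

The point of the example is the separation between what is collected and what is displayed: an observer of `out_stream` sees only the mask, and with `mask=None` sees nothing but the final newline, which is the behaviour the ATM display relies on.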
Certain models of credit card readers have the keypad recessed, and employ a rubber shield that surrounds a significant part of the opening towards the keypad. This makes shoulder-surfing significantly harder, as seeing the keypad is limited to a much more direct angle than previous models. ISO 9564-1, the international standard for PIN management, describes such measures thus:[4]
"Visual observation of the PIN is the most common way that a PIN is compromised. Privacy during PIN entry may be achieved by providing a cowl over the keys or by positioning the PIN entry device such that during PIN entry the keys are shielded by the customer's body..."
POS terminals, commonly found in shops, supermarkets and fuel outlets, are harder to use in a way that prevents shoulder surfing because they are usually placed in plain view on a counter. It is good practice to shield the keypad with one hand while entering the digits with the other.
On laptops, one can use a special "privacy screen" to prevent others from seeing the screen.[5]
References
- [1] Shorter Oxford English Dictionary (6th ed.), Oxford University Press, 2007, ISBN 978-0-19-920687-2
- [2] "Visual Data Security - Secure - European Association for Visual Data Security". Visualdatasecurity.eu. Retrieved 2014-04-10.
- [3] "Visual Data Security White Paper" (PDF). European Visual Data Security. Retrieved 2014-04-10.
- [4] ISO 9564-1:2011 Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems, Annex B.3 Privacy during PIN entry
- [5] Barney, Karen. "Information security: Who's looking over your shoulder?". Retrieved 2015-12-22.