+3 votes
in Security by (242k points)
Shoulder surfing: a danger taken lightly?

1 Answer

+4 votes
by (1.6m points)
Best answer


Shoulder surfing: a danger taken lightly?

When you think of hackers or cybercriminals, you imagine computer nerds programming malware or figuring out how to gain unauthorized access to other people's computers to steal sensitive data. However, there is often an easier way to access other people's personal data and passwords: shoulder surfing is a very simple method of spying on unsuspecting victims and stealing their passwords, PIN codes or other access data. To find out what exactly shoulder surfing is and how you can protect yourself from this tactic of spying in public, read on.

  1. What is shoulder surfing?
  2. Type of crime and characteristics of shoulder surfing
  3. What can shoulder surfing bring with it?
  4. Protection measures: how can shoulder surfing be avoided?
    1. Protection against shoulder surfing: tips for entering the PIN
    2. Protection against shoulder surfing when entering sensitive data in general

What is shoulder surfing?

Shoulder surfing is a technique that involves stealing personal data by observing the victim's daily use of electronic devices, such as ATMs, payment terminals in shops, laptops or smartphones; that is, literally looking over their shoulder.

The ease with which this method allows data to be stolen in public places is not surprising if we think about how we behave as users: we regularly use our mobiles, tablets or laptops in public and we are not particularly careful when entering passwords, PIN codes, user names or other personal data. This means that often, in crowded places, we can be observed without realizing it. You may not have noticed that while you are working in that crowded cafe at noon, deep in thought in front of your laptop, there is someone at the back table who not only can see your screen perfectly, but is also paying close attention when you enter your passwords.

This type of criminal, the shoulder surfer, is capable of collecting data in many situations under the protection of the anonymity of the public sphere. If, for example, you enter your credit card information on an online store page, a shoulder surfer could read the digits directly on your screen or even decipher them from the movements of your fingers.

Type of crime and characteristics of shoulder surfing

Shoulder surfing is a method of social engineering, i.e., one of the practices whose goal is to access confidential information by manipulating people in the real world. There are two main ways to carry out shoulder surfing:

On the one hand, there are the attacks that seek to obtain data through direct observation. These are cases in which the victim is observed directly over their shoulder when, for example, they are about to enter their personal PIN to pay by card at the cash register.

The second variant is to videotape the victims first. This allows criminals to then thoroughly analyze the videos and extract the information they are looking for. Today, video recordings make it possible to recognize PIN codes used to unlock mobile devices, for example, even if the screen itself is not visible in the video: finger movements are enough to reveal the access code.


The idea of stealing data by looking over someone's shoulder existed long before the Internet and smartphones arrived: as early as the 1980s, criminals copied phone card numbers used in booths and then made international calls at the victim's expense, or later resold the cards at a lower price.

What can shoulder surfing bring with it?

As soon as a thief gets a victim's personal data, they can use it to impersonate the victim and thus buy, withdraw money or carry out other transactions on their behalf. In Spain, in fact, identity theft on the Internet and the theft of access data already carry penalties ranging from a fine to a couple of years in prison.

In addition to the personal damage that shoulder surfing can cause, we must also consider the serious damage it can cause to companies: if you work in public places and enter, without thinking too much, your access data for applications, the server or an email account, you are handing it to criminals and you are also endangering the security of the data of your clients, colleagues or employees.

Protection measures: how can shoulder surfing be avoided?

The main thing is to be especially careful when using any type of digital identification in public, whether professional or personal. In particular, you can greatly increase your data security by mastering a few tricks.

Protection against shoulder surfing: tips for entering the PIN

When paying with credit or debit cards, some measures that have proven to be particularly effective in making PIN entry more secure are the following:

Tip 1. The general recommendation is to cover the terminal keyboard with the other hand while entering the PIN.

Tip 2. To withdraw money, it is a good idea to check the parts of the ATM before inserting the card, in case any are loose or appear to have been added in a suspicious way. It could be, for example, that a second card reader has been fitted over the authentic reader. This added reader would read the magnetic stripe and thus save the card data.

Tip 3. Another possibility is to simply use contactless payment methods, which do not require the entry of a PIN code and, therefore, do not allow sensitive data to be stolen using the classic shoulder surfing method.

Protection against shoulder surfing when entering sensitive data in general

If you cannot avoid entering sensitive data on your computer, tablet or smartphone in public, we recommend that you implement the following security measures:

Tip 1. Before entering the data, find the most suitable place: with your back against the wall, for example, you can get rid of unwanted glances.

Tip 2. The use of privacy filters is also advised. These are plastic sheets that, placed on the screen, make it appear black when viewed from an angle other than head-on. With them, reading the screen furtively becomes quite a bit more difficult.

Tip 3. By applying two-factor authentication, the user must prove their identity through two independent components. Since access is then only granted if both have been entered correctly and within a certain period of time, the level of protection is considerably increased. This method is often used, for example, in online banking, an area in which the identification usually consists of the combination of a password (first factor) and a TAN number (second factor), which is generated anew with each access.

Tip 4. Another way to protect yourself is to use a password manager. With this type of manager, you no longer have to enter the corresponding password every time you want to access an account; the manager takes care of it and only asks for a master password as authentication. In this way, if someone were spying on what you type, they could not deduce the real passwords of the accounts, as long as you protect your master password with the necessary measures.