Join Tom Tobiassen for an in-depth discussion in this video Shoulder surfing, part of Cybersecurity Awareness: Social Engineering.
- [Instructor] Shoulder surfing is an easy attack performed by the criminal that simply stands behind you or nearby and watches as you type on a keyboard or keypad with the possibility of capturing important, private information like bank account information, an account name, and a password. The attacker attempts to gather any type of information that you are entering. If you are filling in an online form, the attacker can collect the information in the form to use for future targeted attacks.
The attacker typically stands behind you or sits behind you looking over your shoulder and watching you as you type information that they would like to use for their own benefit. The attacker may sit right behind you or across from you like on an airplane. Someone may be watching you on a subway car or on a bus. Possibly, you could be watched while typing away on your laptop in your favorite coffee shop. The key is that the attacker has visibility to your screen and to your keyboard so they can watch your fingers as you type.
With the very small size of video recording equipment available now, an attacker could record your laptop activity in order to play it back later and carefully analyze everything you have entered as they prepare for their next move. Even if the password does not appear on your laptop screen, the attacker has recorded your finger movement in order to capture that important piece of information. A technique for protecting your laptop from shoulder surfing would be to purchase one of the privacy screen covers available for sale on the market.
These privacy screen covers prevent the laptop screen from being observed from an angle, requiring a direct view of the laptop screen. With shoulder surfing, you are very vulnerable at the ATM. The ATM is a good target, since it is fairly easy to steal cash if the attacker can get enough information. The attacker can watch your fingers as you enter your PIN during the transaction. And if the attacker can distract you enough to get your ATM card, or has the ability to skim your account information, he could initiate a transaction cleaning out your account.
In order to protect your PIN at the ATM, one method is to cover the PIN pad with your other hand while you enter the PIN. This is important, not only to protect you against shoulder surfing attackers, but covering the PIN pad with your hand is good for protecting against video recorders that might be capturing ATM transactions. ATM and credit card skimmers are unfortunately becoming more common, and providing the little extra precaution of covering your PIN pad reduces the risk of your PIN being compromised by shoulder surfers or by video recording equipment.
It is important that you are aware of your surroundings while entering important information on your laptop or ATM machine. Is there anyone standing or sitting close while you are working on your computer? Consider moving to another location or position where someone sitting close by cannot view your screen. Avoid entering personal or company information on your laptop that you do not want attackers to get ahold of. Protecting your laptop screen, your keyboard, your ATM PIN pad, etc., is important.
Always assume that someone is watching and will take advantage of any information they can glean from the entry of data into the system. Shoulder surfing is an easy method for an attacker to get information like your PIN number, your account numbers, look at your laptop screens while you're not aware of somebody watching you. It's important that you're aware of your surroundings, and it's important that you take action to prevent someone from watching what you're doing.
Next, we'll move on to pretext, another form of social engineering that is very commonly used by criminals.
Note: This course was recorded and produced by Mentor Source, Inc. We're pleased to host this training in our library.