Shoulder Surfing

We should all be cognizant of "shoulder surfing" – people who can see our computer screens or keyboards. What can attackers gain by shoulder surfing? How can you tell when you might be vulnerable to a shoulder surfing attack?

Shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. Shoulder surfing is particularly effective in crowded places because it's relatively easy to observe someone as they: 

  • Fill out a form 
  • Enter their PIN at an automated teller machine or a POS Terminal
  • Use a calling card at a public payphone 
  • Enter passwords at a cybercafe, public and university libraries, or airport kiosks
  • Enter a digit code for a rented locker in a public place such as a swimming pool or airport. 

Shoulder surfing is also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls, or fixtures to observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view by using one's body or cupping one's hand.

Recent automated teller machines now have a sophisticated display that discourages shoulder surfers. It grows darker beyond a certain viewing angle, and the only way to tell what is displayed on the screen is to stand directly in front of it. 

Certain models of credit card readers have the keypad recessed, and employ a rubber shield that surrounds a significant part of the opening towards the keypad. This makes shoulder-surfing significantly harder, as seeing the keypad is limited to a much more direct angle than previous models. Taken further, some keypads alter the physical location of the keys after each keypress. Also, security cameras are not allowed to be placed directly above an ATM.


Source: https://en.wikibooks.org/wiki/Fundamentals_of_Information_Systems_Security/Access_Control_Systems
Creative Commons License This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Thursday, April 15, 2021, 2:50 PM