In computer security, there are many risks and many forms that those risks can take. Shoulder surfing is a form of social engineering. It refers to a class of attack where an attacker gains information by looking at the victim’s device. This historically involved physically looking over their shoulder but also encompasses techniques involving hidden cameras and the like.
The classic example of shoulder surfing is an attacker looking over the victim’s shoulder while they type in their payment card PIN. Awareness of this type of attack has led to changes in behavior, including shielding the keypad with one hand while typing the PIN with the other. Some payment terminals also include a built-in privacy cover over the PIN pad. Some ATMs also remind users to check over their shoulders, and may feature a small mirror to let you do so.
Note: The ATM mirror is often tiny and somewhat foggy. This is deliberate. It’s good enough to let you check over your shoulder, but not good enough to allow a well-placed attacker to see your PIN.
These countermeasures have led to more advanced techniques in the real world. Many criminal enterprises have used hidden cameras to spy on the PIN pad. Some have positioned themselves further away and used binoculars or a telescope to see the PIN pad from a safe distance. Thermal cameras have also been used to identify the PIN from the residual heat left on the buttons after they were touched. In some cases, skimmer devices have been placed over the front of the terminal, covering the real buttons. While this last case still results in PINs and card details being stolen, it doesn’t strictly count as shoulder surfing, as no actual observation was needed.
Of course, shoulder surfing can also be a risk in other scenarios. Any system with a short secret – especially on a numbered PIN pad – is open to this risk. An attacker could watch a code entered into a security door, see the tumbler positions when opening a safe, or observe a password being entered.
Note: When a single PIN is used on a keypad for an extended period, the buttons can become worn down or grimy just from use. This is similar to – if a more extreme variant of – the thermal imaging concept. It typically only applies to security doors as they tend to have one PIN known by everyone authorized, which isn’t often changed.
The scenario of an attacker observing a password being entered is particularly interesting in computer security. While you may not willingly tell people a password, there are other ways to get it. Phishing is a relatively well-known and often underappreciated risk. Shoulder surfing is another. This risk especially applies in public settings where you have no control over the people around you. In a home or work environment, there’s more of an expectation of trustworthiness, as misplaced as that may be.
For example, an attacker may see your passcode over your shoulder if you sign into your phone in a coffee shop. An attacker can do the same if you’re using a laptop. It’s easier there, as the keys are more prominent and easier to distinguish, even if you type your password quickly.
Often the biggest target of shoulder surfers is something small but of high value. PINs and passwords are ideal for this as they’re short, relatively easy to identify and remember, and provide further access to funds, an account, or a device, for example. In other cases, the attack can be purely opportunistic or the result of deliberate targeting, such as espionage.
An opportunistic attack tends to be the observation of something sensitive but not directly useful to the attacker. For example, some businesspeople work on public transport. They may work on sensitive documents involving financial forecasts or any other sort of sensitive, internal, and non-public information. Someone sitting nearby may be able to see their screen and gather information.
In this case, the attacker may not even be an actual attacker. They may be curious but have no intention of doing anything with what they learn. This isn’t always the case, though, and there’s no way to tell, so care should be taken when dealing with sensitive information in public places. This concept also applies to sensitive personal content, especially photos or video. Again, someone else may look at your screen. Even if they don’t share it further, that may still be an unwanted intrusion.
In espionage and social engineering contexts, an attacker may deliberately target a victim or location to see sensitive information on a screen. This may not necessarily give the attacker direct access the way a password would, but as in the previous example, other sensitive information can also be valuable to them.
Shoulder surfing is a class of social engineering attack. It involves an attacker gleaning information by looking at the victim’s actions or screen. Shoulder surfing primarily covers attempts to identify passwords or PINs. It also covers attempts to see private information on screens, such as corporate or government secrets or compromising information. Shoulder surfing is essentially the visual equivalent of eavesdropping or listening to conversations you weren’t supposed to be able to hear.