We’ve arrived at a point where we depend on technology and the Internet for almost every aspect of our lives. From banking to shopping, we now rely on digital platforms to handle our transactions and keep us informed.
Unfortunately, many of us forget that while technology brings plenty of conveniences, it also comes with a large share of risks.
And these risks do not just exist in the online world. Sometimes, the most dangerous threats come from people in our physical surroundings.
One of these risks is shoulder surfing, a form of identity theft where an individual uses observation to try to obtain personal information. While the majority of us use passwords or PINs to protect our accounts, it can become quite easy for someone who’s actively observing us to break them.
This article will provide information on how you can identify when someone is trying to shoulder surf, as well as tips on how you can best protect yourself against it.
What is Shoulder Surfing?
Shoulder surfing is a type of social engineering attack in which a person uses observation to try to obtain personal information. In other words, they literally look over your shoulder to see what you’re typing into a computer, ATM, or another type of device.
These thieves can steal information like passwords, PINs, Social Security numbers, and credit card details by simply watching you type them in. They can then use this data to access your accounts and steal money or commit other fraudulent activities.
While there is no research yet on the prevalence of shoulder surfing attacks nationally, a controlled study by New York University researchers found that 73% of mobile device users reported that they had observed someone else’s PIN code.
Situations Where Shoulder Surfing Can Occur
Any public place can be a potential target for shoulder surfers. Here are some of the most common situations where shoulder surfing can occur:
When You’re Using an ATM or Online Banking Service
When using an ATM or accessing your bank account in a public space, it is very easy for someone to stand behind you and watch as you enter security codes, PINs, passwords, and other personal information into the machine.
This type of attack requires little effort on the attacker’s part as they can easily observe from a distance without being noticed. Some criminals may use cameras to capture images of what is being typed into the machine or binoculars to get a better view.
When You’re Logging Into Your Device in Public
Suppose you are logging into your laptop at an airport or coffee shop and there are no physical barriers between you and other people. In that case, a shoulder surfing attack is a possibility. This person could then use this information to infiltrate your account without needing additional authentication from you.
When You’re Typing in Passwords or PINs on Public Computers
If you’re at an internet cafe and are typing in your login credentials for a website, someone sitting next to or behind you could look over your shoulder and memorize or take pictures of the information.
Or, if you’re not observant, there may be planted cameras or other recording devices that are capturing the information you type in.
When You’re Providing Sensitive Information Over the Phone
Shoulder surfing can also involve eavesdropping. When you’re in a public area and your child suddenly calls you and asks for sensitive information to buy something online, be aware of your surroundings.
By providing sensitive information over the phone, you make yourself vulnerable to shoulder surfers. Anyone nearby could potentially hear what you are saying. Depending on your environment, there may also be recording devices that could capture your conversation and any sensitive data provided.
This puts your personal information at risk of being leaked or misused by malicious third parties who can use it for fraudulent activities such as identity theft and fraud.
When You’re Using Your Debit Card at a Store
You are at a store using your debit or credit card to make a purchase. As you enter your PIN number, a lurker may glance in your direction and notice the numbers you have entered on the keypad. If they have good eyes, they may also make out the card number and expiration date on your card.
With this information memorized, the individual may then use those PIN details to access your account online or clone another version of your card using all the necessary data printed on it.
Tips to Protect Yourself From a Shoulder Surfing Attack
Social engineering attacks like shoulder surfing can be prevented with the right precautions.
Here are a few tips you can use to protect yourself from shoulder surfing:
1. Be aware of your surroundings
Minding your surroundings is a basic tip for avoiding any type of theft, including shoulder surfing. Here are a few steps you can take to practice caution:
- Choose a secure location when accessing any of your devices. Avoid crowded places and make sure the device’s screen is not visible to passersby or bystanders.
- Be aware of the people around you. If you notice someone who seems to be hovering or looking over your shoulder, stop what you’re doing and move to a more secure location.
- If a situation calls for you to access sensitive information in public, use your body or any other object to cover your device’s screen or hand movements.
- When on the phone, turn away from any nearby individuals and lower your voice. If it can be avoided, don’t discuss any personal or financial information at all.
2. Use privacy screens
A privacy screen is a panel or filter placed over a laptop screen or mobile device to prevent people from seeing the display. It is made up of a light-reducing material that blocks the view from anyone who is not directly in front of the monitor.
Using a privacy screen reduces the chances of someone seeing confidential information on your device since they will not be able to view the data at an angle or from a distance.
However, it’s not a 100% foolproof security measure, as an experienced shoulder surfer may still be able to read the information from a close range. Remember to check your surroundings first before inputting sensitive information.
3. Enable two-factor authentication
Two-factor authentication (2FA) is an additional layer of security that requires the user to provide two pieces of information to authenticate their identities, such as a password and a one-time code sent via SMS or email.
This makes it much harder for an attacker to access your accounts by simply observing what is being entered on the keyboard since they would need both pieces of information to log in successfully.
2FA can also be set up as a physical token (like a hardware key), making it even more difficult for a shoulder surfer to hack your information. You can even take it a step further and enable multi-factor authentication, which requires more than two pieces of information to be provided for authentication.
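As an added illustration (not code from the original article), the following Python program implements the time-based one-time-password scheme (TOTP, RFC 6238) that authenticator apps generate, and plays out the shoulder-surfing scenario: an observer who sees both the password and the six-digit code at one moment, and replays them 90 seconds later, is rejected because the code has rolled over. The shared secret is the RFC 6238 test-vector value and the password is a constructed demo value; the `verify_login` and `simulate_observed_login` functions are hypothetical server-side logic written for this example.

```python
import hashlib
import hmac
import struct

# Shared secret from the RFC 6238 test vectors (ASCII "12345678901234567890").
# Demo value only; a real enrolment would generate a random secret per user.
DEMO_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                     # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, unix_time // step)


def verify_login(stored_password: str, stored_secret: bytes,
                 supplied_password: str, supplied_code: str,
                 unix_time: int, window: int = 1) -> bool:
    """Hypothetical server-side check: the password must match AND the code must
    be valid for the current time step (or one step either side, to absorb
    clock skew between the server and the user's phone)."""
    if not hmac.compare_digest(stored_password.encode(), supplied_password.encode()):
        return False
    counter = unix_time // STEP_SECONDS
    return any(
        hmac.compare_digest(hotp(stored_secret, counter + d), supplied_code)
        for d in range(-window, window + 1)
    )


def simulate_observed_login() -> tuple:
    """A shoulder surfer watches the victim type password and code at time T,
    then replays exactly what they saw 90 seconds later.
    Returns (victim_login_accepted, replay_accepted)."""
    password = "correct horse"                 # constructed demo password
    t_victim = 1234567890
    observed_code = totp(DEMO_SECRET, t_victim)  # what the observer saw
    victim_ok = verify_login(password, DEMO_SECRET, password, observed_code, t_victim)
    replay_ok = verify_login(password, DEMO_SECRET, password, observed_code, t_victim + 90)
    return victim_ok, replay_ok


if __name__ == "__main__":
    print("victim accepted, replay accepted:", simulate_observed_login())
```

The observed code is useful only until the time step (plus the skew window) expires, which is why an attacker who memorises what they saw on the keyboard still cannot log in later. Production verifiers additionally record the last counter value accepted for each user and refuse to accept the same code twice, so even a replay within the same 30-second window fails; that check is omitted here to keep the example short.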
4. Avoid using the same password for multiple accounts
Reusing passwords for multiple accounts can make shoulder surfing attacks easier to carry out. If a malicious actor is able to observe the password used for one account, they could then try that same password on your other accounts.
Unfortunately, using the same password is a common habit. Survey data show that most Americans admit to using the same password across accounts.
Assigning different passwords to different accounts can help lessen the damage, as the malicious actor would only be able to access a single account. Another good practice is to also make your passwords long and complex so they cannot be easily memorized by an observer.
5. Use a password manager
A password manager is a digital tool that helps users store, manage, and protect their passwords. It offers several benefits, including the ability to generate strong and unique passwords, store multiple passwords in a secure vault, and auto-fill login credentials.
As for how this prevents shoulder surfing: since a password manager typically fills in passwords automatically when you visit a website, someone standing close by won’t be able to see what the actual password is.
6. Log in with biometric authentication
Biometric authentication is a secure form of identification that utilizes physical characteristics like fingerprints and facial scans to verify an individual’s identity.
With biometric authentication, shoulder surfing is virtually impossible because the information used to authenticate the user cannot be guessed by just looking at them or their environment.
Biometrics are also difficult for hackers to replicate since they are unique to each individual. From a convenience standpoint, biometric authentication is much faster than traditional methods. This reduces the amount of time someone has to observe what a user is entering.
7. Set up fraud alerts
Credit card companies usually offer fraud alerts, which require lenders to contact you before opening any new accounts in your name. This is important, as credit card fraud is one of the most prevalent types of identity theft.
The Federal Trade Commission’s Consumer Sentinel Network Data Book 2021 showed that credit card fraud is the most common identity theft complaint. The Commission received 363,092 complaints in total.
While fraud alerts don’t necessarily stop a shoulder surfing attempt, they can delay or prevent the attacker from pushing forward with the scam. The extra time can give you a chance to investigate and take preventative measures.
8. Opt for contactless payment methods
When using a debit or credit card, you’re often required to enter your card details and PIN number. This presents an opportunity for someone to shoulder surf.
Contactless payments eliminate the need for a PIN by using a secure chip that activates when the card is placed close to the payment terminal. This removes any risk of shoulder surfing and helps keep your information safe and secure.
If the store doesn’t offer contactless payment methods, consider paying with cash instead.
What to Do If You Suspect Identity Theft
If you have reason to believe that your identity has been stolen, act quickly to protect yourself and take the following steps:
1. Report any suspected identity theft to your local police department and file a complaint with the Federal Trade Commission at IdentityTheft.gov.
2. If you believe any of your accounts were compromised, contact the financial institution immediately to have them closed and request a new account number.
3. Change all of your online account passwords and PINs associated with debit cards or other accounts that may have been affected by fraud or identity theft.
4. Notify relevant agencies. For instance, contact the IRS if you think someone has filed a fraudulent tax return using your information, as well as the Social Security Administration if you find an incorrect earnings record due to attempted identity theft.
5. Consider placing a security freeze on all of your credit files so that only those organizations you specifically authorize can access them.
Shoulder surfing is an issue that many of us don’t think about, but it can be a very real and dangerous form of identity theft. You could be vulnerable to this type of crime any time you access a computer, ATM, or other device in a public or crowded area.
Fortunately, there are steps you can take to protect yourself from shoulder surfing. Be aware of your surroundings, shield the devices you’re using with your body or a privacy screen, and use security measures like two-factor authentication and password managers.
In the event that you believe someone may have stolen your information through shoulder surfing, contact the relevant authorities and take steps to secure your accounts.
With these helpful tips, you can greatly reduce the risk of becoming a victim of shoulder surfing.