Cybersecurity is constantly evolving every day, and so are the external hackers and cyber criminals with new techniques, tactics, and procedures. They break into systems and steal confidential information illegally. In any Cyber-attack, the weakest link is always the humans, and in this article, we will delve into an interesting topic ‘Shoulder Surfing.’ The dangerous thing about this technique is how easy it is to execute this attack and steal information without much effort. So let us get to it.
What is Shoulder Surfing?
A shoulder Surfing Attack is a social engineering technique where an attacker simply looks over someone’s shoulder to get confidential information. It could be as simple as when a person is entering their PIN in an ATM or when a person is entering the username and password to their social media account/Internet Banking etc. A shoulder surfer could just be a person or sometimes it could be sophisticated video cameras, binoculars, CCTV, and Spy cameras to spy over the victim and steal their confidential information. If we look at the phases of hacking, Social Engineering is one of them. Social engineering is the art of exploiting humans to steal confidential information. Social engineering attacks can be grouped into three types:
- Human-based
- Mobile-based
- Computer-based
Shoulder surfing attack falls under the first type, human-based exploitation.
When and Where does Shoulder Surfing Happen?
Shoulder surfing can happen any time in a public space but mostly, it happens in an ATM, Super Market payment kiosks, gas stations, or any place you use a laptop, phone, or any other electronic gadget to input personal or confidential information. One cannot feel safe just because there is no one behind you with no shoulder surfing signs around because cyber criminals today utilize highly sophisticated binoculars and miniature cameras and many a time illegally hack into CCTV cameras placed in public places, supermarkets, ATM kiosks, and steal information.
They even utilize a powerful parabolic microphone to eavesdrop on people reciting or talking about confidential information. From this, we get to know shoulder surfing ranges from as simple as a person snooping over your shoulder to steal information to cyber criminals using modern sophisticated technology to steal sensitive and confidential information., and steal information. They even utilize a powerful parabolic microphone to eavesdrop on people reciting or talking about confidential information. From this, we get to know shoulder surfing ranges from as simple as a person snooping over your shoulder to steal information to cyber criminals using modern sophisticated technology to steal sensitive and confidential information.
Why is Shoulder Surfing Used?
“No cost,” “no required skills,” “no tracking possible” and “no use of tools” are some of the usual reasons of using shoulder surfing by attacker.
Apart from all the illegal benefits, shoulder surfing is also done ethically to evaluate a corporate organization’s security posture usually during a Red Team engagement. Shoulder surfing attacks in cybersecurity are carried out by Security professionals or Ethical Hackers who have some of the best Ethical Hacking Certifications obtained using some of the best online Security courses available. Usually, these are external consultants hired to evaluate an organization's security posture.
These consultants usually are disguised as plumbers, facility staff, or IT support staff and engage in many Social Engineering attacks where one of the first ones including a Shoulder surfing attack. This engagement involving shoulder surfing in cyber security is done with all the required permissions and the NDA signed and it is done within the legal boundaries for evaluation and sometimes even to comply with many of the Corporate Compliance and Regulations requirements.
This gives us a fair idea of the uses of shoulder surfing on the positive side, on how it is used to evaluate the security posture and cybersecurity awareness of its employees. Well, as mentioned in this article, shoulder surfing is used to gain illegal access to systems, accounts etc., as well as to execute identity theft and steal confidential data.
It is replicated exactly in the same way a hacker or hacking group does it in a controlled manner to evaluate the security controls in place to protect the data of an organization. The certifications mentioned here will teach you exactly that, to execute techniques and attacks in a controlled manner to evaluate the existing defensive controls and how to improve them.
What Are the Risks of Shoulder Surfing Attack?
The gravity of the risks of shoulder surfing varies depending on the level of confidentiality of the information at stake. Well, the sure shot risk is loss of confidentiality. To get an understanding, the risk could be losing access to a social media account, bank account, credit card, professional email account, professional laptop access compromised, etc. Most of the time, when an APT group engages in hacking activity, they usually target an organization where it could be political, government, or any private sector. There are many instances where the target is never the Software Company but a customer of that company. Therefore, it can be concluded that the risk varies depending on the motive of the attack.
There are many instances where the target is never the Software Company but a customer of that company. Therefore, it can be concluded that the risk varies depending on the motive of the attack.
How Does Shoulder Surfing Attack Work?
It is a quite simple technique and not much effort is needed, the attacker must just position himself on the victim’s phone/laptop/POS screen visible while entering confidential information. In many cases, the attacker just stands behind the victim and snoops over his/her shoulder.
In a more sophisticated attack, the usage of Binoculars to spy from a distance or the usage of recording devices such as a camera or a parabolic microphone that can record voices over a long distance. The access to new-age tech has also opened more possibilities for using drones and UAVs to spy and record information.
What are the Consequences of Shoulder Surfing?
One of the major consequences of a shoulder surfing attack is Identity theft. For example, if an attacker sees your phone’s PIN and gets hold of it, they can access email accounts, payment applications, Chat applications, and all the social media accounts. From here it is easy to get the OTP from either the email account or the SMS and take ownership of all the accounts.
The next dangerous consequence is they can sell your data on Dark Web, it could be credit card details, social security numbers, PAN card details, or even Aadhaar card details. Using this information, one can commit a crime under your name. One of the simple things is that one can register a phone number in your name using any of this information. Once identity is compromised, it is a huge hassle to reclaim it and it is an extremely slow process.
How to Prevent Shoulder Surfing Attacks?
As mentioned, there are so many reasons to be worried about shoulder surfing. Here are some steps for shoulder surfing prevention and protection against shoulder surfing attacks.
1. Enable 2-factor authentication
Always enable 2-factor authentication, like an OTP, approval on your mobile device, or usage of Microsoft/Google authenticator apps.
2. Get Physical Obstacle/Shield
While entering a password or an ATM PIN, try to hide it with your body so it is not visible to the person standing behind you. If an OTP, or credit card details must be communicated over the phone, make sure you move away to a place where nobody can listen to the conversations.
3. Never login to shared devices
Never login to any of your accounts using public computers like in airports, train stations, libraries or it could be a display device in an electronic gadget store. Confidential information can be stolen.
4. Never use public Wi-Fi
It is advised not to use public unprotected Wi-Fi networks to log in to any personal accounts like social media, banks, and shopping sites. The traffic can always be monitored especially when the Wi-Fi connection uses the weakest protocol WEP.
5. Privacy shield
Use privacy filters/shields on laptops and smartphones where the display on the screens can be seen in only one direction.
6. Stop using the same passwords
Many of them use the same password for multiple accounts. Doing so can risk other accounts being compromised as well. Always try to use a different password for different accounts.
7. Use alternative methods
Wherever it is possible utilize biometric authentications like a fingerprint and face recognition to log in to laptops, smartphones, and applications.
8. Use password managers
Using password manager applications, one does not have to create a password, the password manager creates a lengthy random string and stores it. When a password is required, one does not have to type any password as the password manager logs in for you. one does not have to create a password, the password manager creates a random lengthy string and stores it. When a password is required, one does not have to type any password as the password manager logs in for you.
Examples of Shoulder Surfing Attacks
- In a crowded train or bus where the device screen is visible to others, and phone conversations are audible easily. Many a time, this is the most common place where shoulder surfing is exploited.
- Spending money at a POS in a supermarket while the person right behind can take note of the PIN entered.
- The most common risk is when people connect to unsecured Wi-Fi networks in airports, hotels, etc, to exchange confidential information.
- The use of drones and CCTV can also be a major threat for enabling a shoulder surfing attack, this is precisely why we have no-fly zones in many areas which hold confidential information such as military bases, secret financial institutions, government offices, and historical heritage sites.
- While using your mobile phone to pay bills or enter an OTP in public places. Most commonly when people recite their credit card number while typing it.
- Shoulder surfing is also done by insider attackers.
Unlock Your Potential with ITIL 4 Master Certification. Elevate Your Career in IT Service Management and Embrace Success. Enroll Today!
Conclusion
This article discusses Shoulder Surfing and its effects as well as its preventive measures. Shoulder surfing is one of the easiest and most useful techniques used in Social Engineering to steal confidential information. Social Engineering is part of the hacking process regardless of whether it is ethical or not. One can join an ethical hacking online training program to excel in this field and enhance knowledge and growth in their career. KnowledgeHut’s Best Ethical Hacking Certification program provides an interactive and hands-on learning environment.
