Shoulder surfing (computer security)

From Wikipedia, the free encyclopedia

In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder.[1] The attack can be performed either at close range, by directly looking over the victim's shoulder, or at longer range, for example with a pair of binoculars.[2] Attackers need no technical skills to carry it out; keen observation of the victim's surroundings and typing pattern is sufficient. Crowded places are the most likely settings for an attacker to shoulder surf a victim. In the early 1980s, shoulder surfing was practised near public pay phones to steal calling card digits, which were then used to make long-distance calls or sold at a discount. The advent of modern technologies such as hidden cameras and concealed microphones has made shoulder surfing easier and has given attackers more scope to perform it at long range. A hidden camera allows the attacker to capture the whole login process and other confidential data of the victim, which can ultimately lead to financial loss or identity theft.[3]


Shoulder surfing is more likely to occur in crowded places, because it is easy to observe information there without attracting the victim's attention.[4] Situations in which an attacker can easily shoulder surf a victim include:[5]

  • filling out a form (a bank withdrawal, deposit or loan form);
  • entering a PIN at an automated teller machine or at a POS terminal;
  • using a telephone card at a public payphone;
  • entering a password at a cybercafe, a public or university library, or an airport kiosk;
  • entering the code for a rented locker in a public place such as a swimming pool or an airport;
  • entering a PIN or password on a smartphone.

A survey of IT professionals in a white paper[6] for Secure found that:

  • 85% of those surveyed admitted to seeing sensitive information on screen that they were not authorised to see
  • 82% admitted that it was possible information on their screens could have been viewed by unauthorised personnel
  • 82% had little or no confidence that users in their organisation would protect their screen from being viewed by unauthorised people.


A person concealing their PIN entry at an ATM

Some automated teller machines have a sophisticated display that discourages shoulder surfers from obtaining displayed information. It grows darker beyond a certain viewing angle, so the only way to tell what is displayed on the screen is to stand directly in front of it. Although this prevents an observer from obtaining some information, e.g. the account balance, it is generally not needed to protect the PIN, because the PIN is typically not displayed during entry.

Certain models of credit card readers have a recessed keypad and employ a rubber shield that surrounds a significant part of the opening towards the keypad. This makes shoulder surfing significantly harder, as the keypad can only be seen from a much more direct angle than on previous models. ISO 9564-1, the international standard for PIN management, describes such measures thus:[7]

POS terminals, often found in shops, supermarkets and filling stations, are more difficult to use in a way that prevents shoulder surfing, as they are usually located in exposed view on counters.[8]

Precautions to take while making transactions include the following:

  • Sit with your back against a wall, so that nobody can look at the system.[9]
  • Be aware of the environment, since there may also be video cameras.[10]
  • Use a privacy screen protector on the system, as bankers do, so that the screen is blanked out for everyone but the user.[11]
  • Cover the keypad with one hand while entering the PIN at an ATM.[12]
  • Stay aware of the surroundings.[13]
  • Avoid accessing personal accounts in public.[14]
  • In a crowded place, find a quiet spot to work.[15]
  • Never reveal passwords to anyone.[16]

Users at a public ATM can be alerted while shoulder surfing is taking place, so that they can decide whether the information they are entering in public is sensitive and should be hidden. A flashing border can be used to notify the user: when a person enters the area near the user, the border of the machine's display flashes. The alert can be colour-coded, for example red when the nearby person is looking towards the display and green when the person is still in the vicinity but not looking at it. Another approach is to render on the display a 3-D shadow of the person peeping at it.[17]
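The proximity-and-gaze alert described above can be expressed as a small decision function. The following is an added example, not code from the original article or from any ATM vendor; the display position, the 1.5 m proximity radius, the 30° gaze cone and the detector output format are all constructed assumptions.

```python
import math
from dataclasses import dataclass

# Constructed geometry: positions in metres on the floor plane, viewed from above.
DISPLAY_POS = (0.0, 0.0)   # hypothetical location of the ATM display
PROXIMITY_M = 1.5          # hypothetical radius that counts as "near the user"
GAZE_CONE_DEG = 30.0       # hypothetical half-angle within which a face counts as looking at the display


@dataclass
class Bystander:
    """One person reported by a hypothetical camera-based detector."""
    pos: tuple      # (x, y) position in metres
    facing: tuple   # direction the head is pointing (any length, not necessarily unit)


def distance(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def is_looking_at(display, person):
    """True if the display lies inside the person's gaze cone."""
    to_display = (display[0] - person.pos[0], display[1] - person.pos[1])
    d = math.hypot(*to_display)
    f = math.hypot(*person.facing)
    if d == 0 or f == 0:
        return False
    cos_angle = (to_display[0] * person.facing[0] + to_display[1] * person.facing[1]) / (d * f)
    cos_angle = max(-1.0, min(1.0, cos_angle))   # guard acos against rounding
    return math.degrees(math.acos(cos_angle)) <= GAZE_CONE_DEG


def border_alert(bystanders, display=DISPLAY_POS):
    """Colour the border should flash: 'red' if anyone nearby is looking at the
    display, 'green' if someone is nearby but not looking, None if nobody is near."""
    alert = None
    for person in bystanders:
        if distance(display, person.pos) > PROXIMITY_M:
            continue
        if is_looking_at(display, person):
            return "red"      # the most severe state wins
        alert = "green"
    return alert


if __name__ == "__main__":
    watcher = Bystander(pos=(1.0, 0.0), facing=(-1.0, 0.0))   # 1 m away, facing the display
    passerby = Bystander(pos=(1.0, 0.0), facing=(0.0, 1.0))   # 1 m away, looking sideways
    print(border_alert([]), border_alert([passerby]), border_alert([watcher, passerby]))
```

The red state takes precedence over green, so a single observer facing the screen is enough to trigger the strongest warning even when other bystanders are looking away.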

While making important financial transactions, keep well away from other people. These crimes are poorly recorded, as many victims do not report them to the police.[18] Do not reply to phishing e-mails or to pretexting phone calls; no bank or financial company will ask for sensitive information by phone or e-mail. Avoid mailing sensitive information; if financial documents must be sent, send them through a certified mailing service and keep proof that the financial institution has received all of them. If an account has already been compromised, immediately stop all transactions on that account.[19]

Being cautious at the ATM[edit]

While using an ATM, it is recommended to stand close to the machine while entering the details and, as mentioned above, to shield the keypad with one hand while entering the PIN, since a camera may have been fixed near the keypad to record what is typed. If the ATM is in a crowded place and someone appears to be watching, it is better to stop the transaction and leave. Never accept help from strangers, however well-mannered they seem, and do not allow yourself to be distracted. Criminals sometimes fit devices that record card details, which they later use to make fraudulent transactions; in such a situation, call the card issuer and report the problem while still near the ATM, so it is worth saving the bank's 24/7 customer service number. After a transaction, the first thing to do is to put the money and the card away. Do not simply throw ATM receipts in the trash: tear them up, or at least destroy the sensitive information on them.[20] Never write checks in a hurry, and avoid writing them at the peak of the shopping season. Using only one card for shopping is sometimes better: it helps in monitoring spending, and makes suspicious activity on the other accounts easier to notice.[21]


Gaze-based password entry[edit]

The basic procedure for gaze-based password entry is similar to normal password entry, except that instead of typing a key or touching the screen, the user looks at each desired character or trigger region in sequence (as in eye typing). The approach can therefore be used both with character-based passwords, via an on-screen keyboard, and with the graphical password schemes surveyed in [22]. A variety of considerations are important for ensuring usability and security. Eye tracking technology has come a long way since its origins in the early 1900s.[23] State-of-the-art eye trackers offer non-encumbering, remote video-based eye tracking with an accuracy of about 1° of visual angle. Eye trackers are a specialized application of computer vision: a camera monitors the user's eyes, and one or more infrared light sources illuminate the user's face and produce a glint, a reflection of the light source on the cornea. As the user looks in different directions the pupil moves, but the location of the glint on the cornea remains fixed. The relative motion and position of the centre of the pupil and the glint are used to estimate the gaze vector, which is then mapped to coordinates on the screen plane.
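The pupil-glint mapping and the dwell-based selection described above can be seen end to end in the following added example. It is not code from the original article or from any eye-tracking product: the 4×3 on-screen keypad, the 100-pixel trigger regions, the five-sample dwell threshold, the calibration samples and the gaze stream are all constructed, and the screen mapping is simplified to an independent linear fit per axis, which is an assumption rather than what a real tracker does.

```python
# Constructed on-screen keypad: 4 rows x 3 columns of 100-px square trigger regions.
KEYS = [["1", "2", "3"],
        ["4", "5", "6"],
        ["7", "8", "9"],
        ["*", "0", "#"]]
CELL_PX = 100
DWELL_SAMPLES = 5   # hypothetical dwell threshold: consecutive samples on one key to select it


def fit_axis(offsets, targets):
    """Least-squares line target = slope * offset + intercept for one screen axis."""
    n = len(offsets)
    mx = sum(offsets) / n
    my = sum(targets) / n
    var = sum((x - mx) ** 2 for x in offsets)
    cov = sum((x - mx) * (y - my) for x, y in zip(offsets, targets))
    slope = cov / var
    return slope, my - slope * mx


def calibrate(samples):
    """samples: list of ((pupil_x, pupil_y), (glint_x, glint_y), (screen_x, screen_y)).
    Returns a per-axis linear model from the pupil-glint vector to screen pixels
    (the glint is the fixed reference; only the pupil offset relative to it carries gaze)."""
    dx = [p[0] - g[0] for p, g, _ in samples]
    dy = [p[1] - g[1] for p, g, _ in samples]
    sx = [s[0] for _, _, s in samples]
    sy = [s[1] for _, _, s in samples]
    return fit_axis(dx, sx), fit_axis(dy, sy)


def gaze_to_screen(model, pupil, glint):
    """Map one (pupil, glint) observation to a point on the screen plane."""
    (ax, bx), (ay, by) = model
    return (ax * (pupil[0] - glint[0]) + bx, ay * (pupil[1] - glint[1]) + by)


def key_at(point):
    """Which trigger region contains the screen point, or None if off the keypad."""
    col = int(point[0] // CELL_PX)
    row = int(point[1] // CELL_PX)
    if 0 <= row < len(KEYS) and 0 <= col < len(KEYS[0]):
        return KEYS[row][col]
    return None


def dwell_select(model, gaze_samples):
    """Turn a stream of (pupil, glint) samples into entered characters. A key is
    entered once when the gaze has rested on it for DWELL_SAMPLES consecutive
    samples; shorter glances across other keys are ignored."""
    typed = []
    current, run = None, 0
    for pupil, glint in gaze_samples:
        key = key_at(gaze_to_screen(model, pupil, glint))
        if key == current:
            run += 1
        else:
            current, run = key, 1
        if run == DWELL_SAMPLES and key is not None:
            typed.append(key)
    return "".join(typed)


# Constructed calibration: the user fixates three known screen points, glint at the origin.
CALIBRATION = [((-0.1, -0.1), (0.0, 0.0), (50, 100)),
               ((0.0, 0.0), (0.0, 0.0), (150, 200)),
               ((0.1, 0.1), (0.0, 0.0), (250, 300))]

if __name__ == "__main__":
    model = calibrate(CALIBRATION)
    stream = [((-0.1, -0.05), (0.0, 0.0))] * 5      # rests on "4"
    stream += [((0.0, -0.05), (0.0, 0.0))] * 2      # brief glance across "5"
    stream += [((0.0, -0.15), (0.0, 0.0))] * 5      # rests on "2"
    print(dwell_select(model, stream))
```

Nothing in this flow touches the screen or keypad, which is what removes the hand movements a shoulder surfer normally reads; the residual risk is an observer or camera with a view of the user's eyes, so the dwell threshold and the layout of the trigger regions still matter.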

Painting album mechanism[edit]

The Painting Album Mechanism is an anti-shoulder-surfing mechanism with characteristics of both recall-based and recognition-based graphical techniques; it is therefore also a hybrid graphical password anti-shoulder-surfing mechanism. It was developed from the results of a survey of users' affinity of choice[24] and from observation of the way children behave while painting a picture. The survey results shaped the mechanism's architecture, while the observations led to its three input schemes, named the Swipe Scheme, the Color Scheme and the Scot Scheme. In the Painting Album Mechanism these three schemes are the methods for password creation. The input schemes differ from one another, and users choose the input scheme they prefer.

Input scheme    Input method
Swipe Scheme    Swipe the pictures.
Color Scheme    Touch the picture, then select the coloured boxes.
Scot Scheme     Swipe the picture while touching the pictures and picking the coloured boxes.

Text based graphical password schemes[edit]

To overcome the drawbacks of text-based authentication, researchers have developed a new password scheme that uses images or pictures as the password, known as a graphical password scheme; it is used as an alternative to the alphanumeric password. Current authentication methods are categorized into three main areas: token-based, biometric-based and knowledge-based authentication. In addition, a comparison of current graphical password techniques classified graphical password schemes into two categories, recognition-based and recall-based approaches. The results address questions such as "Is a graphical password as secure as a text-based password?" and "What are the major design and implementation issues for graphical passwords?" The study is useful for graphical password methods and seeks alternatives that overcome their susceptibility to shoulder surfing.[25]

Secret tap method[edit]

Because it is important to take measures against covert observation in order to prevent authentication information from being stolen, the Secret Tap method proposes a technique that does not expose the authentication information during entry, even if other individuals try to view the input process. The risk of covert observation is not restricted to direct observation by other individuals; camera recordings also pose a threat. The authentication process must therefore be made complex enough that the authentication information cannot be recovered even if cameras or other individuals observe the input process numerous times. There are two types of shoulder-surfing attack: direct observation attacks, in which the authentication information is obtained by a person who directly watches the authentication sequence, and recording attacks, in which the authentication information is obtained by recording the authentication sequence for later analysis.

The Secret Tap authentication method uses icons and a touch-panel liquid crystal display. Its goals and design policy are:

  • Covert observation resistance: maintain resistance at a level that prevents the authentication information from being revealed to other individuals, even if the authentication operation is performed numerous times.
  • Recording attack resistance: maintain resistance at a level that prevents the authentication information from being analysed by other individuals even if the authentication operation is fully recorded.
  • Brute-force attack resistance: maintain resistance at a level that prevents the authentication process from being broken more easily than by a brute-force attack on a four-digit PIN. This policy follows the standard set out in ISO 9564-1.[26]
  • Usability: maintain a level of usability that lets users perform the authentication operation with ease.

Comparison of risks between alphanumeric and graphical Passwords[edit]

The primary benefit of graphical passwords compared to alphanumeric passwords is improved memorability. The potential cost of this advantage, however, is an increased risk of shoulder surfing. Graphical passwords that use graphics or pictures,[27] such as PassFaces, Jiminy,[28] VIP and Passpoints,[29] or a combination of graphics and audio such as AVAP, are all likely to be subject to this increased risk unless it is somehow mitigated in the implementation. The results indicate that both alphanumeric and graphical password-based authentication mechanisms may have a significant vulnerability to shoulder surfing unless certain precautions are taken. Despite the common belief that non-dictionary passwords are the most secure type of password-based authentication, the results demonstrate that they are in fact the configuration most vulnerable to shoulder surfing.

PIN entry[edit]

A personal identification number (PIN) is used to authenticate oneself in various situations: withdrawing or depositing money at an automatic teller machine, or unlocking a phone, door, laptop or PDA. Although this method of authentication forms part of a two-step verification process in some situations, it is vulnerable to shoulder surfing: an attacker can obtain the PIN either by directly looking over the victim's shoulder or by recording the whole login process. Various shoulder-surfing-resistant PIN entry methods have therefore been proposed to make the authentication process secure.[30]

Cognitive trapdoor game[edit]

The cognitive trapdoor game involves three parties: a machine verifier, a human prover and a human observer. The human prover has to input the PIN by answering questions posed by the machine verifier, while the observer tries to learn the PIN by watching the interaction between the verifier and the prover. A token, delivered over an authentic channel, is assigned to the prover as a unique identifier with which to prove their identity. Because the prover authenticates by answering a series of questions, it is not easy for the observer to remember the whole login process unless they have a recording device. The cognitive trapdoor mechanism is therefore resistant to direct shoulder surfing, but not to recording shoulder surfing.[31]
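The resistance-to-direct-observation-but-not-to-recording property can be checked concretely with a small simulation of the game. The following is an added example, not code from the article or from Roth and Richter's paper: it assumes that each of the verifier's questions is a random black/white colouring of the ten digits to which the prover answers only with the colour of their digit, and the verifier keeps asking until one digit is consistent with all answers. The PIN, the random seed and the observer's memory limit are constructed values.

```python
import random

DIGITS = frozenset(range(10))


def colour_digits(rng):
    """Verifier's question: a random 5/5 colouring of the digits; returns the black set."""
    order = sorted(DIGITS)
    rng.shuffle(order)
    return frozenset(order[:5])


def prover_answer(secret_digit, black):
    """The prover reveals only which colour group holds the digit, never the digit itself."""
    return "black" if secret_digit in black else "white"


def consistent_digits(rounds):
    """Digits consistent with a list of (black_set, answer) rounds; the verifier
    and any observer both reason this way, each from the rounds they know."""
    cands = set(DIGITS)
    for black, answer in rounds:
        cands &= black if answer == "black" else (DIGITS - black)
    return cands


def enter_digit(secret_digit, rng):
    """Keep asking until exactly one digit remains consistent with the answers."""
    rounds = []
    while len(consistent_digits(rounds)) > 1:
        black = colour_digits(rng)
        rounds.append((black, prover_answer(secret_digit, black)))
    return rounds


def enter_pin(pin, rng):
    return [enter_digit(int(ch), rng) for ch in pin]


def verifier_decides(transcript):
    """The verifier saw every round, so each digit's candidate set is a singleton."""
    return "".join(str(next(iter(consistent_digits(rounds)))) for rounds in transcript)


def observer_view(transcript, remembered_rounds=None):
    """Candidate digits for an observer who recalls only the last k rounds of each
    digit (direct observation, k >= 1) or every round (a recording, k=None)."""
    out = []
    for rounds in transcript:
        seen = rounds if remembered_rounds is None else rounds[-remembered_rounds:]
        out.append(consistent_digits(seen))
    return out


if __name__ == "__main__":
    rng = random.Random(2024)                  # constructed seed for a repeatable run
    transcript = enter_pin("1234", rng)        # constructed PIN
    print("verifier:", verifier_decides(transcript))
    print("observer, last round only:", [sorted(c) for c in observer_view(transcript, 1)])
    print("observer with recording:", [sorted(c) for c in observer_view(transcript)])
```

With only the last round in memory each digit still has five candidates, which is what makes the scheme resistant to a human watching; an observer holding a full recording runs exactly the verifier's reasoning and recovers the PIN, which is the recording weakness the text describes.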

References[edit]


  1. ^ Shoulder surfing - definition of shoulder surfing in ... (n.d.). Retrieved October 21, 2016, from
  2. ^ Kee, J. (2008, April 28). SANS Institute InfoSec Reading Room. Retrieved October 24, 2016, from
  3. ^ Long, J., & Mitnick, K. D. (2008). Shoulder surfing. In No tech hacking: A guide to social engineering, dumpster diving, and shoulder surfing (pp. 27-60). Burlington, MA: Syngress.
  4. ^ Goucher, W. (2011). Look behind you: The dangers of shoulder surfing. Computer Fraud & Security, 2011(11), 17-20. doi:10.1016/s1361-3723(11)70116-6
  5. ^ Luo, X., Brody, R., Seazzu, A., & Burd, S. (2011). Social Engineering [Abstract]. Information Resources Management Journal, 24(3), 1-8. doi:10.4018/irmj.2011070101
  6. ^ "Visual Data Security White Paper" (PDF). European Visual Data Security. Retrieved 2016-11-11. 
  7. ^ ISO 9564-1:2011 Financial services — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for PINs in card-based systems, Annex B.3 Privacy during PIN entry
  8. ^ Barney, Karen. "Information security: Who's looking over your shoulder?". Retrieved 2015-12-22. 
  9. ^ A Survey on Shoulder Surfing Resistant Text Based Graphical Password Schemes. (2015). IJSR International Journal of Science and Research (IJSR), 4(11), 2418-2422. doi:10.21275/v4i11.nov151759
  10. ^ Wiese, O., & Roth, V. (2015). Pitfalls of Shoulder Surfing Studies. Proceedings 2015 Workshop on Usable Security. doi:10.14722/usec.2015.23004
  11. ^ Manu Kumar, Tal Garfinkel, Dan Boneh, Terry Winograd, 2007, 'Reducing shoulder-surfing by using gaze-based password entry', Proceedings of the 3rd symposium on Usable privacy and security, ACM.
  12. ^ P. Shi, B. Zhu, and A. Youssef. A new PIN entry scheme against recording-based shoulder-surfing. In Proc. of 3rd International Conference on Emerging Security Information, Systems and Technologies (SECURWARE 2009), Athens/Vouliagmeni, Greece, June 2009. IEEE Computer Society.
  13. ^ Zhi Li, Qibin Sun, Yong Lian, and D. D. Giusto, 2005, 'An Association-Based Graphical Password Design Resistant to Shoulder-Surfing Attack', IEEE International Conference on Multimedia and Expo (ICME).
  14. ^ Peipei Shi, Bo Zhu and Amr Youssef. Concordia Institute for Information Systems Engineering. “A Rotary PIN Entry Scheme Resilient to Shoulder-Surfing.”. Internet Technology and Secured Transactions, 2009. ICITST 2009.
  15. ^ Hinds, Cheryl and Chinedu Ekwueme, 2007, 'Increasing security and usability of computer systems with graphical passwords', Proceedings of the 45th annual southeast regional conference, ACM.
  16. ^ H. Tao and C. Adams. 2008. Pass-Go: A Proposal to Improve the Usability of Graphical Passwords. Int’l Journal of Network Security, 7, 2008, 273-292
  17. ^ Goucher, W. (2011). Look behind you: The dangers of shoulder surfing. Computer Fraud & Security, 2011(11), 17-20. doi:10.1016/s1361-3723(11)70116-6
  18. ^ Authored by Jose Rivera, LegalMatch Legal Writer. (n.d.). Shoulder Surfing Thefts. Retrieved November 21, 2016, from
  19. ^ Drake, E. (2007). 50 plus one tips to preventing identity theft. Chicago: Encouragement Press.
  20. ^ Shoulder Surfing. (n.d.). Retrieved from
  21. ^ Committing Shoulder Surfing Identity Theft? (n.d.). Retrieved December 12, 2016, from
  22. ^ Suo, X. and Y. Zhu. Graphical Passwords: A Survey. In Proceedings of Annual Computer Security Applications Conference. Tucson, Arizona, USA, 2005.
  23. ^ Jacob, R. J. K. and K. S. Karn, Eye Tracking in Human-Computer Interaction and Usability Research: Ready to Deliver the Promises, in The Mind's Eye: Cognitive and Applied Aspects of Eye Movement Research, J. Hyona, R. Radach, and H. Deubel, Editors. Elsevier Science: Amsterdam. pp. 573-605, 2003.
  24. ^ L. K. Seng, N. Ithnin and H. K. Mammi, “User’s Affinity of Choice: Features of Mobile Device Graphical Password Scheme’s Anti-Shoulder Surfing Mechanism”, International Journal of Computer Science Issues, vol. 2, no. 8, (2011)
  25. ^ Henessey, C., B. Noureddin, and P. Lawrence. A Single Camera Eye-Gaze Tracking System with Free Head Motion. In Proceedings of ETRA: Eye Tracking Research and Applications Symposium. San Diego, California, USA: ACM Press. pp. 87-94, 2006.
  26. ^ Suo, X. and Y. Zhu. Graphical Passwords: A Survey. In Proceedings of Annual Computer Security Applications Conference. Tucson, Arizona, USA, 2005.
  27. ^ R. C. Thomas, A. Karahasanovic, and G. E. Kennedy, "An Investigation into Keystroke Latency Metrics as an Indicator of Programming Performance," presented at Australasian Computing Education Conference 2005, Newcastle, Australia 2005.
  28. ^ L. K. Seng, N. Ithnin and H. K. Mammi, “User’s Affinity of Choice: Features of Mobile Device Graphical Password Scheme’s Anti-Shoulder Surfing Mechanism”, International Journal of Computer Science Issues, vol. 2, no. 8, (2011)
  29. ^ R. C. Thomas, A. Karahasanovic, and G. E. Kennedy, "An Investigation into Keystroke Latency Metrics as an Indicator of Programming Performance," presented at Australasian Computing Education Conference 2005, Newcastle, Australia 2005.
  30. ^ Lee, M. (2014, April). Security Notions and Advanced Method for Human Shoulder-Surfing Resistant PIN-Entry. IEEE Transactions on Information Forensics and Security, 9(4), 695-708. doi:10.1109/tifs.2014.2307671
  31. ^ Roth, V., & Richter, K. (2006). How to fend off shoulder surfing. Journal of Banking & Finance, 30(6), 1727-1751. doi:10.1016/j.jbankfin.2005.09.010