Shoulder surfing (computer security)
|This article needs additional citations for verification. (June 2010)|
In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data.
Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
- fill out a form
- enter their PIN at an automated teller machine or a POS terminal
- use a telephone card at a public payphone
- enter a password at a cybercafe, public and university libraries, or airport kiosks
- enter a code for a rented locker in a public place such as a swimming pool or airport
- public transport is a particular area of concern
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view by using one's body or cupping one's hand.
Secure, the European Association for Visual Data Security, recommends that when you are in a situation with heightened risk, take steps to protect yourself by angling your screen away from the gazes of other people or using a screen shield to reduce the visibility of your screen. Secure also recommends that corporate IT security guidance includes directions on how to mitigate these threats. This could include the adoption of ISO/IEC 27001. You should also ensure that staff are properly educated to the risks involved with accessing information.
- 85% of those surveyed admitted to seeing sensitive information on screen that they were not authorised to see
- 82% admitted that it was possible information on their screens could have been viewed by unauthorised personnel
- 82% had little or no confidence that users in their organisation would protect their screen from being viewed by unauthorised people.
Newer[quantify] automated teller machines have a sophisticated display which discourages shoulder surfers from obtaining displayed information. It grows darker beyond a certain viewing angle, and the only way to tell what is displayed on the screen is to stand directly in front of it. Although this prevents an observer obtaining some information, e.g. account balance, it is generally not required to protect the PIN, because the PIN is typically not displayed during entry.
Certain models of credit card readers have the keypad recessed, and employ a rubber shield that surrounds a significant part of the opening towards the keypad. This makes shoulder-surfing significantly harder, as seeing the keypad is limited to a much more direct angle than previous models. ISO 9564, the international standard for PIN management, mandates such measures thus:
|“||The PIN entry device shall be designed or installed so that the customer can prevent others from observing the PIN value as it is being entered.||”|
Also some keypads alter the physical location of the keys after each keypress. For example the digit 1 may be the upper left on the first press, then moves to the bottom right for the second. Also, security cameras are not allowed to be placed directly above an ATM.[where?]
POS terminals often available in shops, supermarkets, and fuel outlets are more difficult to use in a way that prevents shoulder surfing as they are often located in exposed view on counters. It is good practice to shield the keypad with one hand while entering digits with your other hand.
- Shorter Oxford English Dictionary (6th ed.), Oxford University Press, 2007, ISBN 978-0-19-920687-2
- "Government Minister avoids the train over visual data security fears". January 2013.
- ISO 9564-1:2002 Banking — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems, clause 5.4 Packaging considerations