Shoulder surfing (computer security)
In computer security, shoulder surfing refers to using direct observation techniques, such as looking over someone's shoulder, to get information. It is commonly used to obtain passwords, PINs, security codes, and similar data.
Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:
- fill out a form
- enter their PIN at an automated teller machine or a POS terminal
- use a telephone card at a public payphone
- enter a password at a cybercafe, public and university libraries, or airport kiosks
- enter a code for a rented locker in a public place such as a swimming pool or airport
- enter a PIN or password on their smartphone
- public transport is a particular area of concern.
Shoulder surfing can also be done at a distance using binoculars or other vision-enhancing devices. Inexpensive, miniature closed-circuit television cameras can be concealed in ceilings, walls or fixtures to observe data entry. To prevent shoulder surfing, it is advised to shield paperwork or the keypad from view by using one's body or cupping one's hand.
Secure, the European Association for Visual Data Security, recommends that when you are in a situation with heightened risk, take steps to protect yourself by angling your screen away from the gazes of other people or using a special privacy screen shield to reduce the visibility of your screen. Secure also recommends that corporate IT security guidance includes directions on how to mitigate these threats. This could include the adoption of ISO/IEC 27001. You should also ensure that staff are properly educated to the risks involved with accessing information.
- 85% of those surveyed admitted to seeing sensitive information on screen that they were not authorised to see
- 82% admitted that it was possible information on their screens could have been viewed by unauthorised personnel
- 82% had little or no confidence that users in their organisation would protect their screen from being viewed by unauthorised people.
Some automated teller machines have a sophisticated display which discourages shoulder surfers from obtaining displayed information. It grows darker beyond a certain viewing angle, and the only way to tell what is displayed on the screen is to stand directly in front of it. Although this prevents an observer obtaining some information, e.g. account balance, it is generally not required to protect the PIN, because the PIN is typically not displayed during entry.
Certain models of credit card readers have the keypad recessed, and employ a rubber shield that surrounds a significant part of the opening towards the keypad. This makes shoulder-surfing significantly harder, as seeing the keypad is limited to a much more direct angle than previous models. ISO 9564, the international standard for PIN management, mandates such measures thus:
|“||The PIN entry device shall be designed or installed so that the customer can prevent others from observing the PIN value as it is being entered.||”|
POS terminals often available in shops, supermarkets, and fuel outlets are more difficult to use in a way that prevents shoulder surfing as they are often located in exposed view on counters. It is good practice to shield the keypad with one hand while entering digits with your other hand.
On laptops, one can use a special "privacy screen" to prevent others from seeing the screen.
- Shorter Oxford English Dictionary (6th ed.), Oxford University Press, 2007, ISBN 978-0-19-920687-2
- "Government Minister avoids the train over visual data security fears". January 2013.
- "Visual Data Security - Secure - European Association for Visual Data Security". Visualdatasecurity.eu. Retrieved 2014-04-10.
- "Visual Data Security White Paper" (PDF). European Visual Data Security. Retrieved 2014-04-10.
- ISO 9564-1:2002 Banking — Personal Identification Number (PIN) management and security — Part 1: Basic principles and requirements for online PIN handling in ATM and POS systems, clause 5.4 Packaging considerations
- Barney, Karen. "Information security: Who's looking over your shoulder?". Retrieved 2015-12-22.