What is Shoulder Surfing? Tips to Prevent Shoulder Surfing Password Attacks

Shoulder Surfing

There are many different ways of stealing a password. You might think that all of them require technical knowledge or, at the very least, a computer that's connected to the Internet. That's not strictly true. With one technique, all you need to steal some pretty important information is a keen eye and a victim who isn't paying attention.

Shoulder surfing, as you might have guessed already, is the name of this technique, and it comes from the fact that in its most basic form, it involves literally peering over the victim's shoulder in order to obtain a password or another piece of sensitive data. There are other variations of the attack. Determined miscreants can steal passwords and other data from a significant distance as well, with the help of binoculars or expensive filming equipment, for example. In an especially James Bond-ish variant, the bad guys even make use of eye-tracking technology to guess what your password is by examining which buttons on the on-screen keyboard you look at.

But how likely are you to be hit by a shoulder surfing attack exactly?

Every single person has their own threat model, and this threat model is made up of many different factors such as the person's job, their financial status, and whether or not there are other people who want to harm them. The likelihood of being targeted by a shoulder surfing attack is largely dependent on your threat model. Let's see some examples.

You may have heard of a certain Edward Snowden, a computer specialist who used to work for the NSA. Several years ago, he blew the proverbial whistle and embarrassed a few governments, which is why he currently resides in Russia. Many people in black suits would like to bring him back to the USA, and they wouldn't mind having all his passwords as well. In other words, Mr. Snowden is very likely to be targeted by shoulder surfing attacks, which is why we can imagine that he doesn't use public transport a lot. And when he was interviewed for a documentary called Citizenfour, he covered his head and laptop with a blanket when he entered his password, ensuring that nobody would see what he was typing or looking at.

At the other end of the scale, you have Muriel – a 69-year-old pensioner who has an old computer she hasn't turned on in a while and a feature phone on a prepaid plan. It's fair to say that she's the last person the government would set up surveillance on, and even shoulder surfers looking for random victims won't be that interested in her.

In all probability, your threat model sits somewhere in the middle between Edward Snowden and Muriel. Being an active internet user and having a PIN-protected bank card means that criminals can profit from your sensitive data, but at the same time, you are unlikely to be the target of a large-scale operation carried out by people who refer to their colleagues by codenames. This means that while you probably don't need a blanket every time you fire up your laptop, being wary of the danger is a good call.

What can you do to protect yourself from shoulder surfing attacks?

For a successful shoulder surfing attack, you need a small space with a lot of people crammed into it. Commuter trains and buses are obvious choices, and so is a queue at an ATM, but it can be basically any public place. It's sometimes easier said than done, but you should be aware of your surroundings when there are many eyeballs around you.

Avoid entering your credit card details and filling out checkout pages when you're in a public place, even if that means missing out on some tasty discounts. And if you absolutely must log in to your Facebook account while you're on the train, take the time to look around and ensure that your fellow commuters aren't overly curious. Using a strong password also helps because even if they see it, the crooks will have a hard time remembering it, and since most password managers enter passwords automatically, the attack will stop pretty much dead in its tracks if you use one.

It should be more common sense than wisdom, but when you're at the ATM, cover your PIN while you're entering it and try not to forget your card at the machine. In other words, be a bit more vigilant. After all, it's your money that's on the line.

Shoulder surfing isn't the most widespread attack, especially when it comes to targeting regular users. The rewards you get from compromising random commuters on the train could be negligible, and at the same time, the risks of getting caught are not insignificant. With so many people having their smartphones seemingly glued to their hands, however, pulling off a successful attack doesn't seem too hard. That's why, regardless of whether you're on your way to work or at an airport terminal, you need to keep your wits about you.

October 2, 2018