Shoulder surfing: Watch out for eagle-eyed snoopers peeking at your phone
Some fraudsters may use low-tech tactics to steal your sensitive information – peering over your shoulder as you enter that information is one of them.
We live in an age of pervasive connectivity. But our always-on, mobile-centric lives also expose us to risk. For many people, it is the prospect of phishing, remotely deployed malware and other online risks that pose the greatest threat to their personal and professional data. But criminal activity is about more than bits and bytes. Sometimes the old ways like shoulder surfing or even dumpster diving offer the best ROI, and there are plenty of opportunistic fraudsters about to give it a go.
Shoulder surfing has been around far longer than smartphones and highly portable laptops. Just ask anyone who has had their credit card PIN or their phonecard digits stolen by unscrupulous passers-by. But today there are far more opportunities to cash in.
Our hurried, multi-device lifestyles are a magnet for shoulder surfers. But just a few small behavioral changes could be enough to keep you safe.
A cautionary tale (or two)
Most of us dismiss shoulder surfing. We think we’d be able to spot someone lurking behind us with their eyes glued to our screen. But the bad guys only need to get lucky once. And we give them plenty of opportunities through the working day, especially now that society is opening up again.
ESET’s Jake Moore recently revealed two occasions where he managed to obtain the log-in details of friends’ online accounts, with their prior agreement. His research highlights well just how exposed many of us are to savvy attackers, especially in informal settings like bars, cafes and restaurants.
1. Snapchat surfing
In his first experiment, Jake bet a friend he could hijack her Snapchat account, even one protected by two-factor authentication. Using the password reset function, he entered her phone number and selected the option to be messaged a confirmation code. By simply shoulder surfing the confirmation message when it popped up on her homescreen, he was able to take complete control of the account. Even a second SMS code sent as confirmation was ignored by the account holder but observed and entered by Jake.
Now, an attacker might not normally know their victim’s phone number, but they may be able to find it online from previously breached data troves or leveraging open-source intelligence, including on social media. By calling up the user and pretending to be an employee at said social media company, an attacker could theoretically trick the user into handing over their SMS code.
Of course, that’s not strictly speaking shoulder surfing. But imagine an office or education setting where colleagues or kids may be in the proximity of users whose phone numbers they do know. That makes the “password-reset shoulder surf” a more genuine risk.
2. PayPal problems
In a similar second experiment, Jake bet a friend he could hijack one of his online accounts. This time he went to the PayPal log-in page to request a password reset. Knowing the user’s email, he typed this in and selected the security check option of an SMS code sent to his phone. In a similar way to the above example, Jake was able to covertly snoop on his mate’s device as the code flashed up. Thus, he had entry to the friend’s entire PayPal account.
Once again, an attacker here needs to get hold of a victim’s email, be it by shoulder surfing them, by finding a previously breached one on a dark website or through other means. Then they would need to get in close proximity to the user to spot that confirmation code as it flashed up. Again, an office or school would be the perfect place. However, if a shoulder surfer had their eyes on a target working in a public place for long enough, the chances are they would spot their email address eventually.
What could shoulder surfing mean for you?
The argument here is that the security bar is in many cases still too easy for malicious actors to jump – especially if they have eyes on your laptop or device. Too many of us allow notifications to flash up on our screens. We might have grown so desensitized that we ignore them. But those looking over our shoulder don’t.
It’s particularly pertinent that the victim in the PayPal example above was a cybersecurity veteran of 20-plus years. If he can get scammed like this, many others could, and once a bad actor has access to your account they could:
Change the log-ins and then extort you so they can regain access
Use brute force techniques to try the same email/log-ins for access to other accounts
Steal your personal information for use in identity fraud attempts or follow-on phishing
Access and divert funds to their own accounts
Troll and bully you by posting inappropriate content from their account
What can you do to prevent shoulder surfing?
The impact of such an account hijack can last many months. If bad actors have managed to steal funds and personal info, you may suffer a barrage of phishing attempts over the succeeding months. Recovering lost funds and resetting credit scores can take even longer. With that, here are a few mitigation strategies:
Never reuse passwords across accounts, and use a password manager to store unique, strong credentials. Switch on multi-factor authentication (MFA). But choose an authentication app (e.g., Google Authenticator, Microsoft Authenticator) rather than an SMS code option.
Always be alert when logging-in to your accounts in public. That could mean stop working altogether in crowded airplanes, trains, airports, hotel lobbies and the like. Or at least, work with your back to a wall.
Use a privacy screen on laptops to ensure anyone trying to spy on your screen from an angle can’t do so.
Switch off on-screen notifications for messages, emails and alerts to stop the kind of attack Jake demonstrated above. If one does come in, and it wasn’t you, investigate immediately.
It goes without saying, but never leave any devices unattended in a public space. And ensure they are locked with a strong passcode.
Shoulder surfing is still a largely underestimated threat. That doesn’t mean it’s more likely to happen to you than a phishing attack. But the same rules apply. Be alert. Be prepared. And practice safety-first.