Shoulder Surfing
A physical security attack where attackers observe users entering passwords, PINs, or other sensitive information by looking over their shoulder
Skill Paths: Physical Security, Social Engineering, Security Awareness, Incident Response
Job Paths: Physical Security Specialist, Security Awareness Trainer, Incident Responder, Security Analyst
Relevant Certifications: CompTIA Security+, CISSP, SANS SEC301, ASIS CPP
What is Shoulder Surfing?
Shoulder surfing is a physical security attack where attackers observe users entering passwords, PINs, credit card numbers, or other sensitive information by looking over their shoulder or using other observation techniques. This attack can occur in public spaces, workplaces, or any location where sensitive information is entered.
How Shoulder Surfing Works
Attack Methods
- Direct observation – Looking over the victim's shoulder
- Reflection techniques – Using mirrors or reflective surfaces
- Video recording – Recording with cameras or smartphones
- Binoculars or telescopes – Long-distance observation
- Hidden cameras – Covert surveillance devices
Common Locations
- ATMs and banks – PIN entry and banking activities
- Public computers – Internet cafes and libraries
- Workplaces – Office environments and cubicles
- Public transportation – Trains, buses, and airplanes
- Retail locations – Point-of-sale terminals
Types of Information Targeted
Authentication Credentials
- Passwords – Computer and online account passwords
- PINs – ATM, credit card, and phone PINs
- Security codes – Two-factor authentication codes
- Access codes – Building and system access codes
Personal Information
- Credit card numbers – Card details and CVV codes
- Social security numbers – Personal identification numbers
- Phone numbers – Contact information
- Addresses – Personal and business addresses
Detection and Prevention
Physical Security Measures
- Privacy screens – Anti-glare and privacy filters
- Positioning awareness – Be aware of surroundings
- Secure areas – Use private spaces for sensitive input
- Surveillance monitoring – Security cameras and monitoring
- Access controls – Restrict access to sensitive areas
User Education
- Security awareness training – Educate users about risks
- Best practices – Safe password entry techniques
- Situational awareness – Be mindful of surroundings
- Reporting procedures – Report suspicious activity
Technical Controls
- Multi-factor authentication – Additional verification layers
- Biometric authentication – Fingerprint, facial recognition
- Virtual keyboards – On-screen keyboard entry
- Session timeouts – Automatic logout features
- Encryption – Protect sensitive data
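Two of the technical controls above, virtual keyboards and session timeouts, can be shown in working code. The following is an added example written for this entry, not code from the original page or from any product: it goes a step beyond plain on-screen entry by shuffling the keypad layout for every entry, so an observer who records only which positions were pressed learns nothing reusable, and it pairs that with an idle-timeout session. The PIN, salt and timeout values are constructed for the demo; a real deployment stores only the salted verifier and never the PIN.

```python
import hashlib
import hmac
import random
import secrets
import time
from typing import List, Optional

# Constructed demo PIN and salt; only the derived verifier would be stored.
DEMO_PIN = "4921"
DEMO_SALT = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed salt


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Derive a PIN verifier with PBKDF2 so the stored value is not the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, 200_000)


DEMO_VERIFIER = hash_pin(DEMO_PIN, DEMO_SALT)


class ShuffledKeypad:
    """Virtual keypad whose digit positions are shuffled for every new entry.

    An observer who only sees which on-screen positions were pressed cannot
    recover the digits without also seeing the layout, and the layout changes
    on the next entry, so a single observation is not replayable.
    """

    def __init__(self, rng: Optional[random.Random] = None) -> None:
        # secrets.SystemRandom draws from the OS CSPRNG; a seeded Random is
        # accepted only so that tests can be made reproducible.
        rng = rng if rng is not None else secrets.SystemRandom()
        layout = list("0123456789")
        rng.shuffle(layout)
        self.layout = layout  # index = on-screen position, value = digit shown there

    def render(self) -> str:
        """Return the grid as the user would see it (three keys per row, one in the last)."""
        rows = [self.layout[i:i + 3] for i in range(0, 10, 3)]
        return "\n".join(" ".join(row) for row in rows)

    def digits_for(self, positions: List[int]) -> str:
        """Translate pressed positions back into the digits shown under them."""
        return "".join(self.layout[p] for p in positions)


def verify_entry(keypad: ShuffledKeypad, positions: List[int],
                 salt: bytes, verifier: bytes) -> bool:
    """Check a keypad entry against the stored verifier using a constant-time compare."""
    candidate = hash_pin(keypad.digits_for(positions), salt)
    return hmac.compare_digest(candidate, verifier)


class IdleSession:
    """Session that expires after a period without user activity (session timeout)."""

    def __init__(self, idle_timeout_s: float, now: Optional[float] = None) -> None:
        self.idle_timeout_s = idle_timeout_s
        self.last_activity = time.monotonic() if now is None else now

    def touch(self, now: Optional[float] = None) -> None:
        """Record user activity; the caller may pass an explicit clock value."""
        self.last_activity = time.monotonic() if now is None else now

    def is_expired(self, now: Optional[float] = None) -> bool:
        """True once the idle period has elapsed since the last activity."""
        now = time.monotonic() if now is None else now
        return now - self.last_activity >= self.idle_timeout_s


if __name__ == "__main__":
    pad = ShuffledKeypad()
    print("Keypad shown to the user this time:\n" + pad.render())
    # The legitimate user locates the digits of DEMO_PIN on the shuffled grid.
    pressed = [pad.layout.index(d) for d in DEMO_PIN]
    print("Positions pressed:", pressed)
    print("Accepted:", verify_entry(pad, pressed, DEMO_SALT, DEMO_VERIFIER))
    # Replaying the same positions against a fresh layout maps to different digits
    # unless the new shuffle happens to place the same digits at those positions.
    replay = ShuffledKeypad()
    print("Replayed positions accepted:",
          verify_entry(replay, pressed, DEMO_SALT, DEMO_VERIFIER))
    session = IdleSession(idle_timeout_s=30)
    print("Session expired right after login:", session.is_expired())
```

The keypad only removes the value of a recorded sequence of touch positions; it does nothing against an observer who can see the screen and the finger at the same time, which is why the page still lists privacy screens and positioning awareness alongside these controls.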
Response and Recovery
Immediate Actions
- Change compromised credentials – Update passwords and PINs
- Monitor accounts – Watch for unauthorized activity
- Report incidents – Notify security teams
- Document details – Record incident information
Investigation Steps
- Review surveillance footage – Check security cameras
- Interview witnesses – Gather additional information
- Assess impact – Determine scope of compromise
- Implement improvements – Enhance security measures
Best Practices
- Use privacy screens – Protect against visual observation
- Be aware of surroundings – Check for suspicious activity
- Use secure areas – Enter sensitive information privately
- Enable multi-factor authentication – Additional security layers
- Regular password changes – Update credentials regularly
- Report suspicious activity – Help prevent future attacks
Quick Facts
Severity Level: 6/10
Goal: Steal passwords, PINs, or other sensitive information
Method: Direct observation of user input
Prevention: Privacy screens, awareness, multi-factor authentication
Impact: Unauthorized access, identity theft, data breach