What is shoulder surfing and why is it my problem?

Apr 26, 2024

Shoulder surfing is looking over someone’s shoulder to gain information. 

It can happen on purpose, when you’re showing a coworker a video on your computer, or accidentally, when you are sitting in an arena full of people and everyone three rows behind you can see what you’re looking at.

In computer security, shoulder surfing is a social engineering technique that attackers use to steal private information.


How is shoulder surfing done? 

Someone can shoulder surf by positioning themselves behind you, either in a crowded environment or at a distance with a viewing device such as binoculars, or digitally by intercepting a signal such as public WiFi traffic.

Why is shoulder surfing my problem?

Shoulder surfing is a great way to unintentionally share personal information with those around you. Often, shoulder surfing is done out of boredom: the person surfing watches your device like a TV while riding the subway, or eavesdrops on a conversation. Other times it is on purpose, and the surfer tries to gain information about you, your business, or your contacts.

When am I most vulnerable to shoulder surfing? 

One of the most accessible places to shoulder surf is raised arena seating, such as at a football or hockey game. Each row gives a perfect view of the people below and their devices.

If you are in an area where others can see your screen, they can shoulder surf you. 

Some areas that come to mind are:

  • Arena seating, such as sports or theatre
  • Restaurants or coffee shops 
  • Elevators 
  • Subway, bus, sky-tram, etc. 
  • Hotel lobby 
  • The mall food court 
  • Public library

What are some other areas that you can think of? 

You are most vulnerable to shoulder surfing anywhere where someone can view your information.

I have to point out that although we focus on devices, shoulder surfing can include anything of yours: Post-it notes, pictures, papers on your desk, etc. These are all things that others can use to collect information on you.

What information can someone steal from me by shoulder surfing? 

Shoulder surfers can easily steal the following: 

  • Usernames
  • Passwords 
  • PINs
  • 2-factor/multi-factor authentication codes
  • Social Security Numbers 
  • Bank account numbers 
  • Confidential data such as emails and texts
  • Intelligence
    • Your habits and likes 
    • Your work
    • Your contacts 
    • The applications that you use

An attacker can then use this information in a future attack on you or your business. Shoulder surfing can be the first step toward a breach of your security.

How can I protect myself from shoulder surfing? 

The most significant way to protect yourself from shoulder surfing is to be highly aware of your surroundings and who can view your device. 

  • Don’t pay bills or access your banking in public locations. 
  • Use a password manager to assemble passphrases you don’t need to type in. 
  • Have confidential conversations with others out of earshot. 
  • Don’t read your credit card, debit number, or other sensitive information out loud in public. 
  • Don’t work on sensitive data, such as employee records or your business’s secret sauce, in public view. 
  • Cover your ATM PIN with your hand. 
  • Even though 2-factor authentication has its own issues and is susceptible to shoulder surfing, it adds another hoop for attackers to jump through. 
  • Use a screen protector that makes it hard for shoulder surfers to see your screen from an angle. 
  • Lock your devices when not in use. 
  • When entering data on your phone in a public space, sit against a wall. 
  • Take a moment to see if you are in full view of any security cameras. 

We could make this list extremely long; what would you add to this list?