Shoulder surfing (computer security)

In computer security, shoulder surfing is a social engineering technique used to obtain a user's authentication information without their permission.^[1] In a shoulder-surfing attack, observation may be conducted remotely or at close range by covertly looking over the target's shoulder. For example, a shoulder surfer may spy on a person entering their PIN in an ATM.^[1]

Overview

Shoulder surfing can be performed at close range (by directly looking over the target's shoulder) or at long range with equipment such as binoculars, hidden cameras, and hidden microphones.^[2] Shoulder surfing is more likely to occur in crowded places because it is easier to observe the information without attracting the victim's attention.^[3]

Shoulder-surfing attacks may be executed by direct observation or by recording. In direct observation attacks, information is obtained by directly monitoring the target interacting with the confidential data. In recording attacks, this information is recorded for later analysis.^[4]

For targets, shoulder surfing can lead to financial losses or identity theft.^[5]

Countermeasures

Graphical passwords

The primary benefit of graphical passwords compared to alphanumeric passwords is improved memorability. However, the potential detriment of this advantage is the increased risk of shoulder-surfing. Graphical passwords that use graphics or pictures or a combination of graphics and audio are likely subject to this increased risk, though the risk can be mitigated.^[6][7] Photo-based passwords have been criticized as easy to hack due to users choosing predictable authentication information.^[8]

Graphical passwords have been proposed as an anti–shoulder surfing mechanism.^[9][10] Proposed input schemes include the swipe scheme (perform a swipe gesture on an image), color scheme (select colored boxes), and scot scheme (both the swipe and color scheme).^[10]

PIN entry

PIN entry is vulnerable to shoulder surfing. To counteract risks of shoulder-surfing, PIN pads may have built-in privacy shields. On devices such as mobile phones with glossy screens, the user could leave smudges on the screen, revealing a PIN.^[11] PIN entry may be part of a multi-factor authentication process in some situations.

Some highly advanced attacks use thermal cameras to see the thermal signature of the PIN entered.^[12] Thermal attacks take advantage of heat fingerprints remaining on keys after the authenticating person is done entering the secret.^[13] To guard against attacks with thermal cameras, devices may have metal buttons,^[14] shielding, reflectivity, or internal heating.^[13] The transfer of heat through wiping with warm objects or hands is also found effective to counter thermal attacks.^[13]

Alternative PIN entry methods, such as the "cognitive trapdoor game", have also been proposed. In the cognitive trapdoor game, the user enters authentication information via participation in a game; "winning the game is well within the bounds of human's cognitive capacity if the correct PIN is known."^[15]

Biometrics

Smartphones and other devices may use biometrics, such as fingerprint scanning or facial recognition, which cannot be replicated by a shoulder surfer.

Eye tracking

With gaze-based password entry, the user enters the password via eye tracking. The approach can be used both with an on-screen keyboard for character-based passwords, and with graphical password schemes.^[16]

Virtual reality

A user could wear a virtual reality headset to mitigate the issues of shoulder surfing; however, gesture controls, buttons pressed, and voice commands could still be monitored.^[17]

See also

• Credit card fraud
• Eavesdropping
• Information diving
• Phishing