Shoulder surfing remains a very real - yet often unacknowledged - cyber security threat, if recent events in the UK are anything to go by.
On Wednesday 22 May 2024, The Times published a story using information from a private memo written by cabinet minister Johnny Mercer. The information was obtained by the publication after a passenger on the same train as Mercer took a picture of his laptop screen.
Mercer’s memo included a series of accusations against Downing Street, senior cabinet ministers, and special advisors that he described as “over promoted and underskilled”.
The incident marked a perfect example of shoulder surfing, an age-old social engineering technique whereby malicious actors are able to glean credentials or other forms of sensitive information by simply glancing over a victim’s shoulder while they’re using a device.
This tactic has been around for decades, originally deployed by criminals in the 1980s to steal calling cards from public pay phones. In the modern era, widespread access to smaller camera and microphone modules means threat actors don’t even need to physically look over your shoulder anymore, giving them the ability to perform longer range shoulder surfing attacks.
Chris Ainsley, head of fraud risk management at Santander, recently warned customers that shoulder surfing is on the rise, particularly targeting mobile banking users on their phones.
Speaking to ITPro, Simon Newman, CEO at the Cyber Resilience Centre for London, said shoulder surfing is one of the simplest forms of social engineering, noting the proliferation of smart devices with capable camera modules has only made it easier for budding cyber criminals to steal your information.
“Shoulder surfing is one of the easiest ways for cyber-criminals to steal sensitive information. It’s astonishing how many people still use their laptops on public transport without thinking about who’s around them and what they can potentially see,” he explained.
“With the improvements of smartphone cameras over the past few years, it only takes a second to take a picture of the screen or record the person entering their log-in details and the cyber-criminal has all the information they need.”
Shoulder surfing could see a resurgence in the era of hybrid working
Lucy Finlay, director at ThinkCyber, told ITPro the rise of hybrid working has increased the amount of exposure business devices have in public spaces, making a spike in social engineering attacks like shoulder surfing an inevitability.
“With the uptick of co-working spaces, remote working, and digital nomadism, it’s basically inevitable that this sort of social engineering will be capitalized upon. It’s also worth being conscious of another facet of shoulder surfing- the use of your phones and other devices in public places.”
With the number of employees signing on in cafés or shared workspaces, experts expect shoulder surfing attacks to rise in the coming years, due to the attacks' dangerous combination of accessibility and efficacy.
Courtney Evans, security consultant at Prism Infosec, told ITPro the threat posed by shoulder surfing is a significant one, noting that it also keeps the attacker protected, without the risk of leaving incriminating evidence after more complicated hacks.
“Due to the attack’s simplicity, shoulder surfing is definitely becoming more pronounced. It’s a great deal easier to take a photo of a user’s device than it is to hack it, particularly with modern day cyber security measures,” she said.“Additionally, remaining undetected during a shoulder surfing attack is trivial in comparison to the digital footprint left from an attempted hack. ”
Evans added that the combination of shoulder surfing with AI tools to enhance social engineering attacks could pose a significant threat to individuals and enterprises alike.
“But what’s concerning is that we’re already seeing social engineering ramp up due to AI which is being used for cloning. It’s possible to capture voice, for instance, while a person is on their phone and combine that with the information captured from the laptop to carry out a vishing attack. It’s how these attacks could be strung together that promises to make it a growing threat.”
How to protect yourself from shoulder surfing
David Emm, principal security researcher at Kaspersky, told ITPro cyber hygiene needs to catch up to the growing threat posed by techniques like shoulder surfing.
“Anyone accessing secure resources on a device using a password in a public space is not far off writing this information on a sticky note - a practice that has always been frowned on by security professionals, (even though it still goes on)”, he explained
“Similarly, engaging in sensitive business conversations in public could pique someone’s interest, potentially leading them to focus on what’s being said that can be reused later. We’re used to seeing clear and well understood physical security warnings in public spaces: it is just as important to be aware and cautious about the digital implications of our actions when out and about.“
Individuals are advised to take precautions such as restricting working on sensitive material in public places, and if you need to, being aware of your surroundings to ensure there are no lines of sight directly to your work device.
Those who frequently find themselves having to work on sensitive material in public places should consider investing in a privacy display, a physical filter you can apply to your display to limit the display’s viewing angles.
Other precautions like multi-factor authentication (MFA) and using VPNs when connecting to public Wi-Fi networks should also be an integral part of any security strategy.
