In computer security, there are many risks and many forms that those risks can take.

Shoulder surfing is a form of social engineering.

It refers to a class of attack where an attacker gains information by looking at the victim's equipment.

This historically involved physically looking over their shoulder but also encompasses techniques involving hidden cameras and the like.

Some payment terminals also include a built-in privacy cover over the PIN pad.

Some ATMs also remind users to check over their shoulders.

They may also feature a small mirror to let you check over your shoulder.

Note: The ATM mirror is often tiny and somewhat foggy.

It's good enough to let you check over your shoulder.

It's also not good enough to allow a well-placed attacker to see your PIN.

These countermeasures have led to more advanced techniques in the real world.

Many criminal enterprises have utilized hidden cameras to spy on the PIN pad.

Other Situations

Of course, shoulder surfing can also be a risk in other scenarios.

Any system with a short secret, especially one entered on a numbered PIN pad, is open to this risk.

This is similar to, if a more extreme variant of, the thermal imaging concept.

The scenario of an attacker observing a password being entered is particularly interesting in computer security.

While you may not willingly tell people a password, there are other ways to get it.

Phishing is a relatively well-known and often underappreciated risk.

Shoulder surfing is also another risk.

This risk especially applies in public settings where you have no control over the people around you.

An attacker can also do the same if you're using a laptop.

It's easier, as the keys are more prominent and easier to distinguish, if you quickly bang out your password.

Other Content

Often the biggest target of shoulder surfers is something small of high value.

An opportunistic attack tends to be the observation of something sensitive but not necessarily something useful to the attacker.

For example, some businesspeople work on public transport.

Someone sitting nearby may be able to see their screen and gather information.

In this case, the attacker may not even be an actual attacker.

They may be curious but have no intention of doing anything with what they learn.

This concept also applies to sensitive personal content, especially photographic or video.

Again, someone else may look at your screen.

Even if they don't share it further, that may still be an unwanted intrusion.

This may not necessarily provide the attacker direct access like a password would.

Like the previous example, other sensitive information can also be valuable to the attacker.

Conclusion

Shoulder surfing is a class of social engineering attack.

It involves an attacker gleaning information by looking at the victim's actions or screen.

Shoulder surfing primarily covers attempts to identify passwords or PINs.