Concept

Shoulder surfing (computer security)

Summary
In computer security, shoulder surfing is a type of social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder. Unauthorized users watch the keystrokes entered on a device or listen to sensitive information being spoken, which is also known as eavesdropping. This attack can be performed either at close range (by directly looking over the victim's shoulder) or from a longer range with, for example, a pair of binoculars or similar hardware. Attackers do not need any technical skills to perform this method; keen observation of the victim's surroundings and typing pattern is sufficient.

In the early 1980s, shoulder surfing was practiced near public pay phones to steal calling card digits and make long-distance calls or sell them in the market for cheaper prices than the original purchaser paid. However, the advent of modern-day technologies like hidden cameras and secret microphones makes shoulder surfing easier and gives the attacker more scope to perform long-range shoulder surfing. A hidden camera allows the attacker to capture the whole login process and other confidential data of the victim, which ultimately could lead to financial loss or identity theft. Shoulder surfing is more likely to occur in crowded places because it is easier to observe the information without getting the victim's attention.

There are two types of shoulder-surfing attack: direct observation attacks, in which authentication information is obtained by a person who is directly monitoring the authentication sequence, and recording attacks, in which the authentication information is obtained by recording the authentication sequence for later analysis to open the device.

Apart from threats to password or PIN entry, shoulder surfing also occurs in daily situations to uncover private content on handheld mobile devices; shoulder surfing of visual content was found to leak sensitive information about the user and even private information about third parties.