The nosy neighbor has been a stock character in TV shows for about as long as there have been TV shows. On the screen they’re usually played for laughs, though most of us learn pretty quickly that they’re less amusing in real life.
That’s especially true when those nosy neighbors are criminals. You’ll often find them near ATMs, or casually taking up a table near the cash register at your favorite coffee shop. Despite appearances, they’re not absorbed in their phone or book. They’re shoulder surfing: watching and eavesdropping for any sensitive personal information you might incautiously reveal. It’s a lot lower-tech than hacking, but surprisingly widespread and disturbingly effective. Here’s what you need to know about it.
Is Shoulder Surfing Really a Thing?
You may find it hard to take shoulder surfing seriously. Online hackers and data breaches are threatening because they’re something you have little control over; but it’s relatively easy to notice when someone in the real, physical world is encroaching into your space. If you’re at the ATM and somebody is looming behind you, it’s not rocket science to cancel your transaction and go inside the branch instead.
The reality is that a lot of shoulder surfing takes place in crowded places like cafes, bars, shopping centers and public transit, where a lot of people are already in your space. In these spaces, we tend to lose our wariness, simply because having people around is familiar and expected. In one academic study — focused on casual shoulder surfing, not the criminal/malicious variety — only 7 percent of respondents reported that they’d been caught in the act.
More alarmingly, although they weren’t deliberately prying, respondents still managed to observe a lot of sensitive information: emails and messages, PINs, passwords, and the finger-swipe patterns many people use to unlock their phones. If bored strangers can pick up that kind of information without even trying, it’s not hard to imagine how much a determined criminal could glean.
What Shoulder Surfing Looks Like in Reality
Real-world shoulder surfing, then, isn’t usually a question of someone visibly looming over you. It’s the bored-looking person absorbed in a phone, several feet away. It’s one random person in the press of bodies around you on the bus or in the subway, the person behind you in the checkout line, or maybe even physically behind you in a different checkout line.
Anyone who can see your screen, or follow the movement of your fingers on a PIN pad, is potentially a shoulder surfer. So is anyone within earshot, if you’re on the phone with someone and happen to blurt out any usable information. It doesn’t take much thought to know you shouldn’t be speaking your SSN, driver’s license or credit card number over the phone, though you may find yourself doing it unthinkingly. An eavesdropping scammer might also overhear you giving the answer to a security question, such as your mother’s maiden name, which is a less obvious but still meaningful threat.
In short, anything you do in public that involves a PIN, a screen, or speaking something out loud is vulnerable to old-fashioned, low-tech shoulder surfing (“in public” includes your workspace, unless you’re really sure you know and can vouch for everyone else who shares the space).
Technology-Assisted Shoulder Surfing
This isn’t to say that shoulder surfers don’t make use of technology when it suits them. The most obvious example is the cell phone camera, which — thanks to some astonishing advances in technology — can easily capture good-quality close-ups of your screen and hands from across a room. Shoulder surfers don’t actually need to see your fingers press the buttons; the keypad layout is already known, so the motion of your hand is enough to reconstruct the PIN. One engineer even demonstrated that a thermal-imaging camera, which senses the infrared heat your fingertips leave on the keys, can tell which buttons you pressed and in which order.
Tiny microphones, cameras and recording devices are available from “spy stores” and any number of online vendors, and shoulder surfers can use those to extend their reach. A spy cam anywhere near the keypad of an ATM or debit machine could yield a rich harvest of PINs, for example. Finally, really serious shoulder surfers take advantage of poorly secured public wi-fi, or your own device’s Bluetooth capability, to eavesdrop electronically. Apple’s AirDrop feature has a well-known weakness that can leak users’ personal information to nearby devices as well. Scammers then combine data from those digital sources with their own analog snoopery.
In the most extreme examples, criminals might even install a card skimmer or a fake keypad on top of the real card reader and keypad. When you unwittingly use the machine, these record the data from your card and your keypresses, and the criminals use that information to create and use illicit duplicate cards, to the detriment of your bank balance and credit limit.
Protecting Yourself from Shoulder Surfing
So if everyone in sight is a potential shoulder surfer, how can you protect yourself? You can start with some simple, commonsense precautions.
- If you’re using the PIN pad of an ATM or debit machine, shield it from view while you punch in your PIN.
- Better yet, use a tap-enabled card (or a phone-based payment app) so you don’t need a PIN at all.
- Avoid logging into sensitive sites or apps (bank apps, credit card companies, etc.) in public places if at all possible.
- If you absolutely need to log into a sensitive site, sit or stand where it’s difficult for anyone to see your screen (and where it would be obvious if they tried). A corner, or a spot with your back to a wall, is best, but be mindful of windows or reflective surfaces behind you: a reflection is just as good as a direct line of sight.
- Don’t use public wi-fi to log into any sensitive site; sacrifice a bit of your plan’s data instead.
- If you’re in a public place, avoid making calls that will require you to give sensitive information verbally. When it’s unavoidable, seek out a private spot — like a stairwell — where listeners couldn’t follow you without it being obvious.
- Set the Bluetooth on your device to be “non-discoverable” unless you’re actually pairing it with an accessory (and try not to do that in a public setting).
- Before using an ATM or other card reader, check for signs that a card skimmer has been installed, or that there’s a camera in the immediate vicinity. You’ll find lots of instructive articles and videos to tell you how, with just a quick internet search.
These are all things you can do easily, that require no special equipment and no advance notice; they’re just good habits you can consciously develop. In the meantime, while you’re developing those good habits, there are some more advanced steps you can take to protect yourself — and improve your overall digital security — as well.
Improving Your Overall Security Practices
If you’re willing to put a bit of effort into upgrading your overall approach to security, there are many other things you can do — some easy, some requiring a bit of tech know-how — to protect yourself. As a bonus, these will give you some protection against other threats as well, not just shoulder surfing.
- Use a password manager to store passwords for your sites and apps. Instead of typing in a password, you’ll simply have the manager fill it in (or copy and paste it), which gives snoops no keystrokes to watch. As a bonus, this makes it easier to use strong passwords and to have a different one for every site, so if an attacker does steal a password, only one site or app is compromised.
- If you’re tech-savvy, or if you frequently need to use random wi-fi hotspots for work, consider using a VPN to shield your data. A VPN sets up an encrypted tunnel through the public network, so your traffic is protected from public wi-fi’s many vulnerabilities (you’ll still need to be wary of anybody watching you enter keystrokes).
- Set up your apps and services to use biometric login credentials rather than a PIN or password. This could be the fingerprint reader on your phone or computer, or facial recognition using a computer’s webcam or phone’s selfie camera. A PIN is relatively easy to steal, but your face is not.
- Set up multi-factor authentication (MFA), also sometimes known as two-factor authentication. It simply means that anyone signing into your account needs to provide a second proof of identity. Most sites will text a one-time code to your phone, but SMS codes are not as secure as you’d think. You can use your device’s biometric sensors for this too, or a hardware security key that must be physically tapped or inserted into your device.
- Buy privacy screens for your devices. They’re inexpensive films that press onto your screen, and change the viewing angle so only the person who’s right in front of the screen can see it. To everyone else, it looks dark and blank (like the lenses of sunglasses).
Taking these extra steps requires a modest commitment in time, effort and money, but it can give you a lot of extra security in your online life.
The Rest of the Picture
Having taken all the steps you can to protect your information and identity, from shoulder surfers and scammers in general, there’s one further thing you need to do. That, simply, is to remain vigilant for signs that someone has still managed to wrangle some of your personal information for misuse.
Start by educating yourself about some of the tell-tale signs that your identity has been compromised, like inexplicable variations in your credit score or suspicious charges showing up on your bank and credit card statements. Those are always red flags. Keeping up to date on the latest scams by periodically reading the Better Business Bureau’s Scam Tracker or the FTC’s consumer scams page is also a good idea. If you really want to be proactive, the Dark Web monitoring that comes as part of a Spokeo Protect membership will tell you whether your key personal information has been offered for sale in the internet’s criminal underworld.
There are few guarantees in life, and it’s likely not possible to protect yourself completely. That being said, most criminals are looking for the easy mark, and the proverbial low-hanging fruit (if they wanted to work hard they’d have real jobs, right?). If you follow the steps given here, you can venture online — and to the coffee shop — confidently, knowing you’ve removed yourself from the “easy mark” category.
Sources
- CHI Conference on Human Factors in Computing Systems, 2017: Understanding Shoulder Surfing in the Wild: Stories From Users and Observers; Malin Eiband, et al.
- Business Tech Weekly: What is Shoulder Surfing?
- Consumer Affairs: Thermal-Imaging Devices can Steal Your PINs and Passcodes
- Northwest Community Credit Union: How to Spot an ATM Skimmer
- Lexington Law: How Shoulder Surfing Threatens Your Security
- Unify Financial Credit Union: Bluejacking, Bluesnarfing and Bluebugging…Oh My!
- Ars Technica: Apple’s AirDrop Leaks Users’ PII, and There’s Not Much They can Do About It
- Yubico: Protect Your Digital World With YubiKey
- Better Business Bureau: Scam Tracker
- US Federal Trade Commission: Avoiding and Reporting Scams