James O'Sullivan, CEO and Founder at Nuke From Orbit, discusses why personal phones need protecting from fraudsters who shoulder surf, and how doing so helps prevent data theft and the further attacks that follow it.
Smartphones have become our constant companions, holding the keys to our personal and professional lives. While these pocket-sized powerhouses offer unparalleled convenience, they have inadvertently exposed us to a subtle, yet increasingly pervasive threat – shoulder surfing. Once associated with ATMs, this seemingly innocuous act of peering over someone's shoulder to glean sensitive information, such as passwords, PINs, or confidential messages, is a tactic that criminals are learning to exploit with increasing effectiveness.
Recent data highlights the escalating threat of shoulder surfing, particularly in the UK. A 27% surge in mobile phone thefts in the 12 months leading up to August 2023 has created fertile ground for opportunistic shoulder surfers. Busy public spaces like train stations, airports, cafes, and even public transportation are prime locations for these attacks, where a momentary lapse in vigilance can have devastating consequences.
As biometric access has proliferated, the number of times we type the PIN on our phones has fallen dramatically. However, after a string of failed face or fingerprint scans, devices fall back to the PIN and require it before face or finger access is re-enabled. Typically this happens when the device has been ‘activated’ by accident in a pocket or a bag, so the user is not expecting to enter the PIN the next time they pick up the phone. Because typing the PIN has become less habitual, the user is not thinking about who can see it and is unlikely to mind their surroundings.
Although this happens infrequently for each individual, it becomes a numbers game for criminals operating in busy environments like bars, pubs, or the street. Criminals do not care which PIN they see, only that they see any PIN.
Shoulder surfers have honed their craft, employing diverse techniques to achieve their goals. Some rely on simple observation, discreetly watching victims enter passwords or PINs. Others use hidden cameras, reflective surfaces, or specialised apps to record screens, capturing sensitive information without the victim's knowledge. Social engineering tactics, such as posing as a helpful stranger or an authority figure, are also used to manipulate victims into divulging confidential data, often by engineering a situation in which the victim has to enter their PIN in front of the attacker.
The rise of contactless payments and biometric authentication has added convenience but has not deterred shoulder surfers. A fleeting glance at someone entering their PIN can be enough for a skilled shoulder surfer to capture it, and once they have the PIN, all that remains is to steal that specific device.
Criminals can afford to spend this much time on a single target because the payoff is far higher than it used to be. Payments made from phone wallets can run well into the thousands of pounds, and there are often several cards to choose from. With the PIN and the unlocked device in hand, a criminal can:
Impersonate the victim convincingly to friends, family, and co-workers over email, messaging, and other communication apps, and use that credibility to ask the victim's contacts to send money on some pretext.
View personal details across various apps. These details are usually hidden from the public, but acting as the victim, on the victim's own device, the criminal can build an accurate file of personal information, valuable for later identity theft and/or sale to third parties.
Attempt to access other financial apps, such as banking or crypto, which are often protected by the same or a similar PIN to the one that unlocks the device. Other protections fall with the phone too: two-factor codes sent by SMS or generated by an authenticator app arrive on the stolen device, and stored passwords autofill on it.
Reconfigure the device to accept a different fingerprint or face, giving the criminal ongoing biometric access to private data and financial apps and, therefore, the ability to authorise payments.
Protecting yourself and your data from shoulder surfing requires a multi-faceted approach, encompassing individual vigilance and organisational measures.
Maintain situational awareness. Be aware of your surroundings in public spaces, particularly when entering sensitive information on your mobile device.
Shield your screen. Physically shield your screen when entering your PINs, exactly like you would at an ATM. Consider using privacy screen protectors that limit viewing angles.
Be wary of unsolicited help. Exercise caution when accepting help from strangers, especially when it involves your mobile device.
Employee education. Conduct comprehensive security awareness training programs to educate employees about the risks of shoulder surfing and other social engineering tactics.
Privacy screens and physical security. Invest in privacy screens for company-issued devices and implement physical security measures, such as security cameras and restricted access areas, to deter shoulder surfing attempts.
Advanced authentication. Deploy multi-factor authentication (MFA) or risk-based authentication (RBA) for sensitive actions. Choose the factors carefully: a one-time code sent to, or generated on, the same phone adds nothing once that phone is unlocked in a thief's hand, so step-up challenges for high-value actions should rely on a separate registered device or a hardware security key.
Security monitoring and incident response. Implement monitoring that can flag the patterns a stolen, unlocked phone produces (a burst of high-value wallet payments, payments to new payees, a changed biometric enrolment, or activity shortly after a device is reported stolen) and an incident response procedure that can revoke a stolen device's sessions and credentials quickly.
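A worked example of the risk-based authentication policy described above, added here as an illustration and not code from the article or from Nuke From Orbit. The event fields, thresholds, decision labels and factor names are assumptions chosen for the example. The policy encodes the attack the article describes: the adversary has watched the device PIN, taken the phone, and may have enrolled their own fingerprint, so any step-up challenge must use a factor that is not on that phone.

```python
"""Risk-based authentication (RBA) for a mobile wallet payment.

Added illustration, not code from the article or from Nuke From Orbit.
Field names, thresholds and decision labels are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

HIGH_VALUE_GBP = 250.0                    # assumed threshold for "high value"
RECENT_ENROLMENT = timedelta(hours=24)    # assumed window after a biometric change

ALLOW = "allow"
STEP_UP = "step_up_out_of_band"           # challenge on a factor that is off the device
DENY = "deny"

# Factors that survive theft of the unlocked phone versus factors that do not.
OUT_OF_BAND_FACTORS = {"second_registered_device", "hardware_security_key"}
ON_DEVICE_FACTORS = {"sms_otp", "authenticator_app_on_device", "device_pin"}


@dataclass
class PaymentEvent:
    amount_gbp: float
    new_payee: bool
    unlock_method: str                          # "biometric" or "pin"
    last_biometric_change: Optional[datetime]   # when a face/finger was last enrolled
    device_reported_stolen: bool
    now: datetime


def assess(event: PaymentEvent) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for one payment attempt."""
    if event.device_reported_stolen:
        return DENY, ["device reported stolen"]

    high_value = event.amount_gbp >= HIGH_VALUE_GBP
    recent_enrolment = (
        event.last_biometric_change is not None
        and event.now - event.last_biometric_change < RECENT_ENROLMENT
    )
    reasons: List[str] = []

    # A freshly enrolled fingerprint/face plus unusual spending matches the
    # "enrol your own fingerprint" step a thief takes on a stolen phone.
    if recent_enrolment and (event.new_payee or high_value):
        reasons.append("biometric enrolment changed recently")
    # A PIN fallback unlock is exactly what a shoulder surfer has captured.
    if event.unlock_method == "pin" and high_value:
        reasons.append("high-value payment after PIN (not biometric) unlock")
    if event.new_payee and high_value:
        reasons.append("high-value payment to a new payee")

    return (STEP_UP, reasons) if reasons else (ALLOW, reasons)


def acceptable_step_up_factor(factor: str) -> bool:
    """True only for factors the thief cannot satisfy with the stolen phone."""
    return factor in OUT_OF_BAND_FACTORS and factor not in ON_DEVICE_FACTORS


def sample_events() -> Dict[str, PaymentEvent]:
    """Constructed sample events (not real data) for exercising the policy."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return {
        "coffee": PaymentEvent(3.50, False, "biometric", None, False, now),
        "known_payee_large": PaymentEvent(900.0, False, "biometric", None, False, now),
        "raid": PaymentEvent(900.0, True, "pin", now - timedelta(hours=1), False, now),
        "stolen": PaymentEvent(20.0, False, "biometric", None, True, now),
    }


if __name__ == "__main__":
    for name, event in sample_events().items():
        print(name, assess(event))
    for factor in ("sms_otp", "hardware_security_key"):
        print(factor, "acceptable step-up:", acceptable_step_up_factor(factor))
```

The "raid" event trips all three rules at once, which is the shape of the attack the article describes: PIN-only unlock, a newly enrolled fingerprint, and a large payment to someone the victim has never paid. The decision is deliberately a step-up on an out-of-band factor rather than an outright deny, so a legitimate user who has just set up a new phone is inconvenienced rather than locked out, while a thief holding only the phone cannot complete the challenge.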
The threat of shoulder surfing is a stark reminder that convenience and security often exist in a delicate balance. As our reliance on mobile devices grows, so does the need for heightened vigilance and proactive security measures. By understanding the tactics of shoulder surfers and taking steps to protect ourselves, we can minimise the risk of falling victim to this insidious threat. It is a collective responsibility that requires the collaboration of individuals, businesses, and the tech industry to foster a safer mobile landscape.
By remaining vigilant and prioritising security, we can collectively create a future where shoulder surfing becomes a relic of the past and our mobile devices truly serve as tools of empowerment, not vulnerability.
James O'Sullivan has a proven track record of founding, building, and scaling multiple SaaS businesses across various industries. He founded Kobas in 2009, a comprehensive hospitality management platform installed in hundreds of pubs, bars, restaurants, and quick-service locations across the UK. Kobas manages close to GBP 500 million of trade annually. James's entry into the FinTech and cybersecurity sectors was driven by personal experience. He founded Nuke From Orbit, a fintech and security platform designed to mitigate the impact of security breaches. Nuke From Orbit enables users to immediately shut down access to all personal data, preventing identity theft and safeguarding banking, cryptocurrency, health, social media accounts, and personally identifiable information (PII) from cyber criminals.
Founded in 2023, Nuke From Orbit is a UK-based company developing a service that allows subscribers to block access to multiple services and accounts simultaneously, avoiding account compromise issues and monetary loss when their smartphone gets stolen. For more information and to see how the service works, visit https://nuke.app.