What Is Shoulder Surfing?
Shoulder surfing will yield lots of information
The best definition, in easy-to-understand language, comes from Computerhope.com.
"A term used to describe a person that looks over another person's shoulder as they enter data into a computer or other device. For example, someone might shoulder surf when you are entering your computer password, ATM pin, or credit card number. Criminals often use this technique to gain access to your personal accounts or read personal information, such as e-mails."
Not always, but most of the time, shoulder surfing happens when someone is being stalked. This is not your typical hacker or password thief.
These are people who hand-picked their target for whatever reason, but we can learn a lot from them to be able to change our routines.
Shoulder surfing can be done at a distance with binoculars, using a closed circuit TV (ceiling or wall, inside the ATM machine) or when someone is close enough to you to listen or observe.
They are looking:
- to see your PIN at the ATM,
- to view your bank account number at the forms desk or your password at the library or cybercafe, or
- to learn whether you'll give out your phone number while leaving a message with your cellphone.
Some people listen closely when you order a lottery number on the spur of the moment, saying "Oh, I forgot to play my husband's birthday!" Now they have those numbers to add to their arsenal of knowledge.
Urban Dictionary defines shoulder surfing: "To look over the shoulder(s) of a person with whom you are currently engaged in conversation to see if you can find someone 'better' to talk to."
But webopedia.com had a definition that was closer to what I was looking for to share with you:
"Shoulder surfing refers to a direct observation, such as looking over a person's shoulder, to obtain information. In some cases shoulder surfing is done for no reason other than to get an answer, but in other instances it may constitute a security breach as the person behind may be gleaning private information such as your PIN at a bank machine, or Credit card information as you enter it into a Web based shopping cart check-out. While shoulder surfing is most common in busy and crowded areas where the perpetrator is not as likely to be caught, shoulder surfing can also be done with the aid of binoculars or cameras from a more remote location."
But the best definition was the one I included above from Computerhope.com.
The devices in the photos are called "skimmers." These are devices that are used for the sole purpose of getting your PIN or password from a financial services machine.
These blocking devices are what a sophisticated shoulder surfer might graduate to using. They trap your ATM card and deny access to your money. The reinstatement process is exhausting, and it may take a very long time to reunite you with your money.
There will always be lurkers and eavesdroppers in the form of a real person. But we should always be alert for devices that will do the same thing. Sometimes you can't even see them on a machine because they blend in with the equipment so well. (see photos)
What you need to know about skimmers
Skimmers are rarely seen by a victim even though they are in plain view. Not too many people approaching their ATM begin to look for a skimmer as the first thing. They are usually looking to see if there is a waiting line, if the machine doesn't have an "out of order" sign on it and if the area around it looks safe enough to approach.
Skimmers almost always work in tandem with a camera, either in plain view or hidden out of sight. The camera captures you putting in your PIN or password and it gives added validity to the skimmer which actually does capture it in real time.
If a person were to lean into the camera's line of sight while entering their PIN or password, the camera would not have a clear view.
On-screen keyboards, which are found on certain cell phones, tablets and some ATM machines, are a shoulder surfer's dream. The screen retains the information for up to 30 seconds after a key is pressed, and it is available for recall to the screen.
Financial institutions now understand the dangers of passwords and PIN numbers being stolen by way of shoulder surfing, so some have taken measures to help protect the consumer.
PIN numbers and passwords are now obscured on the screen to help prevent spies from viewing the customer's information. However, it is not good enough.
Shoulder surfers can still see a victim's information on closed circuit replay, long distance cameras, and iPhones. In newer models, the numbers are hidden but the keys light up when pressed. It doesn't really help provide any measure of security.
Shoulder surfing is a problem of human nature, and companies will never be able to change human nature.
The best we can hope for is that they will continue to implement devices and safety features to help the consumer in their crusade to keep their personal information private.
Credit cards and phone bills
Certain models of credit card readers have a recessed keypad with a shield around the opening near the keypad. This shield makes shoulder surfing very difficult, because it skews the line of vision to the keypad and keeps the viewer from seeing it at a direct angle.
Shoulder Surfing Scam
In 2012, in Belgium, police posted warnings, geared especially to senior citizens, about crimes involving the information obtained from shoulder surfing crime reports. They said that there is almost always a two-person team at work when their "mark" (the victim) is at the ATM trying to do business with their bank card.
One thief distracts the victim by dropping a high denomination of money in plain view. The second culprit brings the victim's attention to the dropped money and engages him in conversation, taking his attention away from the ATM and his bank card.
The first thief sweeps in, takes the victim's ATM card and leaves the area. When the victim goes back to continue his transaction, he finds the machine in "pause" position and thinks the ATM card is stuck in the machine. The second culprit now offers his assistance. He suggests that the victim key in the PIN number again while he watches over his shoulder, committing the code to memory.
The thief tells the victim that the machine has eaten his card and that on Monday, he can get his card back from the bank. The victim agrees, assuming the card is stuck in the ATM, when in fact it is no longer in the machine because the first thief ran off with it.
Most of these scams take place on Fridays after the bank has closed, so the victim cannot make a physical report of the lost card (I guess they don't have a phone reporting system) and the two thieves have all weekend to empty out the bank account. The victim learns by Monday that the card was actually stolen, and that his bank account is at zero or near zero balance.
The Belgian report goes on to say that all the cameras at the banks show that it was the same two thieves each time. They have managed to hide their faces from the camera on every occasion, so police have not been able to identify them.
Take care at the ATM
Be aware of your surroundings and who is in your immediate area.
Don't get distracted while you are doing your bank business. If a distraction becomes too overwhelming, hit the STOP button and recover your card.
Never put your PIN in twice, especially if you are trying to recover a card that the machine has taken possession of. Note the date and time of the incident and report it to the HELP line of your bank. If possible, use your cellphone and do it while you are still at the ATM.
Always be suspicious of a Good Samaritan who offers to help you at an ATM, bank, public transportation kiosk, or any other area involving money exchange.
Cover your work the way you used to do in school so no one could copy your test answers.
If a computer screen is adjustable, turn it slightly away from the person next to you.
At the ATM, use both hands - one to cup over the keypad, one to key in your PIN. If they have the side shields, make sure no one is directly behind you - insist on breathing space.
If you must leave your phone number in a message for someone, cover your mouth and speak only loud enough to make your message known to the receiving party or else call back when you are in a safer environment.
Never use a cellphone in a public bathroom or while waiting in line at Walmart type stores.
If you use computer libraries or cybercafes, change your password (use a different computer) as soon as possible. If you feel your PIN has been copied by anyone, ask for a new PIN.
If you don't want other people to know about your business, do your best to protect it from their eyes.
Be aware of the littlest of eavesdroppers. Parents have been known to pick up their smallest children while standing in line and teach them to repeat the numbers pushed on the keypad.
- Don't be distracted while performing a bank transaction.
- Never re-key your personal secret code to retrieve the ATM card.
- Never approach the kiosk while speaking on your cellphone. You will not be able to be alert and aware of anything going on around you.
- If you lose your card, notify your financial institution immediately.
- Stay focused on your task; don't even answer your cellphone or have a conversation with anyone while waiting in line.
Trust your instincts. If an ATM machine doesn't look real, has parts you are not used to seeing on other ATM machines, or prompts you more than once for your PIN, abandon and report the machine to your HELP line.
Never use or transact any business around an ATM machine if there are people loitering and lingering around for no apparent reason. Busy areas will have high foot traffic, but watch for people, places or things out of place at the ATM machine. If you are in an isolated area, it is best to save your transaction for a better time.
Be aware of people watching people who are watching the ATM machine, or watching the line. If they are watching people, one might assume they are up to no good.
Be sure to read my hub "How Safe Are Your Passwords?"
Rachael O'Halloran. March 25, 2014.
© 2014 Rachael O'Halloran