Shoulder surfing is a form of data theft where criminals steal personal information by observing victims when they're using devices such as ATMs, computers, kiosks, or other electronics. The term refers to thieves' peering over the shoulders of targets, waiting for them to inadvertently reveal confidential information that can lead to theft, identity theft, or fraud.
The History of Shoulder Surfing
Shoulder surfing is a criminal specialty that began before the Internet and smartphones. Its originators became adept at spying on payphone users and transcribing credit card numbers as callers punched them into phone keypads.
The skill, which often involved interpreting subtle finger motions more than actually "reading" pressed keys, readily translated to lifting personal information numbers (PINs) at ATMs and self-serve gas pumps. More recently, shoulder surfing has evolved to include extraction of information as it is entered onto tablets and smartphone screens.
Shoulder Surfing Can Happen Anywhere, Anytime
Shoulder surfing can happen anywhere you transmit personal information in public. That includes locations such as payment kiosks, where keypad and touchscreen entries can be watched, but it can also occur virtually anyplace you use a smartphone or tablet to enter personal data.
Shoulder surfers are experts at stealthy observation on buses and trains, at cafés and restaurants, and in crowds and ticket lines. They also can be keen listeners, tuning in when someone speaks an account number or other personal information aloud into a phone or across a counter or bar.
Thanks to technology, shoulder surfing can happen anytime -- even when you are ostensibly alone. Some thieves even use binoculars to observe from a distance, and a growing number employ tiny, high-quality digital cameras to watch for them when they're not there. These devices can snap photos or stream video that's sharp enough to reveal what's on your phone screen as well as what you tap into a payment terminal.
Consequences of Shoulder Surfing
Anytime a thief obtains a piece of your personal information such as a password, PIN, account number or Social Security number, it puts you at risk of fraud, in the form of phony purchases or cash withdrawals from the affected accounts. Even worse, it can increase your vulnerability to identity theft, and the possibility that criminals will open new accounts or take out credit in your name.
The risk of identity theft is particularly strong when shoulder surfing is combined with other forms of information theft. For instance, if a shoulder surfer observes your PIN at an ATM that's rigged with a card swiper to capture your account number, they can quickly gain access to your account
Similarly, if a thief watches you and learns the passcode of your phone or tablet, then steals the device, they can gain access to passwords and other information stored on the phone, before you have time to wipe it remotely.
Simple Steps for Preventing Shoulder Surfing
You can take these steps to keep yourself safe from these sneaky thieves:
- Keep account numbers on file. If you use your phone for account transfers or to make payments on credit card accounts, register your phone number with your financial institution(s) so they recognize when you're calling. You will need to enter a PIN to conduct transactions (and you'll still need to protect it as you type it in), but you'll avoid having to key in a full account number, which could be much more valuable to a criminal than a PIN.
- Don't say it out loud. If you are asked to provide your Social Security number in public (at a medical appointment, auto dealership, etc.), do not say it out loud. Write it on a piece of paper and ask the recipient to either shred it when they're done (and watch them do it). If they can't destroy it on the spot, have them give the paper back to you so you can do so yourself. (Then, of course, make sure you do destroy it at your earliest opportunity.) Or ask to provide the information in a more private area. Sometimes you may not even really need to share your SSN, so make sure it's completely necessary as well.
- Consider using a password manager such as the free Dashlane tool, which can generate and save strong passwords for you, so you don't have to type them (or even remember them). If you don't have to enter them, shoulder surfers can't see you typing them.
- Protect PINs. The screens on many self-checkout kiosks remind us to cover up the keypad when tapping in a PIN, but an informal survey of local gas pumps suggests few take that advice to heart. Try to get in the habit of hiding the keypad with one hand while typing with the other. Change your PIN a few times a year or anytime you think you might have been watched while using it.
- Assume you are on camera. It's really not paranoid to think you could be on video any time you use a screen in public. Don't sweat it when you're playing Candy Crush, but cover up when you're entering passwords or account numbers.
- Look into contactless payment. Google Wallet, Apple Pay, and custom payment apps available through many credit cards let you pay at a growing number of checkouts without swiping a card or typing in a PIN. This practice limits opportunities for shoulder surfers to grab your data.
- Take general precautions to prevent identity theft. Efforts to prevent identity theft in all its forms can help you avoid providing criminals with data they can supplement via shoulder surfing. Don't make thieves' jobs easier for them.
- Tug on card readers before you insert your card, to make sure they're not skimmers. (If they come loose, they're bogus.)
- Avoid unsecured public Wi-Fi networks, where thieves can easily hijack personal data.
- If possible, use fingerprint readers or other biometrics to unlock your phone, to minimize the need to key in a passcode; set passcodes of 6 digits or more on your mobile devices (four-digit codes are easily breakable); and get in the habit of locking screens on your mobile devices whenever they're not in use.
- Make your data harder to access through two-factor authentication.
If you think you may have been a victim of shoulder surfing or other data theft, consider using an identity theft protection product to alert you in case of suspicious credit activity in your name.
Identity theft is not solely the domain of computer hackers. Lower-tech thieves are still practicing and refining the art of shoulder surfing, which makes it just as important to exercise caution "in the real world" as it is online. By staying aware and vigilant, you can keep your data safe and your identity secure.