Most of us have a laid-back attitude when it comes to shoulder surfing, someone peeking over our shoulder. We think we would spot anyone lurking behind us with their eyes fixed on our screen. But scammers only need to be lucky once, and we give them many opportunities during the working day.
Jake Moore, a cybersecurity specialist at ESET, recently revealed two cases in which, with their consent, he managed to obtain the login details of his friends' online accounts. His research highlights how exposed we are to experienced attackers, especially in environments such as bars, cafes and restaurants.
Snapchat surfing
In his first experiment, Jake bet a friend that he could hack his Snapchat account, even though it was protected by two-factor authentication. Using the password reset feature, he entered his friend's phone number and selected the option to send a confirmation code by text message. By peeking at the confirmation message when it appeared on the home screen of his friend's phone, he was able to take full control of the account. Even a second SMS code sent as confirmation was ignored by the account holder but noticed and used by Jake.
Of course, an attacker may not know their victim's phone number, but they may be able to find it online in previously breached data or through open sources of information, including social media. By calling the user and pretending to be an employee of the social media company, an attacker could in theory trick the user into handing over the SMS code they received.
Of course, this is not a representative case of attackers secretly intercepting data by looking over our shoulder. But imagine an office or school environment where colleagues or children who know the user's phone number may be sitting close by. This makes "password reset shoulder surfing" a significant risk.
Problems with PayPal
In a similar second experiment, Jake bet a friend that he could steal one of his online accounts. This time he went to the PayPal login page and requested a password reset. Knowing the user's email address, he entered it and chose the security check option of an SMS code sent to the user's phone. As in the example above, Jake was able to discreetly watch his friend's device as the code flashed up, and so gained access to his friend's PayPal account.
Once more, the attacker must know the victim's email address, whether through shoulder surfing, by finding an address that was previously compromised and posted on a dark web site, or by other means. They would then need to be close enough to the user to see the confirmation code as it flashes up. Again, an office or school would be an ideal place. However, if a shoulder surfer focused on a target who has been working in public for a long time, chances are they would eventually find the email address.
What could shoulder surfing mean to you?
The argument here is that in many cases it is still very easy for malicious actors to clear the security bar, especially if they can get close to your laptop or device. Too many of us allow notifications to flash up on our screens. We may have become so used to them that we ignore them. But those looking over our shoulder do not.
It is particularly telling that the victim in the PayPal example above had worked in cybersecurity for more than 20 years. If he could be deceived in this way, many others would fall for the same.
Once a malicious actor has access to your account, they could:
- Change the passwords and then blackmail victims in exchange for giving them access to their accounts again.
- Use brute force techniques to try the same email/login combinations against other accounts.
- Steal your personal information to use in identity fraud or phishing attempts.
- Transfer money to their own accounts.
- Distress and intimidate victims by posting inappropriate content from their accounts.
What can you do to prevent shoulder surfing?
The impact of such an account hijack can last for many months. Cybercriminals may steal money and personal information, and may use the account in phishing attacks for many months. Recovering lost money and restoring credit scores can take even longer.
With this in mind, here are some risk mitigation strategies:
- DO NOT use the same passwords on different accounts; use a password manager to store unique, strong passwords. Enable multi-factor authentication (MFA), but choose an authenticator application (e.g. Google Authenticator, Microsoft Authenticator) rather than a one-time code sent via SMS.
- ALWAYS BE ALERT WHEN LOGGING IN TO YOUR ACCOUNTS IN PUBLIC. This could mean you have to stop working on planes, trains, in airports, hotel lobbies, etc. Or at least work with your back to the wall.
- USE A PRIVACY FILTER on laptops so that no one can spy on your screen.
- NEVER leave any device unattended in a public place, and make sure they are locked with strong passwords.
Shoulder surfing is still a largely underestimated threat. That doesn't mean it's more likely to happen to you than a phishing attack. But the same rules apply.
Be vigilant. Be prepared. Security is a priority.