Shoulder surfing: watch out for prying eyes

Most of us have a laid-back attitude to shoulder surfing, someone peeking over our shoulder. We assume we would notice anyone standing behind us with their eyes fixed on our screen. But scammers only need to get lucky once, and we give them plenty of opportunities during the working day.


Jake Moore, a cybersecurity specialist at ESET, recently described two cases in which he obtained, with their consent, the login details of friends' online accounts. His research highlights how exposed we are to experienced attackers, especially in places such as bars, cafes and restaurants.

Snapchat surfing

In his first experiment, Jake bet a friend that he could hack his Snapchat account, even though it was protected by two-factor authentication. Using the password reset feature, he entered his friend's phone number and chose to have a confirmation code sent by SMS. By glancing at the confirmation message as it popped up on his friend's phone screen, he was able to take full control of the account. A second SMS code, sent as a further confirmation, was ignored by the account holder but noticed and used by Jake.

Of course, an attacker may not know the victim's phone number, but they may be able to find it online, in previously breached data sets or through open sources of information, including social media. By calling the user and posing as an employee of the social media company, an attacker could in theory trick the user into handing over the SMS code they received.

Admittedly, this is not a typical case of attackers secretly looking over our shoulders to intercept data. But imagine an office or school environment, where colleagues or children who know the user's phone number may be sitting close by. That makes "password reset shoulder surfing" a significant risk.

Problems with PayPal

In a similar second experiment, Jake bet a friend that he could take over one of his online accounts. This time he went to the PayPal login page and requested a password reset. Knowing the user's email address, he entered it and chose the verification option of an SMS code sent to the phone. As in the example above, Jake was able to discreetly watch his friend's device as the code flashed up, and so gained access to his friend's PayPal account.

Once more, the attacker must know the victim's email address, whether through shoulder surfing, by finding an address exposed in an earlier breach on a dark web site, or by other means. They then need to be close enough to the user to read the confirmation code as it flashes up. Again, an office or school would be the ideal place. However, a shoulder surfer who focused on a target who works in public for long periods would probably get hold of the email address eventually.

What could shoulder surfing mean for you?

The point is that in many cases it is still very easy for malicious actors to clear the security bar, especially if they can get close to your laptop or phone. Too many of us allow notifications to flash up on our screens. We may have become so used to them that we ignore them. But the people looking over our shoulder do not.

It is particularly telling that the victim in the PayPal example above had worked in cybersecurity for more than 20 years. If he could be caught out this way, many others would be too.

Once a malicious actor has access to your account, they could:

  • Change the passwords and then blackmail the victim into paying to get their accounts back.
  • Try the same email address and password against other accounts (credential stuffing).
  • Steal personal information to use in identity fraud or phishing attempts.
  • Transfer money to their own accounts.
  • Distress and intimidate victims by posting inappropriate content from their accounts.

What can you do to prevent shoulder surfing?

The impact of such an account hijack can last for many months. Cybercriminals may steal personal information and may keep using the account in phishing attacks for months afterwards. Recovering lost money and restoring credit scores can take even longer.

With this in mind, here are some risk mitigation strategies:

  1. DO NOT reuse passwords across accounts; use a password manager to store unique, strong passwords. Enable multi-factor authentication (MFA), but choose an authenticator app (e.g. Google Authenticator, Microsoft Authenticator) rather than one-time codes sent by SMS. Check the account recovery options as well: in both experiments above it was the password reset flow, not the normal login, that delivered the code by SMS.
  2. ALWAYS BE ALERT when logging in to your accounts in public. This could mean not working on planes, trains, in airports, hotel lobbies and so on, or at least sitting with your back to a wall. Turn off notification previews on the lock screen, so that a code is not displayed before the device is unlocked.
  3. USE a privacy filter on laptops so that no one beside you can read your screen.
  4. NEVER leave a device unattended in a public place, and make sure it is locked with a strong password or PIN.

Shoulder surfing is still a largely underestimated threat. That does not mean it is more likely to happen to you than phishing. But the same rules apply.

Be vigilant. Be prepared. Security is a priority.

iGuRu.gr, The Best Technology Site in Greece


Written by newsbot
