Protect Against Shoulder Surfing

Look Out For Shoulder Surfing When Entering Sensitive Data.

Unlike most articles on this blog, which deal with manipulating and exploiting companies, this one is written from a defensive standpoint: you, as the social engineer, having the knowledge and skill set to protect yourself against a very clever tactic used by many SE'ers, known as "shoulder surfing". Whereas traditional attack vectors predominantly happen remotely, such as obtaining a victim's full name and date of birth over the phone by posing as a customer service agent from their credit card provider, shoulder surfing is performed in person, in a physical environment, targeting either someone the attacker knows or anyone at random. So what exactly is it, and how does it work? I'm glad you asked. I'll answer that question and briefly explain preventative measures in an easy-to-understand manner.

As its name suggests, shoulder surfing is the practice of looking over the victim's shoulder as they type their credentials into a computer or cell phone. The objective is to capture the details entered, such as the username and password typed when logging into an online account like Facebook, Twitter or any other platform that requires some form of authentication. Simple as it sounds, it does require some skill: the SE'er has to read each keystroke as it is pressed and retain the whole sequence in order. To make this easier, the social engineer may key every character into his own cell phone as the target types and save the result; a phone's camera can also record a keyboard or PIN pad from a short distance, so the attacker need not be standing directly behind you to succeed. Pretty clever, yes? I think so too. This can happen to anyone at any time, even while you're punching your password into your PC at work: the cleaner standing behind you could be taking note.

Thankfully, there are no tools to install and no expensive service to buy in order to protect against shoulder surfing. All that's required is common sense and awareness, and training yourself to make it a habit to be mindful every time you key in sensitive information. Simply put, be aware of your surroundings: glance over your shoulder before you authenticate with a PIN, password or the like, and bear in mind that anyone with a line of sight to your keyboard or screen, not just the person directly behind you, can see what you type. Where possible, keep your device close to your body as you enter your details, so that your hand and the device itself conceal the keystrokes; on a PIN pad, cover the keys with your free hand. Do not press the "password reveal" button (the eye icon) in the login form's input field; leave the password hidden behind the asterisks, since a revealed password can be read at a glance rather than reconstructed keystroke by keystroke. In closing, always look left, right and behind you before hitting the keys on your device.