6.2. Shoulder Surfing

There's nothing technical about shoulder surfing (at least not traditionally). Shoulder surfing is the act of direct observation (such as looking over someone's shoulder) in order to obtain small pieces of crucial information such as usernames or passwords, ATM codes or (very popular at one time) long-distance calling codes at payphones. Shoulder surfing is most successful in crowded places, as they offer both more targets and better concealment.

A classic criminal example is surfing the PIN code on a locker at the gym. As people tend to reuse their four-digit codes, you can be fairly certain that the PIN codes on the credit cards stored in the locker will be the same. Another example is the classic ATM scam. Criminals have been known to install small devices in ATMs that capture cards. As the ATM user stands there trying to figure out what has happened, he is approached by the crook, who tells him he had the same problem the other day and to just try entering the code again, which is discreetly noted. Naturally, this doesn't work, so the mark walks off to call his bank. The criminal walks away too, now in possession of both the card and the PIN.

In this section I discuss the two more interesting things you can get through shoulder snooping: computer access codes (usernames, passwords, PINs, etc.) and door codes. Shoulder surfing for computer codes can take place both within the target premises, by discreetly observing staff, or outside in internet cafes, ...

From Unauthorised Access: Physical Penetration Testing For IT Security Teams (O’Reilly).