Shoulder surfing (computer security)

In computer security, shoulder surfing is a social engineering technique used to obtain information such as personal identification numbers (PINs), passwords, and other confidential data by looking over the victim's shoulder. An unauthorized observer watches the keystrokes entered on a device, or listens to sensitive information being spoken, which is also known as eavesdropping. [1]

Methods

Shoulder surfing can be performed at close range (by directly looking over the target's shoulder) or at long range with equipment such as binoculars, hidden cameras, and hidden microphones. [2] Shoulder surfing is more likely to occur in crowded places because it is easier to observe the information without attracting the victim's attention. [3]

Shoulder-surfing attacks may be executed by direct observation or by recording. In direct observation attacks, information is obtained by directly monitoring the target interacting with the confidential data. In recording attacks, this information is recorded for later analysis. [4]

For targets, shoulder surfing can lead to financial losses or identity theft. [5]

Countermeasures

Gaze-based password entry

With gaze-based password entry, the user enters the password via eye tracking. The approach can be used both with an on-screen keyboard for character-based passwords, and with graphical password schemes. [6]

Graphical passwords

The primary benefit of graphical passwords over alphanumeric passwords is improved memorability. The drawback of that advantage is that the same images are easy for an onlooker to recognise and remember, so the risk of shoulder surfing increases. Schemes based on graphics or pictures [7] such as PassFaces, Jiminy, [8] VIP and Passpoints, [7] and schemes that combine graphics with audio such as AVAP, are all likely to carry this increased risk unless the implementation mitigates it. Experimental comparisons indicate that both alphanumeric and graphical password mechanisms can be significantly vulnerable to shoulder surfing unless precautions are taken. Although non-dictionary passwords are commonly believed to be the most secure form of password-based authentication, the same results show them to be the configuration most vulnerable to shoulder surfing, reportedly because users type them slowly, key by key, giving an observer time to follow each keystroke.

Graphical passwords have also been proposed as an anti–shoulder surfing mechanism. [9] [10] Proposed input schemes include the swipe scheme (performing a swipe gesture on an image), the color scheme (selecting colored boxes), and the scot scheme (combining the swipe and color schemes). [10] Photo-based passwords have been criticized as easy to guess because users tend to choose predictable points and gestures in their images. [11]

Fingerprint scanning

Smartphones use biometrics such as fingerprint scanning or facial recognition, which a shoulder surfer cannot replicate because the user enters no secret that can be observed and memorized. The PIN or passcode that such devices keep as a fallback remains exposed to observation.

The secret tap authentication method can use icons or another form of input. The goals of a secret tap system are:

PIN entry

Although PIN entry forms part of a two-step verification process in some settings, it remains vulnerable to shoulder surfing. On devices with glossy touch screens, such as mobile phones, the user's finger leaves smudges that can reveal the PIN. [12] Other attacks use thermal cameras to read the heat signature left by the PIN entry. [13] Thermal attacks exploit the heat fingerprints that remain on the keys after the person authenticating has finished entering the secret, so they work after the fact rather than during entry. [14]

To counteract risks of shoulder-surfing, PIN pads may have built-in privacy shields. To guard against attacks with thermal cameras, devices may have metal buttons, [15] shielding, reflectivity, or internal heating. [14] The transfer of heat through wiping with warm objects or hands is also found effective to counter thermal attacks. [14]

Alternative PIN entry methods, such as the "cognitive trapdoor game", have also been proposed. In the cognitive trapdoor game, the user enters authentication information via participation in a game; "winning the game is well within the bounds of human's cognitive capacity if the correct PIN is known." [16]
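The following is an added example, not code from the page or from the cited paper, of how a trapdoor-style PIN entry works and what it does and does not protect against. It follows the immediate-oracle design of Roth et al. as recalled by the editor: the terminal randomly colours half of the digits black and half white, and for each PIN digit the user presses the colour of that digit, repeated for several rounds. The function names, the choice of four rounds per digit, the seeded random generator and the sample PIN are assumptions made for the example. The last function shows the caveat a practitioner should know: an attacker who records every round (a recording attack, as distinguished from direct observation above) intersects the partitions and recovers the PIN, so the scheme resists only an observer limited to human memory.

```python
"""Cognitive trapdoor PIN entry (immediate-oracle variant), added example.

Scheme as recalled from Roth et al.; names, ROUNDS_PER_DIGIT and sample data
are assumptions of this example, not the paper's own code.
"""
import random
import secrets
from typing import List, Optional, Sequence, Tuple

DIGITS = "0123456789"
ROUNDS_PER_DIGIT = 4          # each round reveals ~1 bit; log2(10) rounds up to 4

# A transcript is one list per PIN digit; each entry is (black_digits, answer).
Round = Tuple[frozenset, str]
Transcript = List[List[Round]]


def make_partition(rng: random.Random) -> frozenset:
    """Colour five of the ten digits black; the remaining five are white."""
    return frozenset(rng.sample(DIGITS, 5))


def user_answer(pin_digit: str, black: frozenset) -> str:
    """What an honest user who knows the PIN presses: the colour of the digit."""
    return "black" if pin_digit in black else "white"


def run_session(pin: str, rng: Optional[random.Random] = None) -> Transcript:
    """Simulate a full entry: ROUNDS_PER_DIGIT random partitions per PIN digit."""
    rng = rng or secrets.SystemRandom()
    transcript: Transcript = []
    for d in pin:
        digit_rounds = []
        for _ in range(ROUNDS_PER_DIGIT):
            black = make_partition(rng)
            digit_rounds.append((black, user_answer(d, black)))
        transcript.append(digit_rounds)
    return transcript


def verify_pin(pin: str, transcript: Sequence[Sequence[Round]]) -> bool:
    """Terminal-side check: every recorded answer must match the true PIN."""
    if len(transcript) != len(pin):
        return False
    return all(user_answer(d, black) == answer
               for d, digit_rounds in zip(pin, transcript)
               for black, answer in digit_rounds)


def recording_attack(transcript: Sequence[Sequence[Round]]) -> List[set]:
    """Recover the candidate digits from a recording of every partition and answer.

    A direct observer cannot hold four random ten-digit colourings per PIN
    digit in their head, which is what the scheme relies on; a camera can, and
    intersecting the partitions narrows each position to one or a few digits.
    """
    candidates = []
    for digit_rounds in transcript:
        possible = set(DIGITS)
        for black, answer in digit_rounds:
            possible &= set(black) if answer == "black" else set(DIGITS) - set(black)
        candidates.append(possible)
    return candidates


if __name__ == "__main__":
    pin = "4712"                      # constructed sample PIN
    t = run_session(pin, random.Random(7))
    print("terminal accepts correct PIN:", verify_pin(pin, t))
    print("candidates recovered from a recording:", recording_attack(t))
```

Seeding the generator is only for reproducibility in this example; a real terminal must draw the partitions from a cryptographically secure source, since a predictable colouring hands the attacker the same intersection without needing a recording.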

Virtual reality

A user could wear a virtual reality headset to mitigate the issues of shoulder surfing; however, gesture controls, buttons pressed, and voice commands could still be monitored. [17]

References

  1. "Shoulder surfing - definition of shoulder surfing in ... (n.d.)". Archived from the original on December 20, 2016. Retrieved October 21, 2016.
  2. Kee, Jared (April 28, 2008). "Social Engineering: Manipulating the Source". SANS Institute InfoSec Reading Room. Retrieved October 24, 2016.
  3. Goucher, Wendy (November 2011). "Look behind you: The dangers of shoulder surfing". Computer Fraud & Security. 2011 (11): 17–20. doi:10.1016/s1361-3723(11)70116-6.
  4. Eiband, Malin; Khamis, Mohamed; von Zezschwitz, Emanuel; Hussmann, Heinrich; Alt, Florian (May 2017). "Understanding Shoulder Surfing in the Wild: Stories from Users and Observers" (PDF). Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems. pp. 4254–4265. doi:10.1145/3025453.3025636. ISBN 9781450346559. S2CID 11454671. Retrieved May 3, 2018.
  5. Long, Johnny (2008). "Shoulder surfing". No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. Burlington, MA: Syngress. pp. 27–60.
  6. Suo, X. and Y. Zhu. Graphical Passwords: A Survey. In Proceedings of Annual Computer Security Applications Conference. Tucson, Arizona, USA, 2005.
  7. R. C. Thomas, A. Karahasanovic, and G. E. Kennedy, "An Investigation into Keystroke Latency Metrics as an Indicator of Programming Performance," presented at Australasian Computing Education Conference 2005, Newcastle, Australia 2005.
  8. L. K. Seng, N. Ithnin and H. K. Mammi, "User's Affinity of Choice: Features of Mobile Device Graphical Password Scheme's Anti-Shoulder Surfing Mechanism", International Journal of Computer Science Issues, vol. 2, no. 8, (2011)
  9. Seng, Lim Kah; Ithnin, Norafida; Mammi, Hazinah Kutty (2012). "An Anti-Shoulder Surfing Mechanism and its Memorability Test". International Journal of Security and Its Applications. 6 (4): 87–96.
  10. L. K. Seng, N. Ithnin and H. K. Mammi, "User's Affinity of Choice: Features of Mobile Device Graphical Password Scheme's Anti-Shoulder Surfing Mechanism", International Journal of Computer Science Issues, vol. 2, no. 8, (2011) https://www.researchgate.net/publication/266183490
  11. Spector, Lincoln (March 14, 2016). "Windows 10 picture password: Draw your own conclusions about its safety". PC World. Retrieved February 23, 2020.
  12. "Smudge attacks on smartphone touch screens | Proceedings of the 4th USENIX conference on Offensive technologies" (PDF). dl.acm.org. Retrieved July 25, 2020.
  13. "Thermal-imaging devices can steal your PINs and passcodes". consumeraffairs.com. September 2, 2014. Retrieved July 25, 2020.
  14. Fritsch, Lothar; Mecaliff, Marie; Opdal, Kathinka W.; Rundgreen, Mathias; Sachse, Toril (2022). Towards robustness of keyboard-entered authentication factors with thermal wiping against thermographic attacks. Gesellschaft für Informatik e.V. ISBN 978-3-88579-719-7.
  15. "Stealing ATM PINs with thermal cameras". Naked Security. August 17, 2011. Retrieved July 25, 2020.
  16. Roth, V., & Richter, K. (2006). How to fend off shoulder surfing. Journal of Banking & Finance, 30(6), 1727-1751. doi:10.1016/j.jbankfin.2005.09.010
  17. Abdrabou, Yasmeen; et al. (June 6–10, 2022). Understanding Shoulder Surfer Behavior and Attack Patterns Using Virtual Reality (PDF). Proceedings of the 2022 International Conference on Advanced Visual Interfaces (AVI 2022), June 6–10, 2022, Frascati, Rome, Italy.