Shoulder-Surfing

All the technology products in the world will never protect you against shoulder surfing. Shoulder surfing occurs when someone overhears or sees another person entering their credentials into a system and learns what they are.

It has happened to most of us, and shoulder surfing can be either accidental – you happen to be next to a colleague and see him or her typing in their password – or intentional, when someone is on the lookout for inattentive individuals who log on to their PC or service without checking whether anyone is watching. Either way, it’s a dangerous situation to be in.

I came across a story by Techdirt about a politician who was given a password that a member of the public overheard while attending as a patient at a medical laboratory.

The patient didn’t mean any harm and the laboratory should be grateful for that. Imagine what would have happened if those credentials had fallen into the hands of someone with criminal connections or someone involved in data and identity theft. A tech-savvy criminal could use the credentials to access and acquire confidential patient files, in turn using the information to steal identities or even blackmail the patients.

Very often people don’t pay attention and do not protect what should be secret and personal. I have seen people typing in their credit card details and not covering the number as they type. People also give their credit cards to serving staff in a restaurant without realizing that their credit card is ‘lost’ for a few minutes. Even airport personnel have a habit of opening doors using the security keypad yet not shielding the numbers from prying eyes.

These things happen because people seldom realize why they have credit cards, passwords and passcodes in the first place: to protect something by means of a secret. Pressing a number in an elevator is no different from typing in a passcode or using your credit card – that is how some people think. Obviously, that is not the case, and this is why education is so important. Helping people understand what single- and multi-factor authentication are and how they fit into the security paradigm should not be dismissed.

Anybody using technology should learn that when a computer program asks an authorized user for a password it is doing so to ascertain the authorized user’s identity. A computer program doesn’t have eyes that can recognize people, so it tries to accomplish this by asking the user for something only that person should know: a password. If other people are aware of that password then the computer cannot distinguish the real authorized user from the others – all the computer is interested in is that the user knows the password and is therefore the authorized user. Anyone who has that password can log in and the computer will accept it because the identity of the user has been authenticated.

The system will continue to accept that identity until the compromised password is invalidated by an administrator. The same thing applies to keypads. The key code to open the door is an alternative to having a guard 24/7 allowing only authorized persons to pass through. The door cannot identify who is standing in front of it unless that person keys in the code which will allow it to determine who it should allow through the door. If a bystander sees the code and keys it in, the door will open because the code is correct and allows the bystander to pass.

The concept behind credit cards is different. Credit cards are assumed to be items that only their legitimate owner has on his or her person. That is why it is very important to never let a credit card out of your sight. Computer systems will always assume that the holder of that credit card is its authorized user. They work on that assumption even if presented with a copy of the credit card rather than an original. Credit cards should be considered as nothing more than portable passwords.

What I have discussed so far is single-factor authentication. It is single-factor because each of the users above relies on a single security mechanism. These security mechanisms are either something a person knows (password, passcode) or something a person has (credit card). There is a third security mechanism that can be used, based on something a person ‘is’. Something a person ‘is’ is the factor used in biometrics – a palm print scan or retina scan. To further strengthen security you can use two or all of them at the same time. Two-factor authentication is becoming more popular these days. Credit card users now also have to enter a PIN code to validate any purchases or withdrawals. Stealing a credit card is useless unless you also have the code.
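The single-factor and two-factor cases described above, written out as a small model so the difference is concrete. This is an added example, not code from the original post; the `Authenticator` class, the account name, the card identifier and the PIN are all constructed for illustration. It shows three things the text argues: a password-only check accepts whoever knows the password, the audit record names the account rather than the person who typed it, and with two factors a stolen card alone or an observed PIN alone is not enough.

```python
"""Toy model of single- and two-factor authentication (added example).

Secrets are stored as salted PBKDF2 hashes rather than plaintext, and
comparisons use hmac.compare_digest so a guess cannot be refined by timing.
All names and sample values below are constructed for this illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Derive a fixed-length hash from a password or PIN (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Account:
    username: str
    pw_salt: bytes
    password_hash: bytes
    card_id: Optional[str] = None      # "something you have": card or token serial
    pin_salt: Optional[bytes] = None
    pin_hash: Optional[bytes] = None   # "something you know" paired with the card


@dataclass
class Authenticator:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[str] = field(default_factory=list)

    def enroll(self, username: str, password: str,
               card_id: Optional[str] = None, pin: Optional[str] = None) -> None:
        pw_salt = os.urandom(16)
        pin_salt = os.urandom(16) if pin is not None else None
        pin_hash = hash_secret(pin, pin_salt) if pin is not None else None
        self.accounts[username] = Account(username, pw_salt,
                                          hash_secret(password, pw_salt),
                                          card_id, pin_salt, pin_hash)

    def _record(self, username: str, ok: bool) -> None:
        # The log records the *account*, not who physically typed the secret.
        self.audit_log.append(f"{username}: {'success' if ok else 'failure'}")

    def login_single_factor(self, username: str, password: str) -> bool:
        """Password only: whoever presents the right secret is accepted."""
        acct = self.accounts.get(username)
        if acct is None:
            return False
        ok = hmac.compare_digest(acct.password_hash,
                                 hash_secret(password, acct.pw_salt))
        self._record(username, ok)
        return ok

    def login_two_factor(self, username: str, card_id: str, pin: str) -> bool:
        """Possession (card id) AND knowledge (PIN) must both check out."""
        acct = self.accounts.get(username)
        if acct is None or acct.card_id is None or acct.pin_hash is None:
            return False
        has_card = hmac.compare_digest(acct.card_id.encode(), card_id.encode())
        knows_pin = hmac.compare_digest(acct.pin_hash,
                                        hash_secret(pin, acct.pin_salt))
        ok = has_card and knows_pin
        self._record(username, ok)
        return ok


def demo() -> dict:
    """Run the scenarios from the text against one constructed account."""
    auth = Authenticator()
    auth.enroll("alice", password="correct horse", card_id="CARD-0001", pin="4821")
    results = {
        # Single factor: a shoulder surfer who saw the password is
        # indistinguishable from alice as far as the system is concerned.
        "surfer_with_password": auth.login_single_factor("alice", "correct horse"),
        "surfer_with_wrong_password": auth.login_single_factor("alice", "correct horsf"),
        # Two factors: a stolen card alone, or an observed PIN alone, fails.
        "stolen_card_only": auth.login_two_factor("alice", "CARD-0001", "0000"),
        "observed_pin_only": auth.login_two_factor("alice", "CARD-9999", "4821"),
        "card_and_pin": auth.login_two_factor("alice", "CARD-0001", "4821"),
    }
    results["audit_log"] = list(auth.audit_log)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first audit entry is "alice: success" even though, in the scenario, it was the shoulder surfer who typed the password: the record points at the legitimate account holder, which is exactly the problem the post raises later about who ends up answering for misuse.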

When users understand how authentication methods work, they might be motivated to protect the details more than they currently do. Let’s face it, no one wants someone else to take and use their identity!

When we allow people to overhear or see our credentials, or we give them enough time to take a copy of our credit cards, we are giving them the tools they need to take our identity and use ‘our’ secrets in conjunction with any system that requires them.

If that isn’t motivating enough, then perhaps this will work.

A computer acknowledges a legitimate user if the credentials used are correct; thus if those credentials are misused in any way, it is the legitimate user who will face the music. Querying the system will only show that the ‘person’ who abused the system is the legitimate owner.

A forensic analysis and investigation might clear the victim of any wrongdoing, but that will not be possible in every circumstance. The best way to protect your credentials is to keep them secret and always look over your shoulder when keying in passwords. You never know who is looking.
