The threat of shoulder surfing should not be underestimated

Ira Winkler questions a recent column on the topic of shoulder surfing, also called visual hacking, and suggests that a better understanding of security awareness would go a long way.

Author note: This article does not intend to personally criticize the author in question. However, it will criticize the ideas and beliefs expressed in the column. It is also important to note that the word "ignorant," defined here as unknowing, is used frequently in this article. I believe the lack of understanding on the subject expressed in the column in question serves as a great lesson in the need for awareness of many physical security concerns, as well as of the history of hacking.

Normally when I see a column I don’t agree with, I let it go. Highlighting something, whether for good or bad, brings more attention to it. However, I recently read an article criticizing security terms and tools in a way that trivializes significant security concerns. I believe it deserves to be set straight.

While the column, Visual hacking is not hacking, was listed as an opinion piece, as is this article, it can be considered a dangerous opinion if it ever gets traction. At the same time, the ignorance (defined as unknowing) serves to identify a critical area to consider regarding security and security awareness.

The column in question criticizes 3M's use of the term "Visual Hacking," which, for lack of a better term, is shoulder surfing. This is where you look at a computer or monitor over someone's shoulder and watch what the person types, such as their passwords, or what is on their screen. The column makes the incredibly naïve claim that, in the workplace, looking over someone's shoulder is collaboration and teamwork. It also says that only creepy people will look at your iPad while you are in the elevator, and that you shouldn't be using your iPad in an elevator.

Let's first examine the column's criticism of the term "hack." It reflects a fundamental misunderstanding of security. The column implies that the term is a computer term that has now been bastardized for non-computer-related issues, such as "life hacks." As a person who has been in the security field for decades, I've observed a gross lack of knowledge of the history of the hacking field.

The term "hack" was coined long before computers, and its computer usage seems to have originated at MIT, where hacking was iconic. In that tradition a hack is defined as a clever, benign, and ethical prank. The computer field essentially adopted the term because early "hackers" bypassed controls to make the computer more useful, or to overcome the lack of documentation. Claiming that the term originated to describe breaking into computers displays ignorance of the field. "Hack" has also been used as an expression in countless other settings, including golf, taxis, chopping, and horses, any of which could plausibly lay claim to being the origin of the word as later applied to computers.

The column also claims that true hackers only focus on hacking computers. Well, there is the Social Engineering Capture the Flag contest at DEF CON, which focuses entirely on social engineering, something that is not hacking by the column's definition. Having presented on social engineering and other non-technical hacks at Black Hat on multiple occasions, I can say that non-technical attacks are very much of interest to the "real live hackers."

The column gets dangerous by trivializing the importance of screen protectors in preventing "visual hacking," while promoting shoulder surfing as a tool of teamwork and collaboration.

I prefer the term shoulder surfing over visual hacking, but whatever it is called, it is a highly critical issue for security practitioners. First, let's examine the straightforward claim of teamwork and collaboration. The column assumes that everyone inside a company is entitled to see all information inside that company. Anyone who has been in a modern office environment knows that there is little privacy. While some people might work with data that is fine for the entire organization to know, visitors also pass through the facility. There are many areas where information should be restricted, such as accounting, human resources, engineering, legal, sales, customer data, vendor data, and any area where there is intellectual property of any note. There are also many areas where distribution of information is legally restricted. I really wonder what environment wants that kind of unrestricted "collaboration."

Then I am bewildered by the comment about the odds that "the dude next to us gives a rat's behind about what is on our screen." This is just gross ignorance. It is a major awareness and security concern for people traveling with sensitive information, and in some cases organizations are legally required to protect that information.

Let's be clear about the comments being made: the column contends that being concerned about shoulder surfing is ridiculous and is easy to take care of by shouting, "teacher, he's copying me!" (that is written in the column). This ignores the obvious point that the target frequently has no idea that someone is looking over their shoulder.

Shoulder surfing is a serious issue, and it has legal implications as well. Despite the column appearing in CIO magazine, where the "I" stands for "Information" and not computers, it fails to understand that companies have to protect information in all of its forms, not just the underlying computer technology. A "hacker" doesn't care whether they get the information by compromising computer technology, stealing a laptop from a car, or looking over someone's shoulder on an airplane. More important, there are more than just "real live hackers" in Las Vegas; there are also criminals, competitors, malicious insiders, and even the "creepers" the column refers to.

A "real live security professional" knows that they have to protect information in all of its forms. They know that laptops frequently outnumber desktops. They know that they have to secure mobile workforces. They know that computer monitors frequently sit in public spaces, where the observability of information on the screen must be limited, not to mention medical offices, security desks, any computer with personally identifiable information, and so on.

While this article is not intended as an endorsement of 3M privacy filters, such filters serve a critical role in securing corporate information. I began writing this article to stress that shoulder surfing is a critical physical security concern that security programs should address with a combination of increased awareness of the concern and other protections, such as privacy filters. I grew more horrified by the lack of security awareness the more I read.

And for the record, training your users to yell, "teacher, he's cheating off me," is not enough. Users need to know that shoulder surfing is a serious concern, and companies also need to take other precautions, like investing in privacy filters, to protect users further. Awareness needs to be proactive, as should the other countermeasures you put in place.

Ira Winkler, CISSP can be reached through his company Secure Mentem at
