Shoulder Surfing - Preventing Visual Password Theft
Shoulder surfing is a technique for stealing confidential information such as passwords or PIN codes by looking over someone's shoulder at their screen or keyboard. The risk is especially high in public places such as cafes, trains, and airports. It is a low-tech attack that requires no advanced skills, yet the damage can be serious. With the spread of remote work, reports of incidents at cafes and coworking spaces increased throughout 2024-2025. It is classified as a form of social engineering.
Real-World Use Cases
"While logging into the corporate VPN at a cafe on a business trip, it later came to light that someone behind me had photographed my screen with a smartphone. We have since distributed privacy filters company-wide and established rules for authentication operations in public places."
Shoulder Surfing Tactics
Beyond direct peeking, tactics include photographing the screen with a smartphone camera, observing from a distance with binoculars, and abusing surveillance camera footage. The main targets are PIN entry at ATMs, unlocking smartphones, and password entry on laptops. Physical security books on Amazon can help you learn countermeasures.
Real Damage Scenarios
There are cases where someone working at a cafe and logging into online banking has had the screen photographed with a smartphone from the seat behind, leaking the ID and password. There are also reported cases where accessing a corporate system in an airport lounge allowed the person in the adjacent seat to read the VPN credentials, leading to unauthorized intrusion into the corporate network. Working at business-trip destinations and coworking spaces carries especially high risk, so countermeasures are needed as part of remote-work security.
Countermeasures
Using a privacy filter (an anti-peeping film) is the easiest and most effective measure. Habitually checking your surroundings before entering a password and making use of biometric authentication are also effective. If you use randomly generated passwords filled in by a password manager's autofill, you minimize keyboard input and greatly reduce the risk of being watched. Put this into practice together with security measures for public places. Mobile security books (Amazon) are also a useful reference.