Vol. 1 · Ed. 2026
CyberGlossary
Entry № 1154

Shoulder Surfing

Reviewed by Cybersecurity entrepreneur & security researcher

What is Shoulder Surfing?

Shoulder Surfing: Observing someone's screen, keyboard, or PIN pad over their shoulder — directly or via cameras — to steal credentials, codes, or sensitive information.


Shoulder surfing is a low-tech, high-impact information-gathering technique. It includes glancing at a colleague's laptop during a flight, recording PIN entry at ATMs and POS terminals, watching MFA codes in shared offices, and using long-lens or ceiling cameras to capture data from a distance. Because the target is the human–device interface rather than the technology stack, traditional controls do not help directly. Mitigations include privacy screens, awkward typing angles, clean-desk and clear-screen policies, masked PIN displays, biometric or push-based MFA that does not leak codes, secure entry of credentials in private settings, and physical positioning that limits sightlines.

Examples

  1. Reading a traveler's email through the screen on a packed train.

  2. Using a hidden camera near an ATM to capture PINs and card details.

Frequently asked questions

What is Shoulder Surfing?

Observing someone's screen, keyboard, or PIN pad over their shoulder — directly or via cameras — to steal credentials, codes, or sensitive information. It belongs to the Attacks & Threats category of cybersecurity.

How do you defend against Shoulder Surfing?

Defences for Shoulder Surfing typically combine technical controls and operational practices, as detailed in the full definition above.

What are other names for Shoulder Surfing?

Common alternative names include: Visual eavesdropping.
