SCAM OF THE MONTH: Shoulder Surfing is Still a Thing for Successful Social Engineering Attacks

Social engineering isn’t concerned with either novelty or elegance. All that matters is whether it works. ESET’s Jake Moore described a case in point: “All someone might need to gain access to your account is look over your shoulder at the right moment, just like the kid at the next desk trying to cheat on a test back in elementary school. I recently looked at the top 10 free apps on the Apple App Store and decided to target one to see if I could take control of someone else’s account.” Moore settled for Snapchat for his test.

Sitting near a friend (from whom he’d obtained permission to attempt an account takeover, on the condition that he promised not to do anything with the account once he’d hacked it), he entered her phone number into Snapchat, said he’d forgotten the password, and requested a password reset. Then he watched for the pop-up confirmation to arrive on the friend’s phone, saw it, reset her password, and had control of her account.

Now, this was a demonstration, but the point is to remain aware of where you are, and what’s going on both in your surroundings and on your device. In this case, the test subject noticed neither the shoulder-peek nor the popup on the phone.

“Shoulder surfing as such is best thwarted by preventing anybody from covertly looking at your screen when you enter sensitive information into an app or website, especially in public places,” Moore wrote. “Better still, make sure you turn off notification previews so that they’re hidden from prying eyes when your phone is locked. Also, be sure to actively monitor your SMS messages when using your phone or tablet around other people.”

Stop, Look, and Think. Don’t be fooled.