Shoulder Surfing is the practice of surveilling a nearby target to obtain information they are displaying or inputting. Strangers shoulder surf to record sensitive data or Personally Identifiable Information (PII) that is then weaponized against the victim, account, or setting.
Shoulder surfing generally takes place in person as a kind of hyper-local trespassing. Intruders hover or lurk in the personal space of bank customers in ATM queues, listen to telephone conversations, surreptitiously observe username and password conventions, record smartphone videos or others’ logins, sidle up to busy consumers at supermarket checkouts, or simply keep tabs as victims open a PIN-locked door.
Since bad actors rely on victims’ unsuspecting or trusting nature, shoulder surfing can be mitigated with vigilance particularly when authenticating and when identification must be displayed.
“A delivery person the deli uses has an interesting appreciation of personal space. He’s a big shoulder surfer. Rather than ring our doorbell he waits until an employee is PINning into our door to make his delivery. The reason he chills in the vestibule is to get the PIN to our door. Cycle that PIN and get the deli on the phone, please.”