

Shoulder surfing: Watch out for eagle-eyed snoopers peeking at your phone


Some fraudsters may use low-tech tactics to steal your sensitive information – peering over your shoulder as you enter that data is one of them

We live in an age of pervasive connectivity. But our always-on, mobile-centric lives also expose us to risk. For many people, it is the prospect of phishing, remotely deployed malware, and other online risks that poses the greatest threat to their personal and professional data. Sometimes, though, the old ways, like shoulder surfing or even dumpster diving, offer the best ROI, and there are plenty of opportunistic fraudsters about who are willing to give it a go.

Shoulder surfing has been around far longer than smartphones and highly portable laptops. Just ask anyone who has had their credit card PIN or their phonecard digits stolen by unscrupulous passers-by. But today there are far more opportunities to cash in.

Our hurried, multi-device lifestyles are a magnet for shoulder surfers. A few small behavioural changes could be enough to keep you safe.

A cautionary tale (or two)

Most of us dismiss shoulder surfing. We think we’d be able to spot someone lurking behind us with their eyes glued to our screen. But the bad guys only need to get lucky once. And we give them plenty of opportunities through the working day, especially now that society is opening up again.

ESET’s Jake Moore recently revealed two occasions where he managed to obtain the login details of friends’ online accounts, with their prior agreement. His research highlights well just how exposed many of us are to savvy attackers, especially in informal settings like bars, cafes and restaurants.

1. Snapchat surfing

In his first experiment, Jake bet a friend he could hijack her Snapchat account, even one protected by two-factor authentication. Using the password reset function, he entered her phone number and selected the option to be messaged a confirmation code. By simply shoulder surfing the confirmation message when it popped up on her home screen, he was able to take complete control of the account. Even a second SMS code sent as confirmation was ignored by the account holder but observed and entered by Jake.

Now, an attacker might not normally know their victim’s phone number, but they may be able to find it online from previously breached data troves or leveraging open-source intelligence, including on social media. By calling up the user and pretending to be an employee at said social media company, an attacker could theoretically trick the user into handing over their SMS code.

Of course, that’s not strictly speaking shoulder surfing. But imagine an office or education setting where colleagues or kids may be in close proximity to users whose phone numbers they do know. That makes the “password-reset shoulder surf” a more genuine risk.

2. PayPal problems

In a similar second experiment, Jake bet a friend he could hijack one of his online accounts. This time he went to the PayPal login page to request a password reset. Knowing the user’s email address, he typed this in and selected the security check option of an SMS code sent to the friend’s phone. As in the example above, Jake was able to covertly snoop on his mate’s device as the code flashed up. Thus, he had entry to the friend’s entire PayPal account.

Once again, an attacker here needs to get hold of a victim’s email address, be it by shoulder surfing them, by finding a previously breached one on a dark web site, or through other means. Then they would need to get in close proximity to the user to spot that confirmation code as it flashed up. Again, an office or school would be the perfect place. However, if a shoulder surfer had their eyes on a target working in a public place for long enough, the chances are they would spot their email address eventually.

What could shoulder surfing mean for you?

The argument here is that the security bar is in many cases still too easy for malicious actors to jump – especially if they have eyes on your laptop or device. Too many of us allow notifications to flash up on our screens. We might have grown so desensitized that we ignore them. But those looking over our shoulder don’t.

It’s particularly pertinent that the victim in the PayPal example above was a cybersecurity veteran of 20-plus years. If he can get scammed like this, many others could, and once a bad actor has access to your account they could:

• Change the logins and then extort the victims so that the latter can regain access
• Use brute-force techniques to try the same email/logins for access to other accounts
• Steal your personal information for use in identity fraud attempts or follow-on phishing
• Access and divert funds to their own accounts
• Troll and bully victims by posting inappropriate content from their accounts

What can you do to prevent shoulder surfing?

The impact of such an account hijack can last many months. If bad actors have managed to steal funds and personal info, you may suffer a barrage of phishing attempts over the succeeding months. Recovering lost funds and resetting credit scores can take even longer. With that, here are a few mitigation strategies:

Never reuse passwords across accounts, and use a password manager to store unique, strong credentials. Switch on multifactor authentication (MFA). But choose an authentication app (e.g., Google Authenticator, Microsoft Authenticator) rather than an SMS code option.

Always be alert when logging in to your accounts in public. That could mean not working at all in crowded airplanes, trains, airports, hotel lobbies and the like. Or, at the very least, work with your back to a wall.

Use a privacy screen on laptops to ensure anyone trying to spy on your screen from an angle can’t do so.

Switch off on-screen notifications for messages, emails and alerts to stop the kind of attack Jake demonstrated above. If one does come in, and it wasn’t you, investigate immediately.

It goes without saying, but never leave any devices unattended in a public space. And ensure they are locked with strong passcodes.

Shoulder surfing is still a largely underestimated threat. That doesn’t mean it’s more likely to happen to you than a phishing attack. But the same rules apply. Be alert. Be prepared. And practice “safety first”. www.eset.com/uk

Greendale Construction achieve ‘excellent rating’ from BREEAM for Studland House, Bournemouth University

Chartered Builders, Greendale Construction Limited, has achieved a BREEAM rating of excellent for its work at Studland House, Bournemouth University.

BREEAM (Building Research Establishment’s Environmental Assessment Method) is the world’s leading sustainability assessment method for master-planning projects, infrastructure, and buildings. It recognises and reflects the value in higher performing assets across the built environment lifecycle, from new construction to in-use and refurbishment.

The 25-week works on phase 2, and 28 weeks on phase 3, of Studland House, carried out by Greendale during the £2.1 million contract for Bournemouth University, involved the complete refurbishment of floors one, three and four, plus the local refurbishment of the toilet areas on the ground floor. The new space on the ground floor now provides additional active travel facilities along with new accessible, gender-neutral toilets. The upper floors also benefited from toilet refurbishments on each floor in the core areas, larger open-plan office arrangements with separate meeting rooms, and break-out spaces, store-rooms and kitchenettes. The same theme was maintained across all the floors, but layouts were tailored to the individual department needs.

Chris Cave, Commercial Director, Greendale Construction Ltd, commented: “BREEAM completes its assessment through third-party certification of an asset’s environmental, social and economic sustainability performance, using standards developed by BRE (Building Research Establishment). This means BREEAM-rated developments are likely to be more sustainable environments that enhance the well-being of the people who live and work in them, help protect natural resources and make for more attractive property investments. Greendale was fortunate to have the assistance of assessors Adam Watkins & Laura Tenor of Sustainable Construction Services to help advise on, and meet, all the requirements on this project in order to achieve the BREEAM excellent rating, which included:

• Registering the site with the Considerate Contractors Scheme and scoring 35 points on the review.
• Recording energy & water usage.
• Recording transport for all deliveries and collections.
• Providing a building user guide and training schedules.
• Sourcing materials from sustainable sources, including materials brought to site being of low VOC content.
• Recording all timber deliveries, including the location used, and also obtaining copies of FSC certification from suppliers.
• Obtaining a secure by design certificate from the local police advisor.
• Energy monitoring fitted to allow post-construction monitoring of all energy use for the building.
• Reduction in flush volumes and flow restrictors on sanitaryware installed.
• All insulation installed to be Green Guide A+ rated.
• Providing early-stage waste reduction.
• Site Waste Management Plan undertaken and tracked through the construction period.”

Marcin Grabowski, Estates Programme Manager, BU, commented: “Alongside the delivery of a number of landmark new buildings, BU continues its efforts to improve and transform the BU estate, recognising the importance of refurbishment, remodelling and optimisation of the existing buildings.

“The fully refurbished Studland House will provide a consolidated, high-quality central hub for BU’s Professional Services at Lansdowne Campus.

“In line with BU’s commitment to environmental sustainability, all our major refurbishments must achieve BREEAM ‘very good’ as a minimum.

“Thanks to the fantastic effort from BU and Greendale Construction Limited, the Studland House project has now surpassed BU’s internal target and Greendale’s contractual obligations and achieved a BREEAM ‘Excellent’ rating. It is even more impressive considering that the original target has been exceeded by almost 18%.

“Greendale’s collaborative approach and willingness to go the extra mile was fundamental to this project’s overall success, resulting in fantastic, sustainable facilities and satisfied end-users.”


www.greendaleconstruction.com
