Quiz Entry - updated: 2026.07.05
What is shoulder surfing, and where is it most dangerous?
Literally watching someone enter their credentials over their shoulder — a low-tech attack that still works against high-tech systems.
Where it happens:
- ATMs and payment terminals — PIN entry
- Cafés, libraries, trains — laptop logins
- Open-plan offices — coworkers seeing screens
- Through cameras — security cams or hidden devices recording PIN pads
What attackers harvest:
- Login passwords
- Credit card PINs and CVV codes
- 2FA codes (especially SMS — visible from afar)
- Unlock patterns on phones
Defenses:
- Privacy filters on laptop screens (narrow viewing angle)
- Cup your hand when entering PINs
- Position your back to a wall in public
- Disable lock-screen notifications so codes don't appear preview
- Use biometrics or hardware keys instead of typed passwords where possible
Modern variant — long-range shoulder surfing:
Researchers have shown that with a smartphone camera + zoom + AI, attackers can reconstruct typed passwords from across a coffee shop by analyzing finger positions on screen reflections, or even from the movement of shoulders/elbows.
Tip: PIN pads on ATMs increasingly use randomized button layouts to defeat camera-based attacks — the "1" isn't always in the top-left.
Go deeper:
Shoulder surfing (Wikipedia) — close-range and long-range (camera) variants and high-risk locations.