
Needles and Pins… And Shoulder Surfing

on June 14, 2012

The early 1960s saw the release of the hugely popular single “Needles and Pins”.

While needles have decidedly fallen out of favor, being the sharp pointy instruments of pain that they are, PINs are still very popular – especially with the tech world.

Whenever we visit an ATM or supermarket, we tend to punch in our PIN with an index finger, and often no care is taken to cover the hand and disguise the digits being pressed. It is important to realize that a bystander can easily obtain your PIN simply by watching you, even from a couple of meters away. This is especially true at ATMs, where the numeric keypad is often quite large and the keys are widely spaced, so each finger movement maps clearly to a single digit.

Ask someone whether they believe only they know their PIN, and you will almost always be told that they feel safe because nobody else knows the number.

That confidence is misplaced: if a casual bystander can work out your PIN, someone who is deliberately trying to discover it certainly can. This type of activity is known as shoulder surfing, and it can have dire repercussions for the security of your personal data and identity. In the case of an ATM, a criminal still needs your physical bank card to withdraw money illicitly, but shoulder surfing in the office environment can have more direct and immediate consequences.

In an office, the proximity of people working together tends to make your awareness slack. Someone may, even without intent, glance over your shoulder and see what you are working on. If there is intent, confidential documents and even passwords are at risk, precisely because you are not expecting that to happen in the office. The problem is compounded by our dependence on digital devices: tablets, smartphones and laptops often share the same password, so one observed password can unlock several of them.

With a few simple precautions you can mitigate these risks, without becoming too paranoid.

  1. Try to position your monitor so that people directly behind you cannot clearly see what’s on your screen.
  2. Rather than typing passwords with index fingers, touch typing helps to obfuscate your sequence… provided it is not “asdfg” or “qwerty”.
  3. Do not use the same password for multiple accounts. With different passwords, if one of them is compromised, the others will not be.
  4. Never leave your password on a post-it note, blue-tacked to your monitor!

And the moral of the story:

Protecting something with a password makes it only as secure as the person holding the key. While you can never be 100% secure, it never hurts to take a few simple precautions to safeguard your passwords and PINs. The needles can be left to fend for themselves…

Comments
Toni Johnson June 15, 2012 4:50 pm

In a time when open cubicles and open office spaces are the norm, this is quite a problem.

I hear people from accounting taking credit card information over the phone and repeating the confidential data within earshot of the person next to them.

People working on confidential proprietary information who still have their monitors facing other people are a cause for concern for management.

You’re right. Even if recruitment and onboarding procedures are stringent about getting people with character, there is no foolproof system. There will always be people who will be tempted to get information and use it or even sell it, much to the detriment of the organization. Be wary.

John Deeley June 15, 2012 4:56 pm

I’ve worked in environments where someone will ask a colleague to print something off their locked workstation, and shout their password over several rows of workstations. Any level of security is worthless if you disregard the physical senses, and how one might perceive the information you are supposed to protect to keep yourself and your peers safe.

Shione Masters June 27, 2012 10:10 am

I always believe that people are inherently trusting, despite being warned by our parents when we were children to be wary. Of course, the few who have been through difficult circumstances develop a learned skepticism and distrust of other people. But for most people, rarely do we have the foresight to accommodate the possibility that people, regardless of how spotless their reputation might have been, will falter and attempt to take advantage of useful information that’s within their reach, especially if they don’t even have to try hard to get that information, i.e. passwords spoken within earshot or information placed on open desks.
I keep on telling people: trust people but lock your doors.