Know your enemy: Shoulder surfing

January 2019

Researcher and ISSG member Wendy Goucher MBCS provides a timely reminder that even during the daily commute your data may not be safe from prying eyes.

You know what shoulder surfing is: it’s that thing you do when the train, bus or plane is crowded and you happen to glance over someone’s shoulder to see what they are doing.

In the days when I took a train to work, broadsheet newspapers were the vogue amongst my fellow commuters. I was long-sighted, which meant that, instead of fighting with the opening and folding of the beast (which I never did master), I would read the newspapers of those sitting around me. Harmless really, but it deprived The Times, Telegraph or Guardian of my purchase.

Working on a train

About eight years ago, while travelling around, I noticed that the interesting things to read were now displayed on laptops. I only looked out of curiosity; no harm done, really.

I was, though, tempted to get in touch with the customer of a man I sat next to on a train to Glasgow. He was composing an email explaining how he could persuade that customer that it wasn’t his company’s fault they hadn’t delivered the service promised.

It was all going to be smoke and mirrors, the end point being that the customer was to be made to believe it was actually their fault. I really wish I had found out how that turned out. The point is, that was not ‘harmless’ information. It would have taken just one phone call to spoil the salesman’s day.

Research and experiments

Later, I carried out some academic research to see if I was alone in noticing sensitive information being displayed in public. The answer from that work, and by anecdote almost every time I have talked about it since, assured me I was not alone in my suspicion. While musing on these results I realised that the real risk was not so much the casual glance at a display; it was a copy being taken of that display.

So, I carried out an experiment to see what a smartphone could capture from a tablet or laptop display; this was in the time of the iPhone 4 and iPad 2. The answer was that the best place to observe a laptop or tablet from was about two rows back, with the observer standing. From there the photos gave a readable shot down to font size 12.

I repeated the experiment a couple of years ago, using the iPhone 6 for both display and capture. One phone had a privacy screen and the other just a standard display. The headline result was that even two rows back, a good quality photo could be taken of the data on a smartphone screen. With the privacy screen it was best to be standing directly behind, but two rows back was still good.

Oh, and it was also possible to take a short video of the document as the user scrolled down, which is particularly important for documents on smartphones, as the display shows less of the document at a time.

Why should you care? Well, when your staff (or you, come to that) are on public transport, or in a public area such as a coffee shop, looking at business-sensitive material, you should be aware that it can be seen, copied and shared.

The ready availability of the internet means that an observer might share not only with colleagues but on social media. Although it might be a bit of a stretch to call this a ‘cyber attack’, it can certainly be cyber-boosted.

Taking responsibility for data

In the pain and paperwork of the run-up to GDPR day in May this year, people were made responsible for protecting personal data. You don’t want staff working on such material in public environments, because that could be expensive in ICO fines. Don’t coat your desk with Teflon and tell yourself it is the user’s fault for working there.

Generally speaking, I doubt people work in public because it is their favourite place, with the possible exception of working on a plane on a long flight, because of the lack of phone interruptions (for the moment).

People work as they travel to fit more work into the working day so they don’t have to do it in their ‘own’ time. So, maybe we have to look at how organisations place pressures on their staff to frequently do more work than fits into a working day. If they do have too much, and they work on it while commuting, and there is a leak, whose fault is that? It’s an interesting question. I suspect the answer will come on the slow train from case law.

So what is my point? Am I here just to spread gloom? No. I like to think that’s not my style. Years ago, when I lectured in management, we used to talk about push and pull motivation.

Push motivation is the motivation generated or kindled within the member of staff, the motivation they bring to their job. Pull motivation is driven on from outside: think a ‘Wolf of Wall Street’ motivational speech or information from the security awareness CPT package. Both can work, and best of all is when both work together in the same direction.

So how can we make people want to take care on their devices?

They need to understand the risk at a personal level. That doesn’t mean they need to suffer, but they need to understand the risk to their own data that viewing their screen in a public place might bring, and that understanding needs to drive safer behaviour.

There is a concept known as ‘behavioural intent’ that talks about the need to change people’s actions by first changing their intention to behave. Think of it like a New Year’s resolution: they work, don’t they? Well, often, no. To change behaviour in the medium or long term there needs to be that internal push motivation. This then fires up the super-charger to make the change more likely to stick.

Too often I find companies believe that just telling someone to change their way of working (and threatening to reduce their access to the coffee machine) means it will change. No matter how often I come upon this attitude, I still find it hard to understand that anyone who has been around a growing child, or indeed a stroppy adult, could still believe that telling = action.

We know it doesn’t in just about any situation, so why do we believe it will in the world of security? Most especially when the users are operating outside the office and you really don’t know what they are doing.

My point? There is a risk of someone reading over your shoulder if you are working or reading in public. Super clear device screens make it super easy to capture an image from quite a distance. Device connectivity means that more information than ever can be accessed on the move, then displayed and potentially copied by an unauthorised person.

Because there is rarely going to be any obvious evidence of a copy being made, we can’t use that as an incentive. We have to make security more relevant and reasonable if we want staff to tighten up their mobile working practice. My Selfish Security approach leads me to ask users to consider that the screen captured is their own banking app. What if the sequence videoed is them logging on to do a bit of banking admin? Ah, now they are listening.

Wendy Goucher is the author of Information Security Auditor, available from the BCS bookshop.

Image: gettyimages/Laurence Dutton