
It is the digital attack tactic that even the most inept of hackers could pull off: Attackers nearby or even across the room can study the movement of your finger as you type in your four-digit code.

With that information, they could access all the sensitive information safeguarded in your smartphone – digital access to your bank cards, conversations with your significant other, sensitive work e-mails and even potentially compromising photographs.

It’s called “shoulder surfing.” And a University of Waterloo study of more than 1,000 shoulder surfing attacks, carried out by 30 recruited participants, found that the most common way people try to protect their privacy is actually futile.


“Many people think that tilting the device screen away is going to protect their personal identification number, or PIN,” lead researcher Hassan Khan told The Globe and Mail. Similarly, people believed that if they were across a room from someone else, their passwords and PINs were safe from that person.

“Not so surprisingly, we found out that – given the known layout of the keypad – a lot of these attackers were able to make these guesses that were pretty correct.”

All experiments were conducted on a Nexus 5 Android device, but the research findings can be applied to any phone with a similar passcode system.

Forty-five per cent of attackers in the study accurately guessed the whole passcode for a tilted-away phone, and another 50 per cent were able to determine it partly. While tilting the device away at an angle of 70 degrees or higher prevented complete guessing of PINs, Mr. Khan and co-authors Urs Hengartner and Daniel Vogel found that smart attackers look for other clues – such as the proximity of someone’s finger to the corner of their phone.

“This was surprising, especially the far distance,” Mr. Khan said. Even at the point where an attacker was 5.5 metres away from the phone, the study found there was no difference in success rates.

An earlier study piqued Mr. Khan’s interest in the subject. Forty-eight per cent of that study’s 174 participants admitted to shoulder surfing before, though only 6 per cent were looking for access information. The No. 1 defence from surveyed victims of shoulder surfing was to tilt their body or phone display away. “It was subtle enough,” Mr. Khan said.

But a question emerged: How effective is that tactic?


A better strategy for those concerned about privacy would be to cover the screen with one hand while entering passwords, Mr. Khan said. “The problem with that is if you have your spouse, your sister, someone who’s close to you,” he said. Explicitly shielding your passwords from loved ones may lead to perceived issues with trust.

Better still would be changes at the software level, he suggested. While the tech industry is constantly developing new biometric lock options, such as fingerprint and facial recognition, traditional lock mechanisms such as PINs, passwords and pattern locks remain as a fallback. Mr. Khan recommends much longer passwords be used, or randomized keypads that are harder to duplicate from sight alone.
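The randomized-keypad idea is simple to picture in code. The following is an added illustration written for this article, not code from the University of Waterloo study or from any phone vendor: it draws a fresh, unpredictable digit layout per unlock attempt, shows that the phone can still decode the PIN from the key slots touched, and counts how many PINs remain consistent with what an observer across the room can see (only the touch positions) when the layout is unknown to them. The slot numbering and the helper names are assumptions made for the example.

```python
import math
import secrets
from typing import List

# Conventional phone keypad order, read left-to-right, top-to-bottom.
# Slot 0 is the top-left key, slot 9 the bottom-centre key (assumed numbering).
FIXED_LAYOUT = "1234567890"


def random_keypad_layout() -> List[str]:
    """Return the ten digits in a fresh, unpredictable order.

    Index i is the physical key slot; the value is the digit drawn in that
    slot for this unlock attempt. secrets.randbelow is used so the
    permutation cannot be predicted from earlier layouts (random.shuffle
    with a guessable seed would undo the benefit).
    """
    digits = list(FIXED_LAYOUT)
    for i in range(len(digits) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        digits[i], digits[j] = digits[j], digits[i]
    return digits


def is_valid_layout(layout: List[str]) -> bool:
    """Every digit must appear exactly once, or the user could not type their PIN."""
    return sorted(layout) == sorted(FIXED_LAYOUT)


def slots_pressed(layout: List[str], pin: str) -> List[int]:
    """Physical key slots the user touches to type `pin` on `layout`.

    This sequence of positions is all a shoulder surfer can observe from
    a distance; the digits themselves stay on the (tilted) screen.
    """
    slot_of = {digit: i for i, digit in enumerate(layout)}
    return [slot_of[c] for c in pin]


def decode_slots(layout: List[str], slots: List[int]) -> str:
    """What the phone, which knows the layout it drew, reconstructs from the touches."""
    return "".join(layout[s] for s in slots)


def naive_observer_guess(slots: List[int]) -> str:
    """An observer who assumes the conventional fixed keypad maps touches to digits directly."""
    return decode_slots(list(FIXED_LAYOUT), slots)


def candidate_pins(slots: List[int]) -> int:
    """Number of PINs consistent with the observed slots when the layout is unknown.

    The observer learns only which touches landed on the same key. With d
    distinct slots, any injective assignment of digits to those slots fits,
    so 10! / (10 - d)! PINs remain possible. On a fixed keypad the same
    observation narrows the PIN to exactly one candidate.
    """
    d = len(set(slots))
    return math.factorial(10) // math.factorial(10 - d)


if __name__ == "__main__":
    pin = "2580"  # constructed sample PIN
    layout = random_keypad_layout()
    seen = slots_pressed(layout, pin)
    print("layout this attempt :", "".join(layout))
    print("slots observed      :", seen)
    print("phone decodes       :", decode_slots(layout, seen))
    print("fixed-keypad guess  :", naive_observer_guess(seen))
    print("PINs still possible :", candidate_pins(seen))
```

The caveat this makes visible: the 5040 remaining candidates for four distinct touches only hold while the observer cannot read the digits drawn on the screen. At close range, or with a screen that is not tilted away, the attacker sees the layout as well as the finger and the randomization buys nothing, which is why the study's authors pair it with longer secrets rather than treating it as a complete fix.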

“People do not consider it as a serious threat as it is,” Mr. Khan said. “Shoulder surfing happens a lot more than people think it happens, and that’s why it’s something you should be concerned of.”
