It is the digital attack tactic that even the most inept of hackers could pull off: Attackers nearby or even across the room can study the movement of your finger as you type in your four-digit code.

With that information, they could access all the sensitive information safeguarded in your smartphone – digital access to your bank cards, conversations with your significant other, sensitive work e-mails and even potentially compromising photographs.

It’s called “shoulder surfing.” And a University of Waterloo study of more than 1,000 shoulder surfing attacks, carried out by 30 recruited participants, found that the most common way people try to protect their privacy is actually futile.

“Many people think that tilting the device screen away is going to protect their personal identification number, or PIN,” lead researcher Hassan Khan told The Globe and Mail. Similarly, people believed that if they’re across a room from someone else, their passwords and PINs were safe from that person.

“Not so surprisingly, we found out that – given the known layout of the keypad – a lot of these attackers were able to make these guesses that were pretty correct.”

All experiments were conducted on a Nexus 5 Android device, but the research findings can be applied to any phone with a similar passcode system.

Forty-five per cent of attackers in the study accurately guessed the whole passcode for a tilted-away phone, and another 50 per cent were able to determine it partly. While tilting the device away at an angle of 70 degrees or higher prevented complete guessing of PINs, Mr. Khan and co-authors Urs Hengartner and Daniel Vogel found that smart attackers look for other clues – such as the proximity of someone’s finger to the corner of their phone.

“This was surprising, especially the far distance,” Mr. Khan said. Even at the point where an attacker was 5.5 metres away from the phone, the study found there was no difference in success rates.

An earlier study piqued Mr. Khan’s interest in the subject. Forty-eight per cent of that study’s 174 participants admitted to shoulder surfing before, though only 6 per cent were looking for access information. The No. 1 defence from surveyed victims of shoulder surfing was to tilt their body or phone display away. “It was subtle enough,” Mr. Khan said.

But a question emerged: How effective is that tactic?

A better strategy for those concerned about privacy would be to cover the screen with one hand while entering passwords, Mr. Khan said. “The problem with that is if you have your spouse, your sister, someone who’s close to you,” he said. Explicitly shielding your passwords from loved ones may lead to perceived issues with trust.

Better still would be changes at the software level, he suggested. While the tech industry is constantly developing new biometric lock options, such as fingerprint and facial recognition, traditional lock mechanisms such as PINs, passwords and pattern locks remain as a fallback. Mr. Khan recommends much longer passwords be used, or randomized keypads that are harder to duplicate from sight alone.
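To illustrate why a known keypad layout is what makes observed finger positions useful, and why a randomized keypad undercuts that, here is a short Python sketch added to this article; it is not code from the study or from any phone vendor, and its layouts, PIN and function names are constructed for the example.

```python
import secrets

# Conventional 3x4 phone keypad, indexed as layout[row][col] -> digit (None = blank slot).
STANDARD_LAYOUT = [
    ["1", "2", "3"],
    ["4", "5", "6"],
    ["7", "8", "9"],
    [None, "0", None],
]


def layout_from_order(order):
    """Fill the keypad slots, top-left to bottom-right, with the digits in `order`."""
    it = iter(order)
    return [[next(it) if cell is not None else None for cell in row]
            for row in STANDARD_LAYOUT]


def randomized_layout():
    """A keypad whose digit placement is shuffled with the OS CSPRNG on every unlock."""
    digits = list("0123456789")
    secrets.SystemRandom().shuffle(digits)
    return layout_from_order(digits)


def tap_positions(pin, layout):
    """Where the user's finger lands for each digit of `pin` on this layout."""
    where = {d: (r, c) for r, row in enumerate(layout)
             for c, d in enumerate(row) if d is not None}
    return [where[d] for d in pin]


def infer_pin(observed, assumed_layout):
    """What an observer who saw the tap positions concludes, assuming a layout."""
    return "".join(assumed_layout[r][c] for r, c in observed)


def digits_correct(guess, pin):
    """Partial success: how many digit positions the observer got right."""
    return sum(g == p for g, p in zip(guess, pin))


def demo(pin="1357"):
    # Fixed keypad: positions translate directly into the PIN.
    fixed_guess = infer_pin(tap_positions(pin, STANDARD_LAYOUT), STANDARD_LAYOUT)
    # Randomized keypad: the observer still assumes the standard layout,
    # so the same positions decode to an unrelated digit string.
    rnd_guess = infer_pin(tap_positions(pin, randomized_layout()), STANDARD_LAYOUT)
    return fixed_guess, rnd_guess
```

With a fixed layout the observer needs only positions; with a randomized one the positions alone are worth no more than a blind guess unless the observer also reads the digits on screen.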

“People do not consider it as a serious threat as it is,” Mr. Khan said. “Shoulder surfing happens a lot more than people think it happens, and that’s why it’s something you should be concerned of.”