CIO article for Tanium by Jason Bloomberg
Purchase a cheap card swipe cloner off the Dark Web. Distract a hotel housekeeper for a moment and clone their master key.
Use your mark’s email address to access a login page. Choose to reset the password and have the code sent to the mark’s phone. Check their voicemail using the default last four digits of the number as the PIN.
Watch someone accessing their bank info or email account on their laptop in an airport lounge. They log off to get a drink but leave the laptop open. Quickly reset their password, sending the code to their phone which they conveniently left by their computer. Read the code off the phone screen without even unlocking the phone.
Or perhaps the easiest of all: wait for your victim to step away from their unlocked workstation and quickly copy down their plaintext passwords from their password manager app.
There are multiple takeaways from the examples above. First, attack surfaces continue to expand dramatically. The number and variety of endpoints are limited only by the imagination of the cybercriminal.
Second, none of these attacks requires much technical sophistication. Even the Dark Web might be optional. Simply google for a variety of tools to accomplish the malicious goal.
But perhaps most importantly: no amount of expensive cybersecurity gear will keep someone from typing in their password in view of prying eyes, losing sight of their RFID badge for a moment, or unlocking their phone in the presence of a threat actor. In recent years, researchers have reported that 73% of mobile device users have (deliberately or accidentally) observed someone else’s PIN being entered.
Multifactor authentication and employee training help, but given time and opportunity, even less-experienced attackers can break into poorly secured accounts.
This basic type of social engineering attack is called shoulder surfing.
The simplest examples indeed involve looking over someone’s shoulder. The problem with shoulder surfing attacks is that there is no way to prevent all of them. Some of them are bound to succeed.
As with the more widely known phishing attacks, all it takes is one vulnerable individual to break into an account—or into an entire organization.
Shoulder surfing mitigation: start with good cyber hygiene
Prevention will never stop all attacks, but an ounce of cyber hygiene still goes a long way. MFA is a must-have. Employee training should also include shoulder surfing awareness.
You already have some form of social engineering mitigation (or if you don’t, then you should!). Shoulder surfing is technically a form of social engineering, but it differs from the more familiar approaches insofar as the target is often completely unaware they’re being pwned.
Social engineering prevention techniques focus on awareness of social interactions and identifying suspicious behaviors. While this is an important piece of the puzzle, some attacks will still go unnoticed, no matter how diligent the victim is.
Perhaps most important: adopt a zero-trust philosophy across your organization and cybersecurity roadmap. There is no longer any such thing as perimeter security. Do not grant trust without real-time evaluation of whatever network, device, or user account is accessing a resource. Trust, after all, is the most valuable asset an attacker can exploit.