Visual hacking, also dubbed shoulder surfing, is the act of accessing sensitive or relevant data by taking advantage of a physical position that allows the intruder to visualize another person’s device screen. Variations consist in determining the password from the most worn out keyboard key or taking pictures of another person’s display/gear, photos that will later be used to retrieve significant information.
This behavior may be just an annoying habit or it might represent an intentional, continuous data retrieving activity. Having visual hackers around is extremely problematic in public places and in work environments, since the victims are either unaware of the real issue, or are embarrassed to draw (or keep on reinforcing) the normal limits when private data is concerned.
Although CIO reacted to the term of visual hacking with a post that denies the cyber-security implications of visual hacking, the matter deserves some attention, especially when considering it in the context of an enterprise environment.
The study on visual hacking
The Ponemon Institute approached this insider threat in a study entitled Visual Hacking Experiment. The Visual Adisory Council (VPAC) sponsored the study conjoined with 3M Company, a business solutions provider headquartered in St. Paul, Minneapolis. We will note that 3M markets their own visual hacking deterrent product.
The study, released a year ago, underlines how this method of visually accessing information is fast, easy, tailored for open spaced offices and presents risks in what companies’ data and assets are concerned. In order to test these allegations and provide study cases, false part-time employees worked in the offices of eight U.S. companies and managed to get sensitive information in a percent of 88 of the cases, without anybody acting out to stop them (in 70% of the cases). The companies came from relevant sectors, such as global financial services, IT services or national banking; various functional areas were tested (customer services, sales management, data center operations and so on).
The targeted information comprised personally identifiable information (PII), customer data, credentials, various relevant business information and documents. As the experiment revealed, the most hacked type of data regarded the contact list and directory, followed by customers and consumers information. Screens listed second after desktops as the prevalent information retrieval areas, and sensitive information was in proportion of 20%, as opposed to ordinary business-related information. Out of the 20 percent mentioned, 47 percent represented access and login credentials, followed by classified or confidential documents.
All it took for a complete visual hack was less than 15 minutes in 45 percent of the cases.
This white hat hacking method is not overwhelmingly widespread, at least not according to this study results, but it is however present and may represent a reason for concern when a company decides to avoid all risks and follow a security strategy in detail. The 3M website designates the results as being “alarming”, but then again, there company has its own agenda. In order to prevent this type of data theft, 3M offered a solution – a solution deemed ridiculous by CIO, since their article denied visual hacking being a real risk.
However, there are examples where visual hacking is seriously taken into consideration by security professionals. A specialized provider’s website lists visual hacking as being the second IT security risk for 2016, following Java security risk – yet the quoted source is the same Ponemon study.
For further Ponemon study related details, there is also an available website under the aegis of the Visual Privacy Advisory Council, labeled “stopvisualhacking”.
Solutions for preventing visual hacking
If the radical position manifested by CIO by not even admitting visual hacking/shoulder surfing as a real threat has made a lasting impression, it would be useful to check this CSO Online article that takes the opposite approach. In fact, the CSO article is a response to the CIO post – and it counter-arguments their “visual hacking is not hacking” allegation completely.
In conclusion, while the cyber-security online editors may have opposite views, the potential targets could go by the saying “better safe than sorry” and try to reduce the data theft risks to the minimum.
As means to a more secure end, there are two types of approaches that can be employed conjointly for better efficacy:
- Establishing a special section in your company cyber-security strategy that would cover any possible visual hacking incidents: inform and train your employees to be aware of the potential risk situations and be able to take the appropriate measures if necessary (usually people avoid confronting the intruder, therefore establish rules and insist they are respected and enforced, even between coworkers); set rules in what desktop customization is concerned, such as setting the screen to switch off when unused and further requiring authorized login; also tackle the situations where work is taken outside the company premises in various mobility instances and the possible mobile privacy issues.
- Employ special tools against visual hacking, such as privacy filters for laptops (here is an older article on HP integrated privacy filters and you may also check the 3M easy-on privacy filters on their webpage), or smartphone filters.
Depending on the number of employees a company has and on its retention rates, investing in training and monitoring work habits might be efficient, or, on the contrary, might prove insufficient. Deciding to go for the human awareness policy or for both a cyber-security strategy and the privacy tools is up to each company.
Visual hacking remains a debatable issue and there are various ways in which it can be resolved. As a final suggestion, check this simple question an employee addressed on a cyber-security webpage: “How should I securely type a password in front of a lot of people?” and the answers it received.
