Shoulder Surfing Mobile Device Fraud

With the increasing use of mobile devices for banking and contactless payment, a small but significant threat has emerged: loss of the phone together with its access code. Shoulder surfing refers to the thief somehow gaining access to the passcode before stealing the device. A criminal might secretly record the sign-in, use compromised CCTV footage or even rely on a skilled eye to study the code.

Having broken the code, the perpetrator can then alter it, together with any details the original owner would need to shut down or wipe the device remotely. The thief will still have access to any financial accounts. Contactless payments depend on the provider, but for VISA the limit is £100 per transaction without requiring a PIN.

Combatting Shoulder Surfing

  • Use different access codes for applications, banking PINs and mobile device locking.
  • Do not store access codes as text within applications on a mobile device.
  • Use codes that are memorable but not obvious. Bad codes might include ‘1234’, ‘2023’ or your date of birth (possibly printed on other documents stolen along with the phone).
  • Be aware of your surroundings when entering access codes.

The following strategies depend on the features of the device being protected. A more up-to-date phone will probably be used for more varied functions and, as such, will benefit from improved security.

  • Use stronger access codes than 4 digits. The Apple default is now a 6-digit code, although the 4-digit option is still available. Alphanumeric codes can also be set, making it much harder to guess the code.
  • Use biometric options such as fingerprint or face recognition.
  • Set the device to wipe all data after a set count of failed access attempts (the Apple default is 10). This step should only be taken after a backup is made of the device.
  • Consider whether any applications should be allowed ‘access when locked’ on the device.
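
The advice above on avoiding obvious codes and on using more than 4 digits can be turned into a simple check, for example when choosing a passcode or writing guidance for staff. This is an added example, not part of the original article; the function names, the 6-character minimum for alphanumeric codes and the sample date of birth are assumptions made for illustration.

```python
from __future__ import annotations
from datetime import date

def dob_variants(dob: date) -> set[str]:
    """Common ways a date of birth gets written as a numeric code."""
    d, m = f"{dob.day:02d}", f"{dob.month:02d}"
    y4 = f"{dob.year:04d}"
    y2 = y4[2:]
    return {d + m, m + d, y4, d + m + y2, m + d + y2, y2 + m + d,
            d + m + y4, m + d + y4, y4 + m + d}

def is_sequence(code: str) -> bool:
    """True for runs such as 1234, 4321 or 456789 (every step is +1 or -1)."""
    steps = {int(b) - int(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})

def passcode_weaknesses(code: str, dob: date | None = None) -> list[str]:
    """Return the reasons a device passcode is easy to guess or to observe."""
    reasons = []
    if code.isdigit():
        if len(code) < 6:  # the article recommends more than 4 digits
            reasons.append("fewer than 6 digits")
        if len(set(code)) == 1:
            reasons.append("single repeated digit")
        if is_sequence(code):
            reasons.append("sequential digits")
        if len(code) == 4 and 1900 <= int(code) <= 2099:
            reasons.append("looks like a year")
        if dob is not None and code in dob_variants(dob):
            reasons.append("derived from date of birth")
    elif len(code) < 6:  # assumed minimum for alphanumeric codes
        reasons.append("fewer than 6 characters")
    return reasons

if __name__ == "__main__":
    sample_dob = date(1985, 7, 14)  # constructed sample, not a real person
    for candidate in ("1234", "2023", "140785", "583920", "kX9#tq2m"):
        found = passcode_weaknesses(candidate, sample_dob)
        print(candidate, found or "no obvious weakness")
```

An empty result only means none of these patterns matched; it does not make a code safe to reuse across banking PINs, applications and the device lock.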
