Shoulder Surfing Mobile Device Fraud
With the increasing use of mobile devices for banking and contactless payment, a small but significant threat has emerged: loss of the phone together with its access code. Shoulder surfing refers to the thief gaining access to the passcode, by whatever means, before stealing the device. A criminal might secretly record the sign-in, use compromised CCTV footage or simply rely on a skilled eye to study the code as it is entered.
Having obtained the code, the perpetrator can then change it, along with any account details the original owner would need in order to shut down or wipe the device remotely. The thief will still have access to any financial accounts. Contactless payment limits depend on the provider, but for VISA the limit is £100 per transaction without requiring a PIN.
Combatting Shoulder Surfing
- Use different access codes for applications, banking PINs and mobile device locking.
- Do not store access codes as text within applications on a mobile device.
- Use codes that are memorable but not obvious. Bad codes include ‘1234’, ‘2023’ or your date of birth (which may be printed on other documents stolen along with the phone).
- Be aware of your surroundings when entering access codes.
The following strategies depend on the features of the device being protected. A more up-to-date phone is likely to be used for a wider range of functions and, by the same token, will benefit most from the improved security options it offers.
- Use access codes longer than 4 digits. The Apple default is now a 6-digit code, although the 4-digit option is still available. Alphanumeric codes can also be set, making the code much harder to guess.
- Use biometric options such as fingerprint or face recognition.
- Set the device to wipe all data after a set number of failed access attempts (the Apple default is 10). This step should only be taken after the device has been backed up.
- Review whether any applications should be allowed ‘access when locked’ on the device, and remove that permission where it is not needed.