Shoulder Surfing Mobile Device Fraud

With the increasing use of mobile devices for banking and contactless payment, a small but significant threat has emerged: loss of the phone together with its access code. Shoulder surfing refers to the thief obtaining the passcode before stealing the device. A criminal might covertly film the owner unlocking the phone, use compromised CCTV footage, or simply rely on a practised eye to read the code as it is typed.

Knowing the code, the thief can change it, and with it the account details (for example the Apple ID or Google account password) that the original owner would need to locate, lock or wipe the device remotely. The thief then retains access to any financial accounts on the phone. Contactless payment limits depend on the provider; for Visa in the UK the limit is £100 per transaction without a PIN.

Combating Shoulder Surfing

  • Use different access codes for applications, banking PINs and the device lock itself.
  • Do not store access codes as plain text in notes or other applications on the device.
  • Use codes that are memorable but not obvious. Bad codes include ‘1234’, ‘2023’ or your date of birth (which may be printed on other documents stolen along with the phone).
  • Be aware of your surroundings when entering access codes.

The following measures depend on the features of the device being protected. A more recent phone is likely to be used for a wider range of functions, and also offers stronger protections, so it is worth enabling them.

  • Use an access code longer than 4 digits. The Apple default is now a 6-digit code, although the 4-digit option is still available. An alphanumeric code can also be set, which makes the code much harder to guess or to read over a shoulder.
  • Use biometric options such as fingerprint or face recognition, so that the code is typed in public less often.
  • Set the device to wipe all data after a set number of failed unlock attempts (on iOS the ‘Erase Data’ option does this after 10 failed attempts). Only enable this once a backup of the device has been made.
  • Review which features are allowed ‘access when locked’ (on iOS, under Face ID & Passcode) and disable any that are not needed.
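As an added example (not code from the original post), the following Python check encodes the passcode rules from the two lists above: a minimum of six digits, a length floor for alphanumeric codes, and rejection of the obvious choices such as ‘1234’, ‘2023’ or a date of birth. It goes slightly beyond the text by also catching repeated digits and straight lines on the keypad. The thresholds, the keypad patterns and the short common-PIN list are assumptions for illustration, and the sample inputs and date of birth are constructed.

```python
"""Passcode policy check for the weak codes the text warns about.

Added example, not code from the original post. The rules, thresholds and
keypad patterns below are assumptions chosen to illustrate the advice.
"""
from __future__ import annotations

from datetime import date

MIN_DIGITS = 6          # assumption: numeric PINs must be at least 6 digits
MIN_ALNUM_LENGTH = 8    # assumption: alphanumeric passcodes must be at least 8 characters

# Straight lines down/up the middle column of a phone keypad (assumption: a
# deployment would extend this with the other columns and diagonals).
KEYPAD_PATTERNS = {"2580", "0852"}

# Short, constructed denylist of commonly chosen PINs; a real policy would
# load a published list.
COMMON_PINS = {"1234", "1111", "0000", "1212", "7777", "123456", "111111", "000000"}


def _is_repeated(digits: str) -> bool:
    """True for codes made of one digit only, e.g. 1111 or 000000."""
    return len(set(digits)) == 1


def _is_sequence(digits: str) -> bool:
    """True for runs stepping by exactly +1 or -1 throughout, e.g. 1234, 0123, 654321."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps in ({1}, {-1})


def _looks_like_year(digits: str) -> bool:
    """True for 4-digit codes in the range a person would pick as a year."""
    return len(digits) == 4 and 1900 <= int(digits) <= date.today().year + 1


def _dob_forms(dob: date) -> set[str]:
    """The ways a date of birth is commonly typed as a PIN (DDMM, MMDD, DDMMYY, YYYYMMDD ...)."""
    d, m, y = f"{dob.day:02d}", f"{dob.month:02d}", f"{dob.year:04d}"
    yy = y[2:]
    return {d + m, m + d, m + yy, yy + m, d + m + yy, m + d + yy, yy + m + d,
            d + m + y, m + d + y, y + m + d, y}


def check_passcode(code: str, dob: date | None = None) -> list[str]:
    """Return the reasons a passcode is weak; an empty list means it passes.

    `dob` is optional: when the date of birth is known (for instance from an
    account profile) codes derived from it are rejected as well.
    """
    problems: list[str] = []
    if not code.isdigit():
        # Alphanumeric passcode: the digit heuristics do not apply, only a length floor.
        if len(code) < MIN_ALNUM_LENGTH:
            problems.append(f"alphanumeric passcode shorter than {MIN_ALNUM_LENGTH} characters")
        return problems
    if len(code) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    if code in COMMON_PINS:
        problems.append("on the common-PIN list")
    if _is_repeated(code):
        problems.append("single repeated digit")
    if _is_sequence(code):
        problems.append("ascending or descending digit run")
    if code in KEYPAD_PATTERNS:
        problems.append("straight line on the keypad")
    if _looks_like_year(code):
        problems.append("looks like a year")
    if dob is not None and code in _dob_forms(dob):
        problems.append("derived from date of birth")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; the date of birth is made up.
    sample_dob = date(1990, 3, 15)
    for candidate in ("1234", "2023", "150390", "2580", "493017", "ab12", "correct-horse-9"):
        verdict = check_passcode(candidate, sample_dob) or ["ok"]
        print(f"{candidate:>16}: {', '.join(verdict)}")
```

The date-of-birth check is the part worth noting: the same number the advice warns against appears in many layouts (day-month, month-year, full year), so the check compares against every common layout rather than a single string.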
