COWABUNGA…SURFING'S UP!  by Dstringer

In several blogs now, we have discussed Social Engineering and other means of compromising security in this technical age.  While technological advancement has no doubt made life much more interesting and convenient, it has also caused much more danger and frustration.

So it is no wonder that many of my blogs are dedicated to security awareness and prevention.  This one is no different.  A technological development that was designed primarily for convenience has once again been turned against its users by the "bad guys"...the ATM machine.

The new security catch phrase of which everyone must be aware is "Shoulder Surfing".

What is it...?

SHOULDER SURFING - The practice of spying on the user of an ATM, computer, or other electronic device in order to obtain their personal access information.

Just this morning while I was listening to the local news channel, the lead story was a "Shoulder Surfing" incident in Torrance, California involving Bank of America.

It seemed that BofA was being targeted because there was a substantial delay before a session ended when logging out of their ATM machines...a delay long enough that a "bad guy" who had "shoulder surfed" a customer and memorized their PIN could step up after the customer walked away, punch in the PIN before the session closed, and drain the account of funds!

And note, "shoulder surfing" is not limited to the ATM...

Shoulder surfing is particularly effective in crowded places because it is relatively easy to observe someone as they:

  • fill out a form
  • enter their PIN at an automated teller machine or a POS terminal
  • use a calling card at a public pay phone
  • enter passwords at a cybercafe, public and university libraries, or airport kiosks
  • enter a code for a rented locker in a public place such as a swimming pool or airport.

Let’s add to that the following opportunities which can also be easily exploited by a “shoulder surfer”:

  • Entering personal information on your laptop while sitting next to a stranger. Are you aware of where that stranger’s attention is being focused?
  • Entering credit card information on your hand-held tablet while the person in line next to you shoots video from his phone. Is that camera aimed in your direction?
  • Confirming your hotel reservation with credit card information while talking on your cell phone. Can your conversation be overheard?

So, what do you do to limit the risk?

In regard to ATMs, the advice seems like common sense.  Yet, Republic Bank regularly advises its customers on the following points...

  • Always hide your PIN
  • Stand as close as possible to the ATM machine, so that your body will shield the machine
  • Use your hands to protect your PIN, by covering the number pad
  • NEVER reveal your PIN to anyone

And, of course, it bears repeating the best tips for avoiding identity theft of any kind...

  1. Regularly check your statements.
  2. Report discrepancies to the bank immediately.
  3. Watch your credit. Monitor your credit and protect against identity theft. Equifax Credit Watch™ delivers the peace of mind you deserve, quickly and easily! Order copies of your credit report every year from each of the three major credit reporting agencies. They are: Equifax, 800-685-1111, P.O. Box 105851, Atlanta, GA 30348; TransUnion, 800-888-4213, P.O. Box 1000, Chester, PA 19022; and Experian, 888-397-3742, P.O. Box 2002, Allen, TX 75013. Report errors promptly and in writing.
  4. Never disclose your personal data. Never divulge information such as Social Security number, birth date, or mother's maiden name unless you initiate the transaction. On paper documents, don't include such data unless required to do so on an official application for employment, financing, or insurance. Never put such information on personal Web pages or publicly posted résumés or directories.
  5. Don't carry ID that contains sensitive data like your Social Security number unless absolutely necessary.
  6. Safeguard your driver's license and other government ID at all times. Lock desks, cabinets, and safes containing such information in your office and home.
  7. Shred and destroy. Before throwing out files containing Social Security numbers, account numbers, and birth dates, shred them with a cross-cut shredder. Destroy CDs or floppy disks containing sensitive data by shredding, cutting, or breaking them. Use hard-drive shredding software or remove and destroy your hard drive before discarding a computer. Just deleting files isn't enough.
  8. Guard mail. Consider using a locked mailbox or slot to receive mail at home. Deposit mail in postal mailboxes or in the post office to discourage mail theft.
  9. Avoid skimming. Try not to let waiters, sales clerks, or gas-station attendants disappear from view with your credit or debit card, to avoid "skimming." Crooks can use a handheld card reader to copy the information from your card's magnetic strip.
  10. Avoid using private or strange-looking automated teller machines. They may be rigged to skim data off your card's magnetic strip. Six- or seven-character PINs (personal identification numbers) are harder to crack than shorter ones, but you may not be able to use them at machines abroad.
  11. Watch out for "shoulder surfers" when using pay phones or public Internet access. Use your free hand to shield the keypad.
  12. Don't use cordless phones to conduct sensitive financial or medical business, because eavesdroppers on other phones and those using eavesdropping equipment may be able to overhear your conversations.
  13. Firewalls and virus software. Install firewalls and virus-detection software on your home computers to discourage hackers.
  14. Log off. Quit your browser and log off after using public Internet-access computers in libraries, Internet cafes, and the like. Don't pay bills, bank, or conduct other financial transactions on public computers. If you have a high-speed Internet connection at home, unplug the computer's cable or phone line when you are not using it to discourage hackers.
  15. Deal only with reputable Web sites. Check privacy and security policies of Web sites before making purchases, trading stocks, or banking online. A professional-looking Web site is no guarantee of security. Don't respond to unsolicited e-mail requests for personal information. Call the company if you are unsure of the site.
  16. Report suspicious activity to the FTC. Send the actual spam to [email protected]. If you believe you've been scammed, file your complaint at, and then visit the FTC's Identity Theft Web site ( to learn how to minimize your risk of damage from identity theft. Visit to learn other ways to avoid email scams and deal with deceptive spam.

And finally, remember...if it sounds too good to be true, it probably is.

Unfortunately, it will forever be a battle to stay on top of criminal activity...and the battle has become unique with the addition of modern technology.

So, we must remain ever diligent to continue to protect ourselves and our identity.