Shoulder surfing is a social engineering act of looking over a user's shoulder to gain unauthorized data. A prime example of shoulder surfing is watching someone's keystrokes as they type their password. Password theft via shoulder surfing is not easily trackable, but dangerous nonetheless. Anti-shoulder surfing mechanisms must be used to prevent credential theft.

Remember in the movie Snowden, when Edward Snowden threw a blanket over himself and his laptop to avoid anyone from seeing his password typed? He was preventing shoulder surfing, whether intentional or unintentional. Data targeted for theft by criminals through shoulder surfing can include login credentials, debit card PINs for bank access, and more.

Advanced forms of shoulder surfing involve criminals using high-powered binoculars to watch people type credentials from afar. Another example is using CCTV and other video footage to record a person's keystrokes at their computer in a coffee shop or at an ATM. Sometimes, even public cameras can show a person's login information.

How to Prevent Shoulder Surfing

There are different defenses for different types of shoulder surfing. But some of the best practices for mitigating shoulder surfing risk are

• Avoid letting any bystanders see you type your username and password in public. We very weary of typing your password outside of secure places. Even the footage of security cameras of a private establishment, such as a restaurant, could be seen by malicious actors. 
• Use a privacy screen on your monitor to prevent bystanders from seeing content on your computer. But even with this defense, people can still see you type your password on your keyboard.
• Using 2FA prevents anyone that was able to see you type your password from logging in. 2FA acts as the second layer of protection in case the username and password are compromised.
• Using a passwordless login method prevents bystanders from seeing you type your passwords at all. 
• Utilize a password manager to ensure that all, if not most, of your passwords do not have to be typed manually.