Physical Attack Vector · Credential Theft

Shoulder Surfing

A low-tech, high-yield attack where an adversary physically observes a target entering sensitive credentials - exploiting proximity, distraction, and public blind spots to harvest passwords, PINs, and authentication data in real time.

⚠ Threat: High
Type: Physical / Social
Vector: Line-of-Sight
👁️ Method: Direct Visual Observation
No malware, no network access required - pure physical presence
📍 Location: Public & Shared Spaces
Cafés, airports, trains, open offices, ATMs, lobbies
📱 Targets: Screens, Keypads & PINs
Passwords, PINs, 2FA codes, card numbers, unlock patterns
🎥 Modern Variant: Camera-Assisted Surfing
Zoomed phone cameras and smart glasses amplify range to 30+ feet
// Attack Scenarios
// Environment: Coffee Shop
┌─────────────────────────────────┐
│ ☕ CORNER COFFEE - WiFi: FREE    │
│─────────────────────────────────│
│                                 │
│ [VICTIM]                        │
│ ┌──────────┐                    │
│ │ ██login██│ ← screen           │
│ │ pass:●●●●│   exposed          │
│ └──────────┘                    │
│                                 │
│ [ATTACKER]                      │
│ "just reading"                  │
│ 📱 zoom ↗                       │
│                                 │
│ ⚠ CREDENTIAL CAPTURED           │
└─────────────────────────────────┘
Coffee Shop Attack
Cramped seating, open laptop screens, and distracted workers create an ideal environment. Attackers pose as regular customers, often sitting at adjacent or rear-facing tables with a direct sightline to the victim's screen.
  • Back-to-wall seating is rare - most users face others directly
  • Work calls reveal company names, project titles, and colleagues
  • Frequent VPN logins and credential entry concentrated in a short window
  • Relaxed environment lowers vigilance compared to office settings
// Environment: ATM Vestibule
┌─────────────────────────────────┐
│ 🏧 FIRST NATIONAL BANK           │
│─────────────────────────────────│
│                                 │
│ ┌───────────┐                   │
│ │  WELCOME  │                   │
│ │ ENTER PIN │                   │
│ │[●][●][●][●]│  [VICTIM]         │
│ └───────────┘                   │
│                                 │
│ [ATTACKER]                      │
│ "waiting in queue" 📷           │
│ or overhead camera              │
│                                 │
│ ⚠ PIN + CARD NUMBER CAPTURED    │
└─────────────────────────────────┘
ATM PIN Harvesting
One of the oldest shoulder surfing environments. Attackers queue close behind, use positioned mirrors or tiny cameras attached to the machine, or film the keypad from a shallow angle to capture PIN entry sequences.
  • Forced proximity - single-file queue normalizes closeness
  • Miniature cameras can be attached to ATM hood in seconds
  • Stolen card + observed PIN = immediate full account access
  • Poor lighting and enclosed vestibules assist concealment
// Environment: Subway / Train
┌─────────────────────────────────┐
│ 🚇 METRO LINE 4 - DOWNTOWN       │
│─────────────────────────────────│
│                                 │
│ ════════════════════════════    │
│ │ [VICTIM]   [ATTACKER]    │    │
│ │ 📱 typing   standing     │    │
│ │   password  behind ↙     │    │
│ │             📷           │    │
│ ════════════════════════════    │
│                                 │
│ Crowding = forced proximity     │
│ Motion = distraction            │
│                                 │
│ ⚠ MOBILE CREDENTIALS CAPTURED   │
└─────────────────────────────────┘
Transit Shoulder Surfing
Crowded trains and buses create unavoidable proximity. Standing passengers have a natural overhead view of seated users' phones and tablets. Commute time drives high-value activity - email login, banking, MFA codes - all visible.
  • Standing angle provides direct top-down view of phone screen
  • 2FA codes entered in transit are extremely high-value targets
  • Background noise and motion increase cognitive load, reduce awareness
  • Victims rarely shift position - route is predictable and extended
// Environment: Open Plan Office
┌─────────────────────────────────┐
│ 🏢 OPEN WORKSPACE - FLOOR 3      │
│─────────────────────────────────│
│                                 │
│ ┌────┐  ┌────┐  ┌────┐          │
│ │ 💻 │  │ 💻 │  │ 💻 │          │
│ └────┘  └────┘  └────┘          │
│ victim  attacker                │
│ (typing VPN pass)               │
│                                 │
│ Also: contractor badge,         │
│ visitor pass, maintenance       │
│                                 │
│ ⚠ INTERNAL CREDS HARVESTED      │
└─────────────────────────────────┘
Insider Threat Variant
Open floor plans eliminate physical privacy. A disgruntled colleague, contractor, or planted insider can observe privileged credentials, admin passwords, or MFA codes from a nearby desk or during a "help session."
  • No physical barrier between workstations - full screen exposure
  • Trusted context means victims don't guard their screens from colleagues
  • IT "help" sessions - admin enters credentials directly on victim's machine
  • Visitor and contractor passes grant floor access to malicious actors
// Environment: Airport Gate / Lounge
┌─────────────────────────────────┐
│ ✈️ GATE B22 - BOARDING 14:45     │
│─────────────────────────────────│
│                                 │
│ Power outlet row:               │
│ ┌──┐ ┌──┐ ┌──┐ ┌──┐             │
│ │💻│ │💻│ │💻│ │💻│             │
│ └──┘ └──┘ └──┘ └──┘             │
│ exec        surfer              │
│ VPN login   watching            │
│             📷 glasses          │
│                                 │
│ ⚠ VPN + EMAIL CREDS CAPTURED    │
└─────────────────────────────────┘
Airport Executive Target
Airports concentrate high-value targets - executives, government officials, and travelling IT staff - in a fatigued, distracted state. Power outlet rows force side-by-side seating. Smart glasses and zoomed cameras can capture screens from 15–30 feet away.
  • Business travellers routinely access VPNs, banking, and sensitive docs
  • Smart glasses record credentials imperceptibly from a distance
  • Fatigue and time pressure reduce screen-shielding behaviour
  • Lounge seating designed for comfort - not privacy or screen shielding
// Attack Flow
🗺️ 01 Venue Selection - Scout location
🎯 02 Target Profiling - Identify mark
🪑 03 Position & Cover - Optimal angle
👀 04 Active Observation - Harvest creds
📝 05 Data Recording - Log / memorize
🚪 06 Exfil & Access - Use stolen creds
🌊 07 Escalation & Pivot - Deeper access
// Step-Through Workflow - Detailed Phase Analysis
// Phase 01 - Reconnaissance
Venue Scouting
Before any attack, the adversary identifies and evaluates locations with high concentrations of target behaviour - credential entry, payment processing, or screen-based work. The ideal venue combines proximity, cover, and predictable victim patterns.
  • Assess density: busy spaces reduce suspicion, but overcrowding limits sight lines
  • Map seating arrangements - bench rows, back-to-back chairs, or standing zones
  • Identify cover props: newspapers, menus, phone angled as if in use
  • Evaluate exit routes to avoid post-capture confrontation
  • Note lighting conditions - bright screens in dim rooms are highly visible
// Attacker Decision Matrix
High Value: Airport lounges, bank ATM vestibules, corporate café concourses

Moderate Value: Public libraries, co-working spaces, fast food restaurants

Lower Value: Isolated venues with few targets and high staff attention
82% of people never use privacy screens in public
30ft max camera-assisted observation distance
// Phase 02 - Target Identification
Selecting the Mark
Not all targets are equal. Attackers perform rapid visual triage to identify individuals with high-value access signals - corporate laptops, premium devices, work-branded accessories, or visible corporate ID badges that suggest elevated system permissions.
  • Corporate laptops with company stickers or security tags signal business access
  • Visible ID badges or lanyards identify employer, often mapping to known systems
  • Professionals on video calls inadvertently display names, org charts, and dashboards
  • Individuals entering PINs at POS terminals are immediate financial targets
  • Users with multiple device logins suggest sysadmin or developer-level access
// High-Value Target Indicators
target_score: {
  corp_laptop: +40pts,
  visible_badge: +30pts,
  work_call: +25pts,
  multiple_auth: +35pts,
  facing_crowd: −20pts,
  privacy_screen: −80pts
}
54% of workers use corporate devices in public weekly
3min avg. attacker target assessment time
// Phase 03 - Positioning
Optimal Angle & Cover
Successful shoulder surfing depends on establishing a position with a clear sightline to the target's screen or keypad while maintaining a plausible, innocuous presence. The attacker minimizes movement and blends entirely into the environment.
  • Optimal angle: 30–60° behind and slightly elevated above the target
  • Cover behaviour: appear to be reading, on a call, or using their own device
  • Camera technique: phone held at waist height angled toward target screen
  • Mirrored sunglasses or reflective surfaces used for indirect observation
  • Patience - wait for the right moment of extended credential entry
// Sightline Geometry
✓ IDEAL 45° rear-elevation, 3–8ft
✓ GOOD Adjacent seat, slight angle
~ OK Directly behind, same level
✗ POOR Head-on / face-to-face angle
✗ FAIL Privacy filter installed
// Cover Props Used
📰 Newspaper / magazine held upright
📱 Own phone positioned as video camera
🕶 Reflective sunglasses for indirect view
👓 Smart glasses with built-in camera
📚 Open laptop angled toward target
// Phase 04 - Active Observation
Harvesting Credentials
With position established, the attacker actively captures credentials through direct observation or recording. This phase exploits distraction moments - phone notifications, conversation interruptions, or fatigue - when the victim's guard drops and credential entry is most likely.
  • Password fields: observe the keystrokes, not the masked characters on screen
  • PIN pads: watch finger travel pattern across the physical keypad layout
  • Pattern unlock: phone swipe patterns visible from 10+ feet away
  • MFA codes: 30-second window - attacker relays in real time via phone call
  • Credit card details: shoulder surf while victim types into checkout form
// What Can Be Captured
🔴 Critical: VPN passwords, SSO credentials, banking PINs

🟡 High: Email logins, MFA codes, unlock patterns

🔵 Medium: Card numbers, personal PINs, app passwords
91% of people never scan surroundings before typing passwords
7sec avg. time to observe and memorize a 6-char password
// Phase 05 - Data Recording
Logging Stolen Data
Captured credentials must be recorded before memory decay. Sophisticated attackers use covert recording tools; opportunistic attackers memorize or use subtle notation methods. Data is correlated with target identification details gathered earlier.
  • Video recording: phone or glasses footage reviewed in slow motion post-attack
  • Discreet notation: typing into a notes app appearing to send a message
  • Memory technique: chunked memorization (first 4 chars, pause, last 4)
  • Target context logged: employer, visible app names, device type
  • Rapid exfil via AirDrop or encrypted messaging to handler if team-based
// Covert Recording Tools
📱 Smartphone camera - silent shutter, zoom lenses

👓 Smart glasses - Ray-Ban Meta, custom builds; imperceptible recording

🕰 Wearable cameras - disguised as watches, badge clips, pens

🖥 Screen capture apps - for insider threat scenarios at shared workstations
// Detection Risk at This Stage
Very Low - Recording appears identical to normal phone use. Without active CCTV review, covert cameras are rarely identified. Most victims never know they were observed.
// Phase 06 - Initial Access
Using Stolen Credentials
With credentials in hand, the attacker attempts immediate access - ideally before the victim's session expires or a password change is triggered. Speed is critical; attackers typically attempt access within minutes from a remote location to avoid physical association.
  • Immediate login attempt from separate device on different network
  • VPN credentials used to enter the corporate network directly
  • Banking PIN used alongside cloned or stolen card at nearby ATM
  • Email login grants access to password reset flows for linked accounts
  • SSO cascade: one credential unlocks Slack, GitHub, AWS, Salesforce simultaneously
// Access Timeline (Minutes)
[T+0:00] Credential observed + recorded
[T+0:03] Attacker exits venue / moves away
[T+0:08] Login attempt - VPN / email
[T+0:11] SUCCESS - session established
[T+0:15] Inbox rules modified, data copied
[T+1:00] Password reset links issued
[T+???] Victim unaware - no alert fired
<10m median time from credential capture to first use
0% of shoulder surfing attacks trigger IDS/IPS alerts
// Phase 07 - Escalation & Pivot
Deeper Network Access
A single observed credential is often just the entry point. Attackers leverage initial access to escalate privileges, pivot across systems using SSO and credential reuse, and establish durable persistence - transforming a brief moment of physical observation into a sustained breach.
  • SSO abuse: enterprise login unlocks dozens of SaaS platforms simultaneously
  • Credential stuffing: reuse observed password across other services
  • Password manager compromise: master password observed = all passwords exposed
  • Register persistent OAuth apps to survive future password resets
  • Internal phishing from compromised account to gain higher-privilege access
// Password Manager Attack
The single most dangerous shoulder surfing scenario: if an attacker observes a password manager master password, they gain access to every stored credential - email, banking, corporate VPN, cloud infrastructure - in a single cascade. One observation = total account takeover.
65% of users reuse passwords across multiple accounts
197d avg. dwell time before breach detected
// Defensive Countermeasures
🔲 Privacy Screen Filters
Polarised privacy screen protectors limit viewing angle to ±30°, making screens unreadable from shoulder surfing positions. First line of defence for all mobile workers.
🧠 Situational Awareness Training
Train staff to scan surroundings before credential entry, seek back-to-wall seating, and recognise suspicious positioning behaviour near keypads or ATMs.
🔑 FIDO2 / Passkeys
Hardware-bound authentication eliminates typed passwords entirely. Even if a passkey gesture is observed, it cannot be replayed without the physical device and biometric.
⏱️ Short-Lived Tokens & MFA
TOTP codes expire in 30 seconds. Observed codes become worthless within half a minute. Combined with FIDO2, this eliminates the observability window entirely.
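The 30-second expiry above is only half of the defence. As the Active Observation phase notes, a code observed and relayed within its window is still valid, so the verifier also has to refuse a code it has already accepted for that time step. The following is an added example, not the page's own code, implementing RFC 6238 TOTP over HMAC-SHA1 with a verifier that enforces both checks; the secret and timestamps are constructed for the demonstration.

```python
"""
TOTP with expiry and single-use enforcement (added example).

totp()         - RFC 6238: HOTP over the 30-second time counter
TotpVerifier   - accepts a code only for the current step and only once
demo()         - walks the observe-and-relay timeline from the text
"""
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 default time step, matching the 30-second window above
DIGITS = 6

# Constructed demo secret; real secrets are random, per user, and never hard-coded.
DEMO_SECRET = b"constructed-demo-secret-not-real"


def totp(secret, unix_time, step=STEP, digits=DIGITS):
    """Compute the TOTP value for the step containing unix_time."""
    counter = int(unix_time) // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class TotpVerifier:
    """Server-side check: right code for the current step, never accepted twice."""

    def __init__(self, secret):
        self.secret = secret
        self.used = set()                            # (counter, code) already accepted

    def verify(self, code, unix_time):
        counter = int(unix_time) // STEP
        expected = totp(self.secret, unix_time)
        if not hmac.compare_digest(code, expected):  # wrong, or its step has rolled over
            return "rejected: wrong or expired code"
        if (counter, code) in self.used:             # observed code relayed in-window
            return "rejected: code already used this step (replay)"
        self.used.add((counter, code))
        return "accepted"


def demo():
    """Replay the timeline: victim logs in, attacker relays the observed code."""
    verifier = TotpVerifier(DEMO_SECRET)
    t0 = 1_700_000_010                # constructed; exactly the start of a 30-second step
    observed = totp(DEMO_SECRET, t0)  # the code seen over the victim's shoulder
    return {
        "victim_login": verifier.verify(observed, t0 + 2),
        "relayed_within_step": verifier.verify(observed, t0 + 20),
        "used_after_expiry": verifier.verify(observed, t0 + 45),
        "fresh_code_next_step": verifier.verify(totp(DEMO_SECRET, t0 + 45), t0 + 45),
    }


if __name__ == "__main__":
    for event, outcome in demo().items():
        print(f"{event:22s} -> {outcome}")
```

Two practical notes. Most deployments also accept the adjacent time step to tolerate clock skew, which widens the usable window to roughly 90 seconds; the single-use set is what keeps that tolerance from becoming a replay window. And if the attacker relays the observed code before the victim submits it, the verifier will accept the attacker and reject the victim, so a legitimate user's "already used" rejection is itself worth alerting on.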
🖐️ Physical PIN Shielding
Cover the keypad with your free hand while entering PINs at ATMs and POS terminals. Simple, cost-free, and defeats both direct observation and planted camera attacks.
📋 Clean Desk & Screen Policy
Mandate auto-lock after 30 seconds, enforce privacy screens for all mobile workers, and prohibit credential entry in high-risk public venues without VPN and screen protection.