Shoulder surfing at ATMs is a social engineering technique used by cyber-criminals to obtain data such as passwords, Personal Identification Numbers (PINs), and other private information. The cyber-criminal glances over the victim’s shoulder to gather the data. Shoulder surfing generally occurs in crowded places. It does not require technical skills, only careful observation of the user’s typing pattern and the ATM surroundings. Criminals also use eye-tracking technology to identify the password or PIN entered by the ATM user.
There are two types of shoulder surfing methods used by cyber-criminals, namely direct monitoring attacks and recording attacks.
In direct monitoring attacks, the data is obtained directly by the person who is watching the authentication sequence. Recording attacks, by contrast, involve recording the authentication sequence. Direct monitoring attacks are weaker, as the capacity of the attack is limited to what a human can observe, whereas recording attacks equipped with automatic recording devices have a stronger impact. Other than capturing ATM PINs and passwords, shoulder surfing can uncover private content on mobile devices. Shoulder surfing attacks fall under the low-technology category of ATM attacks.
In shoulder surfing attacks, cyber-criminals follow the ATM user into the ATM enclosure and peep over their shoulder to obtain PINs and other sensitive information. Once criminals have the PINs and other sensitive customer data, they either initiate transactions or make fake ATM cards and use them to shop.
In recording attacks, hidden cameras and secret microphones are installed at the ATM without the knowledge of customers to record the data entered by ATM users. The data is later retrieved by cyber-criminals and used for illegal activities.
Precautions for users to tackle shoulder surfing:
• Avoid entering credit card details and filling in checkout pages in public places.
• Take some time to look around the ATM and check on the other ATM users. If any irregular behaviour is observed, stop the transaction and inform the respective authorities.
• Never share your ATM card’s password or PIN with anyone.
• Cover the keypad while entering the PIN, and never leave the card inside the ATM.
• Never disclose your ATM PIN to strangers, and never take the help of strangers to make transactions.
• Check for hidden cameras and microphones before and during the transaction.
• Don’t let strangers stand in close proximity to the ATM while you are making a transaction.
• Report to bank officials immediately if you discover any additional device at the ATM that you feel should not be there.
• Wait at the machine and make sure that the transaction is completed and the session is closed.
• Always tear up and carefully dispose of the ATM receipt.
• Press No/Cancel/Exit before leaving the ATM if the machine asks whether you want another transaction.
Methods that can be used to prevent shoulder surfing:
Rand Word: Random word generation technology is adopted to overcome shoulder surfing. Implementing random word generation makes it challenging for attackers to spot the PIN of the ATM account holder during a transaction, because the technology uses the English alphabet to create a new one-time password for every transaction, and each password is built from a unique random selection of letters.
Color pass method: The color pass interface is designed for the partially observable attacker model. In this model the attacker is assumed to be unable to see the challenge values generated by the system while the customer is using the ATM, but is able to observe the user’s response; because the response depends on a challenge the attacker never saw, observing it alone does not reveal the PIN.
Gaze-based password entry: Gaze-based password entry allows the user to enter the password by looking at the required characters. The method uses eye-tracking technology and can be applied both to on-screen keyboard systems and to graphical password systems. Researchers developed this method to counter shoulder surfing on mobile devices.
Measures used by banks to tackle shoulder surfing at ATMs:
• Cameras installed inside the ATM by the bank monitor for shoulder surfing attacks, and action is taken if any irregular activity is found.
• Regular inspection of the ATM helps to remove unwanted devices if they have been installed by cyber-criminals.
• Keypads with privacy covers are fitted in the ATM to protect the privacy of ATM users.
• The ATM screen uses a privacy filter so that it appears dark to everyone except the person standing directly in front of the machine; attackers standing to the side are therefore unable to see the details entered by the ATM user.
The threat of shoulder surfing should not be underestimated; take the necessary measures to guard your ATM network. The banking security experts at Netsentries have developed a series of hands-on vulnerability assessments that look at the entire ATM environment. We can identify software, hardware, and communication protocol vulnerabilities that could be exploited and provide remediation measures to effectively resolve them.
Please visit our website to learn more about our ATM Security Assessment Services.