Understanding Shoulder Surfing in the Wild: Stories from Users and Observers

Malin Eiband, M. Khamis, Emanuel von Zezschwitz, Heinrich Hussmann, Florian Alt. Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems.

Research has brought forth a variety of authentication systems to mitigate observation attacks. However, there is little work about shoulder surfing situations in the real world. We present the results of a user survey (N=174) in which we investigate actual stories about shoulder surfing on mobile devices from both users and observers. Our analysis indicates that shoulder surfing mainly occurs in an opportunistic, non-malicious way. It usually does not have serious consequences, but evokes… 

The Interplay between Personal Relationships & Shoulder Surfing Mitigation

It is shown that the user-observer relationship impacts the choice of mitigation methods and that users often do not want observers to know they were caught, with implications for designing socially acceptable privacy protection mechanisms on mobile devices.

Communicating Shoulder Surfing Attacks to Users

This work presents a shoulder surfer detection mobile application, called DSSytem, and reports on a focus group that helped to design this system and on the results of a user study, in which vibro-tactile feedback resulted in the lowest reaction time of the participants and was also favoured throughout the follow-up semi-structured interviews.

An Investigation of Shoulder Surfing Attacks on Touch-Based Unlock Events

It is found that only a small fraction of shoulder surfing incidents that occur during authentication are actually perceived as threatening, which suggests that the notions of (un)safe places need to be rethought.

Understanding Bystanders’ Tendency to Shoulder Surf Smartphones Using 360-degree Videos in Virtual Reality

360-degree videos in Virtual Reality (VR), recorded in staged real-life situations on public transport, are proposed as a way to gain novel insights into observers’ tendency to shoulder surf another person’s phone authentication and interaction.

Shoulder Surfing through the Social Lens: A Longitudinal Investigation & Insights from an Exploratory Diary Study

This work advocates moving away from one-size-fits-all privacy solutions and supports the design of user-centred shoulder surfing mitigation methods that consider social aspects, and concludes with directions for future research to assist security researchers and practitioners.

Understanding Shoulder Surfer Behavior and Attack Patterns Using Virtual Reality

An understanding of factors influencing shoulder surfing behavior is derived, common attack patterns are revealed, and a behavioral shoulder surfing model is sketched to serve as a basis for creating novel approaches to mitigate shoulder surfing.

User strategies for mobile device-based interactions to prevent shoulder surfing

This work performs a user study observing 32 participants interacting with smartphones using different kinds of eyes-free device-based interaction techniques, and identifies several strategies that users had to prevent shoulder surfing.

Understanding Shoulder Surfer Behavior Using Virtual Reality

This work investigates shoulder surfing using virtual reality (VR) to derive an understanding of factors influencing shoulder surfing behavior; it recruited 24 participants and observed their behavior in two virtual waiting scenarios.

PrivacyScout: Assessing Vulnerability to Shoulder Surfing on Mobile Devices

This work investigates three common types of content susceptible to shoulder surfing: text, photos, and PIN authentications and presents PrivacyScout – a novel method that predicts the shoulder-surfing risk based on visual features extracted from the observer’s face as captured by the front-facing camera.

Shoulder Surfing: From An Experimental Study to a Comparative Framework




Is Anyone Looking? Mitigating Shoulder Surfing on Public Displays through Awareness and Protection

This work provides participants with awareness of shoulder-surfing moments, which in turn helps both parties regulate their behaviours and mediate further social interactions, and provides methods that protect information when shoulder surfing is detected.

Pitfalls of Shoulder Surfing Studies

This work reviews empirical studies that evaluate the resilience of various PIN entry methods against human shoulder surfers and distills a set of recommendations that it believes should be followed to ensure that studies of this kind are comparable and that their results can be interpreted well.

Now you see me, now you don't: protecting smartphone authentication from shoulder surfers

The results indicate that switching the sides increases security while authentication speed stays relatively fast (≤ 4 seconds), and insights on accuracy of eyes-free input (as used in XSide) are provided.

My Scrawl Hides It All: Protecting Text Messages Against Shoulder Surfing With Handwritten Fonts

This work proposes to display the text in the user's handwriting, assuming that people can read their own handwriting more easily and faster than strangers can, to protect text messages on mobile devices from shoulder surfing.

Design and evaluation of a shoulder-surfing resistant graphical password scheme

The design and evaluation of a game-like graphical method of authentication that is resistant to shoulder-surfing is reported on, which shows that novice users were able to enter their graphical password accurately and to remember it over time.

Private whispers/public eyes: Is receiving highly personal information in a public place stressful?

Know your enemy: the risk of unauthorized access in smartphones by insiders

It is found that users are generally concerned about insiders accessing their data on smartphones and a stronger adversarial model must be considered during the design and evaluation of data protection systems and authentication methods for smartphones.

Password entry usability and shoulder surfing susceptibility on different smartphone platforms

The results show significant differences in the usability of password entry (required password entry time, typing accuracy) and susceptibility to shoulder surfing and provide insights for security-aware design of on-screen keyboards and for password composition strategies tailored to entry on smartphones.

Increasing the security of gaze-based cued-recall graphical passwords using saliency masks

A novel gaze-based authentication scheme that makes use of cued-recall graphical passwords on a single image to increase password security and creates a realistic threat model for attacks that may occur in public settings, such as filming the user's interaction while drawing money from an ATM.

Perceptions of Risk in Mobile Transaction

A user study of perceived risk for information technology workers accessing company data, consumers using mobile personal banking, and doctors accessing medical records reveals differences in the way the groups think about network-related threats.