For Your Eyes Only
Whilst reading an excellent article this morning in The Age ‘Keeping Out Smart Phone Snoops, by Brian Chen I noted the underlying theme of his article was locking your smartphone, where the article clearly stated: ‘One of the easiest ways to add a layer of security to your smartphone is requiring a password to get past the initial lock screen’.
Having read the article and agreeing with its range of valuable tips on protecting your data in your smartphone, I thought it prudent to bring to subscribers of Cyber Guardians Online the background of a common criminal activity known as ‘Shoulder Surfing‘ that surfaced in the early 1990′s.
I personally came across shoulder surfing as a Federal Agent, where as one of the inaugural members of the newly formed Computer Crime Unit in Sydney, a significant file came across my desk involving an Australian traveling on business in New York City and coming home to a home phone bill in excess of $2 Million. It was early in the 1990′s, pre mobile phones, where travelers could opt to link a home phone account to a ‘Calling Card‘. Calling cards were great, go to any phone in the world, call a local dedicated number and either tell the operator or on some occasions just key in your calling card number and personal identification number (PIN) to make a call anywhere and have it recorded on your home phone bill.
One major problem back then was that phone companies did not have safeguards built in to detect simultaneous calls from the same calling card that were being made from various locations around the globe and as such fraud was rife. The manner in which the fraud was conducted was quite simple, all one had to do was obtain the calling card number and PIN and all calls were made at the account holders expense.
Free international phone calls in a multicultural city like New York City was a commodity that was extremely valuable on the black market, where a person with just one calling card number and PIN could on sell the details hundreds of times a day usually for $20 and of course the purchaser of that calling card number and PIN would also then on sell the details as well. Furthermore, the illicit transaction could be guaranteed with all parties ‘testing’ the cards validity at a local phone box.
Obtaining the Account Number and PIN
As you could imagine obtaining calling card details became very lucrative and this is where criminal enterprises resorted to some basic surveillance 101 tactics of which I will refer to here in dot point form:
- Standing behind the person at the payphone and memorizing the persons account number and PIN (clearly an apprentice card counter in the making)
- Using telephoto lenses and video taping persons entering personal details into the payphone
- Standing close by or on the other side of the row of payphones in airports, bus interchanges and railway stations and writing down account details and PIN’s as customers spoke to a calling card operator.
As you can see it was not that hard to obtain such personal details and turn a simple few numbers into a positive cash flow operation within minutes and generally the card would remain active until the unsuspecting victim received a telephone bill he/she could not jump over.
Yes, phone companies became smarter over time and introduced safeguards similar to what banks have in place now with ATM card transactions. However, the above scenario was the breeding ground for producing ‘Shoulder Surfing’ experts who now operate with a view to obtaining your mobile/cell phone after securing your PIN from Shoulder Surfing.
Locking Your Phone Is Not Enough
Hence the underlying theme of this post is to warn you that locking your phone with a PIN is your first level of defense, your PIN needs to protected with vigilance. How many times do you sit in the open and enter your PIN without covering your actions whilst:
- At Bus/Train stops?
- On public transport?
- At bars/cafes?
- Walking along crowded streets?
- Opposite a work colleague?
Furthermore, how many of you have your mobile/cell phone PIN’s set the same as your bank ATM cards? Surprisingly a high majority do so and this opens a whole new Pandora’s box, with ATM and credit card fraud.
All it takes is for the person who has acquired your phones PIN code to obtain your phone and ATM cards either through pickpocketing, bag snatch and or surveilling you home or to work and obtaining your phone and cards where at times you may not notice the theft until the morning or at the end of your workday. The domino effect can lead to your suffering severe financial loss as banks are reluctant to reimburse funds to persons who do not protect PIN numbers.
Finally what other data is stored on your phone as The Age article highlighted and as indicated here in this post, crime gangs the world over have had years to perfect the simple art of ‘Shoulder Surfing’ and it is re-emerging as a criminal activity that will capitalize on unsuspecting citizens going about their daily business.
The Age, Chen, B., Sunday April 5 2013,