During a lunch-hour penetration test in the company cafeteria, the tester stands behind an employee who is unlocking a workstation. By carefully watching the keystrokes and screen, the tester memorizes the user name and complex eight-character password. Later that day the tester logs in remotely with those credentials, successfully bypassing encryption, endpoint security, and other logical controls that were in place.
Which social-engineering technique allowed the tester to defeat those software safeguards?
Shoulder surfing is a physical observation attack in which the attacker watches (or records) a victim entering sensitive information such as a password or PIN. Because the credentials are captured before they are processed by the system, software-based protections like encryption or endpoint security do not prevent the compromise. Phishing, vishing, and tailgating involve deceit or physical entry but do not rely on visual capture of credentials at entry time.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is shoulder surfing in social engineering?
Open an interactive chat with Bash
How can users protect themselves from shoulder surfing?
Open an interactive chat with Bash
Why don’t encryption or endpoint security prevent shoulder surfing attacks?