Visual hacking is a cyber safety issue also known as 'shoulder surfing'. Before smartphones and mobile phones, people used calling cards to make calls when away from home. These cards were often compromised by a person standing behind the card user and recording the card number and PIN as they were entered.
2. Bradley W Deacon
Session Speaker
Bradley is a former Federal Agent and was one of the first members of the Australian Federal Police Computer Crime Unit Sydney, where in 1995 his team was successful in having the first jail sentence imposed on a computer hacker.
Bradley is a qualified non-practising lawyer focussing on Cyber related Law, with degrees in criminal justice and law, and postgraduate studies in Criminology and Law. Additionally, Bradley has a Postgraduate Certificate in Distance Ed specialising in Digital Delivery from Penn State University.
Bradley also has a Masters in National Security, with his thesis centred around digital technology: “Evolving Digital Technology Terrorist Financing & The Threat To U.S. National Security”.
As a cyber bullying and stalking advocate, Bradley was approached by VCAT in 2014 to design and facilitate delivery of a social media awareness package in 2015 for Victorian Court Staff and the Judiciary, and was recently a keynote speaker at the Say No 2 Bullying Conference on the Gold Coast.
Bradley lectures at several Australian universities and colleges in a variety of Cyber related Law units and justice units, and is about to undertake a PhD in Social Media by ‘publication’.
3. Session Outline
Learning Outcomes
• Background to visual hacking (shoulder surfing)
• Types of visual hacking
• Corporate espionage
• Internal office visual control mechanisms to minimize visual hacking
• External visual control mechanisms to minimize visual hacking
4. Visual Hacking-Shoulder Surfing
Telephone Calling Cards, Early 1990s
● Cards linked back to home/business phone account
● When away from home/business, key in card # and PIN #
● Calls billed to home/business account
● Option to key it in from the phone or call an operator and pass on card details and PIN #
● Several vulnerabilities resulted from such practice
5. Visual Hacking-Shoulder Surfing
Vulnerabilities
● Travellers would use pay phones at bus terminuses, airports, railway stations, shopping centres, casinos, hotel lobbies
● Criminal gangs would hover around such pay phone locations and pretend to be on an adjoining phone
● Victim would call the operator and pass on details of the card, which the ‘shoulder surfer’ would note down, or film the details being entered; at this point the card is compromised
6. Visual Hacking-Shoulder Surfing
Black Market For Card Details
● Calling card access details were very attractive on the black market
● Compromised card holder usually only received a phone bill once a month
● Depending on the billing cycle, a card could be ‘live’ for up to 30 days or more
● Shoulder surfer would on-sell the card details for as low as $20
● Sold usually at locations where the card could be demonstrated to work
7. Visual Hacking-Shoulder Surfing
Cost of Compromise
● Usually the person who bought the card details would also on-sell the card for a profit, hundreds of times over
● The domino effect of such a compromise amounted to phone bills for hundreds of thousands and even millions of dollars being delivered to the card owner
● Simultaneous calls were made to all corners of the globe at a time when international calls cost anywhere between $2 and $8 per minute
8. Visual Hacking-Shoulder Surfing
Lack of Safeguards In Place By Phone Company
● Even when one card was connected at hundreds of locations simultaneously, phone companies had no safeguards in place to detect such activity
● As a result of the scenario in the infographic on the next slide, a recommendation report was put forward to the phone companies to implement security safeguards to detect simultaneous use of one card
10. Visual Hacking-Shoulder Surfing
A Simple Solution That Eliminated The Issue
● Safeguards implemented by the phone companies were not expensive to roll out
● They provided a barrier that prevented a card from being used simultaneously
● Customer education was also a key component of the phone companies' strategy
● As a result of this proactive, fraud-reducing activity, companies that were becoming more reliant on computers in the early 1990s started to treat security as a front-of-mind process
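The two safeguards described in slides 8 and 10 (detecting simultaneous use of one card, and a barrier that refuses a second concurrent call) can be shown on sample call records. This is an added illustration, not code from the presentation or from any phone company; the card numbers, locations and timings below are constructed placeholders.

```python
"""Detect and block concurrent use of one calling card (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample call records: (card, start time, duration in minutes, originating location).
# Card numbers and locations are made-up placeholders, not real data.
CALLS = [
    ("CARD-0001", "1994-03-02 10:00", 12, "Sydney Central"),
    ("CARD-0001", "1994-03-02 10:05", 30, "Melbourne Airport"),
    ("CARD-0001", "1994-03-02 10:07", 8,  "Brisbane Casino"),
    ("CARD-0002", "1994-03-02 11:00", 5,  "Sydney Airport"),
    ("CARD-0002", "1994-03-02 11:30", 5,  "Sydney Airport"),
    ("CARD-0003", "1994-03-02 12:00", 60, "Perth Hotel"),
    ("CARD-0003", "1994-03-02 12:30", 10, "Sydney Central"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def find_concurrent_use(calls, max_concurrent=1):
    """Detection (slide 8): return {card: peak simultaneous calls} for every card
    whose concurrent call count exceeded max_concurrent, using a start/end sweep."""
    events = defaultdict(list)
    for card, start, minutes, _loc in calls:
        s = parse(start)
        events[card].append((s, 1))                             # call starts
        events[card].append((s + timedelta(minutes=minutes), -1))  # call ends
    flagged = {}
    for card, evs in events.items():
        # Sort ends (-1) before starts (+1) at the same instant, so a call that
        # begins exactly as another ends is not counted as concurrent.
        evs.sort(key=lambda e: (e[0], e[1]))
        active = peak = 0
        for _t, delta in evs:
            active += delta
            peak = max(peak, active)
        if peak > max_concurrent:
            flagged[card] = peak
    return flagged

class CardSessionGuard:
    """Barrier (slide 10): refuse a new call while the card already has one in progress."""
    def __init__(self):
        self.active_until = {}  # card -> end time of its current call

    def try_connect(self, card, start, minutes):
        s = parse(start)
        end = self.active_until.get(card)
        if end is not None and end > s:
            return False  # card is already in use somewhere else: reject the attempt
        self.active_until[card] = s + timedelta(minutes=minutes)
        return True
```

Run against the sample data, the detector flags CARD-0001 (three overlapping calls from three cities) and CARD-0003, while CARD-0002's back-to-back calls from one location pass.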
11. Visual Hacking 2016 Style
From the 1990s to 2016: Visual Hacking
● Shoulder surfing now has a more appropriate name for the digital age
● ‘Visual hacking’, which can be defined simply as “obtaining or capturing sensitive information for unauthorized use”
12. Visual Hacking-Shoulder Surfing
Examples of Visual Hacking
● Taking photos of documents left on a printer or information displayed on a screen
● Memorising details seen on a screen or a desk
● Micro audio recording of details seen
● Simply writing down employee login information that is taped to a computer monitor
● External visual hacking via telephoto lenses through untinted windows
14. Visual Hacking-Shoulder Surfing
Visual Hacking Experiment
● In the Visual Hacking Experiment, a study conducted by Ponemon Institute and jointly sponsored by 3M Company and the Visual Privacy Advisory Council, white-hat hackers posing as temporary or part-time workers were sent into the offices of eight U.S.-based participating companies.
15. Visual Hacking-Shoulder Surfing
Visual Hacking Experiment
● The hackers were able to visually hack sensitive and confidential information from exposed documents and computer screens.
● They were able to visually hack information such as employee access and login credentials, accounting information and customer information in 88 percent of attempts, and were not stopped in 70 percent of incidents.
● The following short video demonstrates the experiment
16. Visual Hacking
Safeguards To Help Prevent Visual Hacking
● The best place to begin clamping down on visual privacy threats is to perform a visual privacy audit
● The visual privacy audit will help you assess your key risk areas and evaluate the existing security measures that are in place
17. Visual Hacking
Visual Privacy Audit
• Does your organization have a visual privacy policy?
• Are shredders located near copiers, printers and desks where confidential documents are regularly handled?
• Are computer screens angled away from high-traffic areas and windows, and fitted with privacy filters?
• Do employees keep log-in and password information posted at their workstations or elsewhere?
18. Visual Hacking-Shoulder Surfing
Visual Privacy Audit Continued
• Are employees leaving computer screens on or documents out in the open when not at their desks?
• Do employees know to be mindful of who is on the premises and what they are accessing, photographing or viewing?
• Are there reporting mechanisms for suspicious activities?
19. Visual Hacking-Shoulder Surfing
Key Points To Take Away
• Visual hackers can be anyone who has access to your office or is in close proximity
• Reception areas are very vulnerable to visual hacking
• What will clients/visitors think of your privacy safeguards if they can openly see information?
• Make sure staff are aware of the phone card shoulder surfing scenario, and highlight to them that using laptops and smartphones in crowded places leaves them open to visual hacking
• Simple safeguards and a visual privacy policy will help you protect your business
21. Visual Hacking-Shoulder Surfing
Further Information & Sample Privacy Audit Checklist
● For additional information on visual hacking, go to my LinkedIn profile and see my LinkedIn Pulse blog
● ‘Visual Hacking: An Old Tactic With A New Name’
● https://www.linkedin.com/pulse/visual-hacking-old-tactic-new-name-bradley-w-deacon?trk=mp-reader-card