Understanding Shoulder Surfing in the Wild: Stories from Users and Observers

Research has brought forth a variety of authentication systems to mitigate observation attacks. However, there is little work about shoulder surfing situations in the real world. We present the results of a user survey (N=174) in which we investigate actual stories about shoulder surfing on mobile devices from both users and observers. Our analysis indicates that shoulder surfing mainly occurs in an opportunistic, non-malicious way. It usually does not have serious consequences, but evokes negative feelings for both parties, resulting in a variety of coping strategies. Observed data was personal in most cases and ranged from information about interests and hobbies to login data and intimate details about third persons and relationships. Thus, our work contributes evidence for shoulder surfing in the real world and informs implications for the design of privacy protection mechanisms.
