User:Naga Sravani Dasari/sandbox2

In computer security, shoulder surfing is a social engineering technique used to obtain information such as personal identification numbers (PINs), passwords and other confidential data by looking over the victim's shoulder. The attack can be carried out at close range, by directly looking over the victim's shoulder, or at long range, for example with a pair of binoculars. It requires no technical skill: keen observation of the victim's surroundings and typing pattern is sufficient. Crowded places are where an attacker is most likely to shoulder surf a victim. In the early 1980s, shoulder surfing was practised near public pay phones to steal calling card digits, which were then used to make long-distance calls or sold on at a discount. Modern technology such as hidden cameras and concealed microphones has made shoulder surfing easier and widened the attacker's scope for long-range observation. A hidden camera allows the attacker to capture the victim's whole login process and other confidential data, which can ultimately lead to financial loss or identity theft.

Occurrences
Shoulder surfing is most likely to be performed in crowded places, because it is easy to observe information there without drawing the victim's attention. Situations in which an attacker can easily shoulder surf a victim include: filling out a form (a bank withdrawal, deposit or loan form); entering a PIN at an automated teller machine or at a POS terminal; using a telephone card at a public payphone; entering a password at a cybercafe, a public or university library, or an airport kiosk; entering the code for a rented locker in a public place such as a swimming pool or airport; and entering a PIN or password on a smartphone.

A survey of IT professionals in a white paper for Secure found that:

 * 85% of those surveyed admitted to seeing sensitive information on screen that they were not authorised to see
 * 82% admitted that it was possible information on their screens could have been viewed by unauthorised personnel
 * 82% had little or no confidence that users in their organisation would protect their screen from being viewed by unauthorised people.

PIN entry
A personal identification number (PIN) is used to authenticate oneself in many situations: withdrawing or depositing money at an automated teller machine, or unlocking a phone, door, laptop or PDA. Although in some situations PIN entry is one step of a two-step verification process, it remains vulnerable to shoulder surfing. An attacker can obtain the PIN either by directly looking over the victim's shoulder or by recording the whole login process. Various shoulder-surfing-resistant PIN entry methods have therefore been proposed to make the authentication process secure.

Cognitive trapdoor game
The cognitive trapdoor game involves three parties: a machine verifier, a human prover and a human observer. The human prover has to input the PIN by answering questions posed by the machine verifier, while the observer tries to watch the interaction between the verifier and the prover in order to learn the PIN. A token is assigned to the prover over an authentic channel as a unique identifier with which to prove his or her identity. Because the prover has to authenticate over many steps, it is hard for the observer to remember the whole login process unless the observer has a recording device. The cognitive trapdoor mechanism is therefore resistant to direct shoulder surfing, but not to shoulder surfing with a recording.
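The following simulation is an added example written for this page; it is not code from the original page or from the authors of the cognitive trapdoor game. The page does not specify what the verifier's questions look like, so the example assumes one concrete format: each round the verifier colours five of the ten digits black and five white and the prover answers only which colour the secret digit has. Under that assumption the simulation shows the three parties of the game, why the verifier can reconstruct each digit after at most four answers, and the caveat stated above: an observer who records every question and answer recovers the PIN exactly, while an observer who can retain only the last round is left with five candidates per digit. The names `Verifier`, `human_prover`, `login`, `recording_observer` and `direct_observer` are this example's own.

```python
import random

DIGITS = frozenset("0123456789")


def _narrow(candidates, black, reply):
    """Keep only the candidates consistent with one question/answer pair."""
    return candidates & (black if reply == "black" else DIGITS - black)


class Verifier:
    """Machine verifier for one PIN digit.

    Assumed question format (not specified on the page): each round the
    verifier colours five of the ten digits black and the other five white and
    asks the prover which colour the secret digit currently has.
    """

    def __init__(self, rng):
        self.rng = rng

    def _question(self, candidates):
        # Split the digits still consistent with earlier answers as evenly as
        # possible, then pad with already-excluded digits so that every round
        # shows exactly five black digits regardless of how far along we are.
        cand = sorted(candidates)
        self.rng.shuffle(cand)
        half = cand[: len(cand) // 2]
        rest = sorted(DIGITS - candidates)
        self.rng.shuffle(rest)
        return frozenset(half + rest[: 5 - len(half)])

    def play_digit(self, answer):
        """answer(black) -> 'black' | 'white' is the human prover's reply.
        Returns (digit, rounds); rounds is what a camera would record.
        10 -> 5 -> at most 3 -> at most 2 -> 1 candidates: at most 4 rounds."""
        candidates = set(DIGITS)
        rounds = []
        while len(candidates) > 1:
            black = self._question(candidates)
            reply = answer(black)
            candidates = _narrow(candidates, black, reply)
            rounds.append((black, reply))
        return next(iter(candidates)), rounds


def human_prover(pin):
    """One answering function per PIN digit; the prover never types the digit."""
    return [lambda black, d=d: "black" if d in black else "white" for d in pin]


def login(pin, seed=0):
    """Run the whole game; returns the PIN the verifier reconstructed and the
    full transcript (per digit, the list of (black set, reply) rounds)."""
    verifier = Verifier(random.Random(seed))
    accepted, transcript = "", []
    for answer in human_prover(pin):
        digit, rounds = verifier.play_digit(answer)
        accepted += digit
        transcript.append(rounds)
    return accepted, transcript


def recording_observer(transcript):
    """Attacker with a hidden camera: replays every round exactly as the
    verifier did and recovers the PIN with certainty."""
    pin = ""
    for rounds in transcript:
        candidates = set(DIGITS)
        for black, reply in rounds:
            candidates = _narrow(candidates, black, reply)
        pin += next(iter(candidates))
    return pin


def direct_observer(transcript, remembered_rounds=1):
    """Attacker looking over the shoulder who can retain only the last
    remembered_rounds (>= 1) question/answer pairs of each digit.
    Returns the set of digits still possible for each PIN position."""
    result = []
    for rounds in transcript:
        candidates = set(DIGITS)
        for black, reply in rounds[-remembered_rounds:]:
            candidates = _narrow(candidates, black, reply)
        result.append(frozenset(candidates))
    return result


if __name__ == "__main__":
    # Constructed sample PIN for the demonstration.
    pin, transcript = login("4931", seed=7)
    print("verifier accepted:", pin, "rounds per digit:", [len(r) for r in transcript])
    print("camera recovers:  ", recording_observer(transcript))
    sizes = [len(c) for c in direct_observer(transcript)]
    print("one-round memory leaves", sizes, "candidates per digit")
```

The verifier always shows five black digits so the shape of a question reveals nothing on its own; the information is entirely in the sequence of answers, which is why memory, not eyesight, is what limits a direct observer, and why a camera defeats the scheme completely.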