The security risks of mobile computing are a constant worry for business technology users - but how many users are aware of one of the lowest-tech threats, shoulder surfing? John Stokdyk reports on recent research from 3M.
A recent report from Experian [1] warned that corporate executives on £50,000 or more a year were the top targets for identity thieves.
The Experian fraud dossier identified London as the UK's fraud hotspot, with Kensington and Chelsea the worst borough for ID theft.
The findings may not come as a huge surprise, but in addition to the obvious motive, well-equipped executives working in WiFi hotspots and using public transport also present copious opportunities for low-tech snooping techniques.
Many senior executives now rely heavily on laptop PCs to work on business information while they are out and about. But the laptop's ubiquity brings a number of risks that are in danger of being overlooked. And being overlooked is one of the top low-tech risks, according to technology company 3M.
"Shoulder surfing" is the phrase used to describe the casual act of watching what laptop users are doing on their screens, but also applies to professional criminals who try to capture passwords and personal identity numbers as the basis for further fraudulent activity.
Shoulder surfing was one of the techniques covered in detail by convicted hacker Kevin Mitnick in his recent book No Tech Hacking: A Guide to Social Engineering, Dumpster Diving, and Shoulder Surfing. And one of the core points he makes is that simple, non-technical approaches often reap better quality results than the bedroom code-cracker working through the night.
Education is the best antidote, according to 3M business development manager Nick Hughes. To research the issue further, 3M surveyed IT journalists.
Based on the (somewhat questionable) assumption that the respondents would be more aware of the security dangers than ordinary business users, the survey asked them to recount their experiences travelling to and from work.
A third of the journalists spent between eight and 20 hours a week commuting with their laptops. Perhaps because of the nature of their work, 78% of the respondents admitted they looked over the shoulders of fellow travellers to see what was on their PC screens.
"It's human nature to be inquisitive, especially on an otherwise dull train journey. Also if the screens are 15in or 17in it’s hard not to look sometimes," said one writer.
Six out of 10 journalists said that they would not work on financial information and 57% would not work on legal data in a public space. A quarter would not read emails on the move and 15% avoided viewing web pages due to privacy concerns.
To deal with shoulder snoopers, 55% said they had turned their screens away from onlookers, 18% had turned off their laptops and 13% had confronted the shoulder surfer. Just under 3% of respondents said they would turn the screen towards the privacy infringer if they became aware that a fellow traveller was watching them work.
Nick Hughes, business development manager with 3M’s Optical Systems Hughes, commented: "I’ve been in situations on the train where a laptop user has their credit or debit card in one hand and is busy entering the data from the card into their laptop. There are clear security risks when tapping your personal details into your laptop in a public place. The risk of identity thieves on the prowl on trains is, I believe, a significant one that many commuters are unaware of."
According to research from analyst IDC, there were an estimated 2.4m laptop users in the UK who were at risk from prying eyes.
The journalists' experiences bear this out. An executive's laptop contains valuable corporate data. Even though many organisations will pay lip service to data protection, individuals often fail to register that the strictures apply to them. As one of the survey respondents noted, "I’ve seen a few people working obliviously while people looked on."
There is an element of "they would say that, wouldn't they" to 3M's interest in shoulder surfing, as the company manufactures and sells laptop privacy screens, typically costing £25-£50 each.
The filters are made up of a thin plastic film that contains a horizontal array of "blades" - much like a venetian blind. As the viewer moves off centre, the blinds overlap to obscure the screen.
Even if you view the publicity campaign as a standard-issue scare to increase product sales, it should give you pause for thought. Shoulder surfing does happen and is a real threat - and one of the essential ingredients of a sound IT security policy is that you take the time and make the effort to identify the risks you may encounter, and take appropriate steps to mitigate them.
Links:
[1] http://www.accountingweb.co.uk/cgi-bin/item.cgi?id=184111&d=1025&h=1020&f=1026&dateformat=%o %B %Y