Stealing passwords in the old days used to involve shoulder surfing — cruising past the mark while s/he’s tapping in her/his password into the computer/ATM/cookie dispenser.
But I had a scare today that made me realise that this is still a pretty easy way to get information. Newly landed in Hong Kong, I breezed over to a cash machine. ‘Internet bank with us!’ it said, or something similar, on the welcome screen. ‘It’s safe!’
Well, maybe, but anybody who was shoulder surfing me would have had a head start on my accounts. For a good 15 seconds, possibly longer, my account numbers were fully visible on the screen, as the ATM was processing my transaction. The message was: The following accounts can be accessed using this card, and then it listed them, nice and bold with double space, just in case the shoulder surfer has poor eyesight. How safe is that?
Maybe I’ve been hanging out with social engineers like Anthony Zboralski and Dave McKay too much (more of that anon). But these guys make me realise, if I didn’t already, that a) information is really, really easy to get using social trickery, and b) the institutions we entrust with our information don’t seem to get it that this is the case. Pfft. I’m changing bank in the morning, just as soon as I’ve changed my PIN.