Shoulder Surfing: Exploring Ways to Curb Smartphone Fraud

  • James O’Sullivan, CEO and Founder at Nuke from Orbit

  • 11.10.2024 10:00 am
  • #SmartphoneFraud #CyberSecurity

Smartphones are pivotal in both our personal and professional lives. These devices grant access to everything from communications with family and colleagues to banking, payments, and other online services. Such convenience, however, brings with it significant risks. A growing threat faced by individuals and businesses alike is shoulder surfing: the act of watching someone's screen or keypad to steal sensitive information such as passwords, PINs, or banking credentials. Although typically associated with ATM fraud, this old-school technique is reemerging as a danger for fintech businesses tasked with safeguarding their financial platforms.

The Growing Risks of Shoulder Surfing
Mobile phone theft and its associated risks are on the rise globally. In London, for example, the Metropolitan Police reports that a phone is stolen every six minutes. In the US, 1 in 10 smartphone owners experience phone theft, with 68% never recovering the information from their devices. Biometric features such as Face ID and fingerprint scanning improve day-to-day security, but they sit on top of the passcode rather than replacing it: after a few failed biometric attempts, a restart, or a timeout, the phone falls back to asking for the passcode. Whoever knows the passcode therefore owns the device, and with it personal messages, financial accounts, and even sensitive business data, presenting a massive risk for fintech institutions and their clients.

As users rely more on biometric systems, they often become less conscious of their surroundings on the occasions when they do type a passcode, leaving them vulnerable to criminals who need only a quick glance to gain the information required to breach personal and business accounts. The typical pattern is observe first, steal second: the thief watches the passcode being entered, then takes the handset, arriving with both the device and the secret that unlocks it. Criminals might observe targets in person, use reflective surfaces, or even deploy malicious apps that record the screen or mimic a login prompt to trick individuals into handing over their credentials.

The Impact on Fintech Businesses
The consequences of a successful shoulder surfing attack extend beyond the individual, especially when business devices are targeted. Once a device is unlocked, attackers can access sensitive corporate data, impersonate employees, or drain company accounts. A data breach can be catastrophic, with the global average cost of such incidents reaching $4.88m in 2024 – a 10% increase from the previous year. The impact can also be devastating for smaller businesses, with cyber-attacks potentially costing SMEs upwards of £31,000 per day of downtime.

For fintech companies, whose reputation relies on trust in the security of their platforms, such breaches can undermine client confidence and lead to severe regulatory penalties, legal costs, and long-term reputational harm. A sector that prides itself on offering customers cutting-edge financial solutions must show the same leadership in security: continuously updating its authentication and fraud controls, and sharing the responsibility for safety with users rather than leaving it to them.

Proactive Measures for Enhanced Security
To address these evolving threats, fintech firms must adopt comprehensive security strategies:

  • Enhanced Security Protocols: Businesses must invest in advanced security features such as multi-factor authentication (MFA) and risk-based authentication (RBA), with the second factor held somewhere a thief cannot reach from the unlocked handset (a one-time code sent by SMS to the stolen phone adds nothing). Privacy screens for devices and increased surveillance in office spaces can also help deter shoulder surfing. Moreover, businesses should develop rapid incident response plans and invest in research to develop more user-friendly and secure authentication methods, like behavioural biometrics and continuous authentication.

  • Employee Awareness: Regular security training programs can help employees stay informed about the risks of shoulder surfing and phishing attacks. Encouraging the use of password managers such as LastPass can also reduce the risk of compromised credentials, provided the manager's own vault is not unlocked by the same device passcode the attacker has just watched.

  • Collaboration and Information Sharing: The fintech sector can further bolster security by working together and sharing threat intelligence with law enforcement agencies, cybersecurity organisations, and industry peers. This collaborative approach can help create sector-wide countermeasures and boost consumer trust.
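The risk-based authentication mentioned above is easiest to see as a decision rule. The following is an added example, not code from Nuke from Orbit or from this article: a small RBA policy that scores a sensitive action from context signals and returns allow, step-up or block. The signal names, weights and thresholds are assumptions chosen for illustration, and the scenarios at the bottom are constructed; a real deployment would tune them against its own fraud data. The point it makes is that a thief who has the victim's own phone and passcode passes every device check, so the step-up has to key on the action and on how the device was unlocked, not on whether the device is recognised.

```python
"""Illustrative risk-based authentication (RBA) step-up policy.

Added example, not code from Nuke from Orbit. Signal names, weights and
thresholds are assumptions for illustration only.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # proceed on the session credential alone
    STEP_UP = "step_up"    # demand a factor the thief cannot reach from this handset
    BLOCK = "block"        # refuse the action and raise an alert


@dataclass
class Context:
    """Signals available when a sensitive action is requested (assumed names)."""
    device_known: bool                    # device fingerprint already bound to the account
    km_from_last_seen: float              # distance from the last trusted location
    amount: float                         # transaction value in account currency
    new_payee: bool                       # first transfer to this beneficiary
    minutes_since_strong_auth: int        # time since the last server-verified MFA
    failed_biometrics_before_unlock: int  # biometric failures before the passcode was used


def risk_score(ctx: Context) -> int:
    """Sum additive risk points; each rule is one explainable line."""
    score = 0
    if not ctx.device_known:
        score += 40
    if ctx.km_from_last_seen > 100:
        score += 20
    if ctx.new_payee:
        score += 25
    if ctx.amount >= 1000:
        score += 25
    if ctx.minutes_since_strong_auth > 60:
        score += 15
    # A passcode accepted only after repeated biometric failures is the
    # shoulder-surfing signature: the passcode works, the face or finger did not.
    if ctx.failed_biometrics_before_unlock >= 3:
        score += 30
    return score


def decide(ctx: Context, step_up_at: int = 40, block_at: int = 90) -> Decision:
    """Map the additive score onto the three outcomes."""
    s = risk_score(ctx)
    if s >= block_at:
        return Decision.BLOCK
    if s >= step_up_at:
        return Decision.STEP_UP
    return Decision.ALLOW


def scenarios() -> dict:
    """Constructed scenarios (not real data) showing the policy's behaviour."""
    return {
        # Owner on their usual phone, small routine payment.
        "routine": decide(Context(True, 0.0, 25.0, False, 10, 0)),
        # Thief on the victim's own phone: device is known and nearby, but the
        # passcode was used after biometrics failed and the transfer is unusual.
        "stolen_unlocked_phone": decide(Context(True, 0.0, 2500.0, True, 5, 3)),
        # Credentials replayed from an unknown device far from the owner.
        "unknown_device_far_away": decide(Context(False, 200.0, 2500.0, True, 5, 0)),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome.value}")
```

In the stolen-phone scenario the device passes the "known device" check, so a policy that only looks at device binding would allow the transfer; the biometric-failure and new-payee signals are what push it to a step-up. For that step-up to help, the second factor must live off the stolen handset, for example a hardware token or a confirmation on a separately enrolled device.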

Though shoulder surfing may seem like a low-tech crime, it’s evolving to keep pace with digital advancements. Fintech firms must proactively safeguard their users and systems, from enhanced user education to sophisticated, multi-layered authentication protocols. As mobile wallets, digital payments, and remote banking continue to grow, ensuring secure transactions in public settings is critical to maintaining consumer confidence. By addressing these risks now, fintech companies can continue offering cutting-edge, secure, and convenient financial services that their users can trust.
