Better tablet displays and improvements in smartphone cameras make organisations increasingly vulnerable to data breaches through unauthorised visual data capture. Wendy Goucher, Senior Information Security Consultant at Idrach, reveals just how good the latest smartphones are at capturing data from hi-res tablet screens. Her prediction? The threat from shoulder-surfers will only get worse.
When I started my research into shoulder surfing, my fellow information security colleagues found it interesting – indeed were often able to share examples of things they had witnessed – but rarely saw how such stories would be a security risk. In the last two years, especially with the development of the tablet device and the increasing quality of smartphones, the importance of this work has changed significantly. People no longer look amused or vaguely interested – they look shocked. The transformation of ‘shoulder-surfing’ into ‘visual data capture’ heralds a time when the document being displayed is now duplicated and potentially disseminated in ways that could lead to financial loss or, potentially worse, the undermining of the organisational image or reputation if the images trend on social media.
And, dear reader, the risk is growing.
Just over a year ago, I conducted a series of experiments to test the quality of image that could be captured from a tablet device with a range of smartphones. The test card used ranges down to font size 10 and, as in the image shown here (from a Blackberry Pearl), font sizes of 12 and 14 can be clearly seen from a position representing two rows back with the viewer standing up.
Earlier this month, at COSAC (the International Computer Security Symposium in Naas, Ireland), I was able to repeat part of that experiment with more up-to-date smartphones. Here is an image taken from the same position using a Samsung Galaxy S4.
Imagine if that was a sensitive, interesting document with an eye-catching logo on the top, perhaps from a Fortune 500 company or a government department; how fast would that move around the Internet?
Given that many passengers appreciate the peace from interruption that travel gives, I think it’s safe to accept people are going to continue to work on the move. I advise any organisation, but especially those with a higher public profile, to seriously consider their exposure to this risk – especially what would happen in the event of a leak of sensitive documents. Once they understand that risk and their operational requirements, they should get specialist advice. You can find it on this site; if your issue isn’t addressed, please contact us. We will know the people to help you find your answers.
But whatever you do, do something – because you don’t want to be the first big leak. Do you remember all the data lost on USBs, badly disposed of computers and CDs in 2008? The general public only remember HMRC, partly because it affected them, but mostly because it was the first to capture the attention of the media. Don’t let your organisation be the ‘HMRC’ of Visual Data Capture.
Contact Wendy Goucher: firstname.lastname@example.org