Over Shoulder Capture

From SQRLauth.net

Over Shoulder Capture (also known as Shoulder Surfing) is an attack in which a hacker reads or records the target's on-screen or keyboard activity. The hacker can obtain information entered into forms or, by watching the keyboard directly, secret information such as passwords. It can be done from right behind the target or from a distance.

In the context of SQRL, the danger is a hacker scanning the QR code that a SQRL-enabled website displays on the user's screen and completing the login before the user does. The QR code's nut is tied to the browser session on the user's screen, so whoever answers it first decides which identity that session is logged in as. With good timing, the hacker could fool the user into thinking he is logged in as himself when the browser session is in fact authenticated as the hacker. Anything the user then enters into that web site, including credit card numbers and other sensitive information, ends up in the hacker's account.

In reality, the user's own SQRL authentication will then fail, because the nut is single-use and has already been consumed by the hacker's response. The SQRL client should report this as an error and warn the user that if the page nevertheless appears to be logged in, it is someone else's session, not theirs.
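The following is an added example written for this page, not code from SQRL or the SQRLauth.net site. It models the race described above in simplified form: the server issues a single-use nut per browser session, the hacker's client answers it first, and the user's client then gets a failure and must warn the user. The class and function names (SqrlServer, SqrlClient, NutError, over_shoulder_scenario) and the example URL are assumptions; signature verification is left out because the point here is only who consumes the nut first.

```python
import secrets
import time
from urllib.parse import parse_qs, urlsplit


class NutError(Exception):
    """Raised when a SQRL response carries a nut the server will not accept."""


class SqrlServer:
    """Constructed, simplified model of the server side of a SQRL login.

    Each nut is bound to one browser session and is removed the moment a
    response for it arrives, so only the first responder can use it.
    """

    def __init__(self, ttl_seconds=120):
        self.ttl_seconds = ttl_seconds
        self.nuts = {}      # nut -> (browser_session_id, issued_at)
        self.sessions = {}  # browser_session_id -> identity key, once logged in

    def issue_qr(self, browser_session_id):
        """Return the URL a QR code on this browser session would encode."""
        nut = secrets.token_urlsafe(12)
        self.nuts[nut] = (browser_session_id, time.time())
        return f"sqrl://example.com/login?nut={nut}"  # hypothetical site

    def handle_response(self, nut, identity_key):
        """Log the session bound to `nut` in as `identity_key`, once only."""
        entry = self.nuts.pop(nut, None)  # single use: gone after first response
        if entry is None:
            raise NutError("nut unknown or already used")
        browser_session_id, issued_at = entry
        if time.time() - issued_at > self.ttl_seconds:
            raise NutError("nut expired")
        self.sessions[browser_session_id] = identity_key
        return browser_session_id

    def whoami(self, browser_session_id):
        """Identity the browser session is currently logged in as, or None."""
        return self.sessions.get(browser_session_id)


class SqrlClient:
    """Constructed model of a SQRL client holding one identity key."""

    def __init__(self, identity_key):
        self.identity_key = identity_key

    def scan_and_login(self, server, qr_url):
        """Scan a QR code (here: parse its URL) and answer the nut.

        On failure the client must not just say 'error': the page on the
        screen may look logged in, and that session belongs to someone else.
        """
        nut = parse_qs(urlsplit(qr_url).query)["nut"][0]
        try:
            server.handle_response(nut, self.identity_key)
            return "logged in"
        except NutError as err:
            return (f"authentication failed ({err}); if the browser shows you "
                    f"as logged in, that session is NOT yours - do not use it")


def over_shoulder_scenario():
    """Hacker scans the QR code on the victim's screen and answers first."""
    server = SqrlServer()
    browser = "browser-session-42"          # the victim's browser tab
    qr_url = server.issue_qr(browser)        # displayed on the victim's screen
    hacker = SqrlClient("hacker-identity-key")
    victim = SqrlClient("victim-identity-key")
    hacker_result = hacker.scan_and_login(server, qr_url)  # wins the race
    victim_result = victim.scan_and_login(server, qr_url)  # nut already used
    return server.whoami(browser), hacker_result, victim_result


def undisturbed_login():
    """Control case: nobody else scans the code, so the victim logs in."""
    server = SqrlServer()
    qr_url = server.issue_qr("browser-session-7")
    result = SqrlClient("victim-identity-key").scan_and_login(server, qr_url)
    return server.whoami("browser-session-7"), result


if __name__ == "__main__":
    print(over_shoulder_scenario())
    print(undisturbed_login())
```

The model shows why the client-side warning matters: the server behaves correctly (the nut is refused the second time), yet the victim's browser tab is already logged in as the hacker, and only the failure message on the victim's own device reveals that.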

Care should be taken when using SQRL in a public area, or anywhere else where others could capture the screen's QR code or watch the user type the Master Password. Keep in mind that both can be observed from a distance with binoculars, through a window, or via a CCTV camera, so a screen that is out of arm's reach is not necessarily out of sight.

A privacy filter fitted to a laptop screen narrows the viewing angle, and alternate ways of unlocking the SQRL client, such as a fingerprint reader, keep the Master Password off the keyboard where a hacker could watch it. Note that an unlock method only protects the password; the QR code is still visible to anyone who can see the screen, so the client's error message on a failed login remains the user's warning that the session was captured.

See Also

Wikipedia page on Shoulder Surfing