Overview

Tailgating and shoulder surfing are low-tech attacks that rely on physical proximity and social engineering rather than on a software flaw. Shoulder surfing is observing a user as they enter sensitive information (a PIN, a password, a one-time code) on a mobile device, typically during login or payment. Tailgating is following an authorized person into a restricted area, relying on courtesy or misplaced trust (a held door, an unchallenged visitor) to bypass physical access control. Mobile devices are particularly exposed because they are used in public spaces such as cafes and public transport, where an observer can stand within arm's length of the screen.

Risk factors

Tailgating/shoulder surfing attacks can arise from:

  • Lack of user vigilance in public spaces.
  • Poorly enforced access control policies.
  • Over-reliance on physical tokens or credentials without additional verification.
  • Unsecured mobile device settings, such as notification previews shown on the lock screen or no screen lock at all.
  • Use of mobile apps in crowded environments without on-screen privacy protections (masked input fields, privacy filters).

Consequences

If an attacker successfully conducts a tailgating/shoulder surfing attack, the following could happen:

  • Unauthorized access: Attackers gain entry to secure locations or systems.
  • Data theft: Observing login credentials can lead to compromised accounts.
  • Physical security breaches: Tailgaters may access restricted areas to plant malware or steal devices.

Solutions and best practices

To mitigate the risks associated with tailgating/shoulder surfing attacks, organizations should implement the following security measures:

  • Awareness campaigns: Train users to guard their screens and verify the identity of those entering secure areas.
  • Privacy shields: Use privacy filters that narrow the viewing angle so the screen is readable only head-on, not by someone standing beside the user.
  • Access policies: Implement stricter access control mechanisms, such as badge-based authentication combined with MFA.
  • Monitoring systems: Deploy surveillance tools to detect and log unauthorized physical access.
  • Biometric security: Use biometric authentication (fingerprint or facial recognition) in mobile apps so that routine unlocks do not require typing a PIN or password that can be observed. The device PIN or passcode remains the fallback at the OS level, so it should still be entered with the screen shielded, and an app should bind the biometric to a hardware-backed key rather than treating the prompt result as a yes/no flag that could be bypassed.
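
One way to implement the last point on Android, as an added example that is not the page's own code: the app's session token is encrypted under an Android Keystore AES key that the Keystore will only release to a Cipher after a class-3 (STRONG) biometric, once per use, so the app never asks the user to type a PIN in public and a patched "if authenticated" check gains nothing, because the decryption itself fails without the biometric. The class name SessionTokenVault, the alias KEY_ALIAS and the Sealed holder are assumptions made here; the Keystore and androidx.biometric calls are the real APIs, and minSdk 30 is assumed for setUserAuthenticationParameters.

```kotlin
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyPermanentlyInvalidatedException
import android.security.keystore.KeyProperties
import androidx.biometric.BiometricManager
import androidx.biometric.BiometricPrompt
import androidx.core.content.ContextCompat
import androidx.fragment.app.FragmentActivity
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical names for this example: SessionTokenVault, Sealed and KEY_ALIAS are
// not from the page. The Keystore and androidx.biometric APIs are real; minSdk 30 assumed.
private const val KEY_ALIAS = "example.session_token"
private const val ANDROID_KEYSTORE = "AndroidKeyStore"
private const val TRANSFORMATION = "AES/GCM/NoPadding"
private const val GCM_TAG_BITS = 128

/** Ciphertext plus the IV that GCM needs to decrypt it; persist both together. */
data class Sealed(val iv: ByteArray, val ciphertext: ByteArray)

class SessionTokenVault(private val activity: FragmentActivity) {

    /** AES key the Keystore releases to a Cipher only after a STRONG biometric, per use. */
    private fun getOrCreateKey(): SecretKey {
        val ks = KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }
        (ks.getKey(KEY_ALIAS, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            KEY_ALIAS, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT
        )
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setKeySize(256)
            .setUserAuthenticationRequired(true)
            // Timeout 0: every Cipher operation needs a fresh authentication, and only a
            // class-3 (STRONG) biometric qualifies; the device PIN cannot unlock this key.
            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
            // Enrolling a new fingerprint/face destroys the key, so someone who observed
            // the device PIN cannot enrol themselves and then unlock the app's token.
            .setInvalidatedByBiometricEnrollment(true)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, ANDROID_KEYSTORE)
            .apply { init(spec) }
            .generateKey()
    }

    /** Shows the biometric prompt with the Cipher bound to it; the Cipher only becomes
     *  usable inside onAuthenticationSucceeded, enforced by the Keystore, not the app. */
    private fun authenticate(cipher: Cipher, onSuccess: (Cipher) -> Unit, onFailure: (String) -> Unit) {
        val prompt = BiometricPrompt(
            activity,
            ContextCompat.getMainExecutor(activity),
            object : BiometricPrompt.AuthenticationCallback() {
                override fun onAuthenticationSucceeded(result: BiometricPrompt.AuthenticationResult) {
                    val authed = result.cryptoObject?.cipher
                    if (authed == null) onFailure("no cipher bound to result") else onSuccess(authed)
                }
                override fun onAuthenticationError(errorCode: Int, errString: CharSequence) {
                    onFailure(errString.toString())
                }
            }
        )
        val info = BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock session")
            .setNegativeButtonText("Cancel")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .build()
        prompt.authenticate(info, BiometricPrompt.CryptoObject(cipher))
    }

    /** Encrypt a freshly issued session token so a biometric, not a typed PIN, gates its reuse. */
    fun seal(token: ByteArray, onDone: (Sealed) -> Unit, onFailure: (String) -> Unit) {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey())   // Keystore picks a random IV
        authenticate(cipher, { c -> onDone(Sealed(c.iv, c.doFinal(token))) }, onFailure)
    }

    /** Decrypt the stored token. A permanently invalidated key means the biometric set
     *  changed since sealing: drop the key and force a full re-login, not a PIN path. */
    fun open(sealed: Sealed, onDone: (ByteArray) -> Unit, onReloginRequired: () -> Unit,
             onFailure: (String) -> Unit) {
        val cipher = Cipher.getInstance(TRANSFORMATION)
        try {
            cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), GCMParameterSpec(GCM_TAG_BITS, sealed.iv))
        } catch (e: KeyPermanentlyInvalidatedException) {
            KeyStore.getInstance(ANDROID_KEYSTORE).apply { load(null) }.deleteEntry(KEY_ALIAS)
            onReloginRequired()
            return
        }
        authenticate(cipher, { c -> onDone(c.doFinal(sealed.ciphertext)) }, onFailure)
    }
}
```

Call seal() once after the user has logged in with their server credentials, and open() on each return to the app; the token is never written in plaintext, and the only secret typed in public is the biometric, which cannot be shoulder-surfed. The design choice worth noting is the CryptoObject: a prompt used without one returns a boolean the app must trust, whereas here the decryption simply does not happen unless the Keystore saw the biometric.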
