Mari Frank is an attorney, mediator and digital privacy expert. As the chair of the Privacy Committee of the State Bar of California, Law Practice Management and Technology Section and a member of the Visual Privacy Advisory Council, Frank understands the lengths some criminals—and disgruntled employees—go to in order to embarrass a company, steal confidential data and visually hack when the opportunity is there. Visual hacking is a real threat, Frank warns—but one for which many workers aren't prepared. From fake maintenance personnel in an office to eavesdropping business travelers in an airport, there are many scenarios that can cause major harm to an organization. With this in mind, Frank shared with CIO Insight details from the underhanded world of visual hacking—and what employers and employees can do to avoid falling victim to the tactics of cyber-criminals with a wandering eye.
CIO Insight: What is visual hacking?
Frank: Visual hacking is a low-tech method of data theft used to capture sensitive, confidential and private information for unauthorized use. It is a visual breach of sensitive data displayed on electronic devices or paper documents left in plain sight.
CIO Insight: Are visual hackers an opportunistic group, or do they target an individual and then try to glean information from them?
Frank: Visual hackers can target individuals, as well as glean information from “opportunistic” situations. For example, a sophisticated visual hacker can gather confidential data through social engineering, perhaps as a visitor to a competitor’s office or posing as maintenance personnel. The visual hacker could use their smartphone camera to maliciously capture sensitive data from computer screens, confidential papers left on desks, discarded material in unlocked trash bins and other places where sensitive data is left in plain view.
A visual hacker can also seize an opportunity to take advantage of a trusting person who is less than careful about protecting privacy and confidentiality when using a mobile device in public places. For example, it's easy for a visual hacker to view a tablet or a large smartphone on the airplane or train seat next to them. Business travelers working on confidential documents are easy prey for a hacker, who can view or capture information that could hurt the company. In spaces such as airplanes, public transportation, coffee shops and workplaces with open floorplans, situational awareness and privacy screens are critical to protecting visual privacy.
CIO Insight: Is there a danger of visual hacking while an employee is in the relative safety of the office?
Frank: Employees are definitely at risk of visual hacking when in their office, especially in light of today's open, shared workspaces. Case in point: if an employee has had a poor performance review and believes he may be fired, he may maliciously capture sensitive data in order to embarrass the company. Or worse yet, a trusted staff member may use their smartphone camera to access sensitive data in plain view onscreen or offline and sell it to criminals for profit. The honest employee would have no reason to suspect a coworker of visual hacking unless they are aware of the insider threat and are trained in what to look for and what to do. The honest employee, unless trained, will typically not question someone with a visitor badge, even when that person is taking photos of screens and documents. The 3M Visual Hacking Experiment, conducted by Ponemon Institute on behalf of the Visual Privacy Advisory Council and 3M Company, indicates that very point: visual hacking goes unnoticed. A white hat hacker was sent into several corporate and government offices with the goal of stealing sensitive and confidential information using only visual means. In the experiments, the hacker was only stopped in 30 percent of attempts, but even then it was too late. On average, 2.8 pieces of sensitive information were obtained per interrupted visit. This also means that 70 percent of the time, visual hacking went unnoticed or unchallenged by employees.
CIO Insight: Has social media created more opportunities for criminals? The movie ‘Bling Ring’ comes to mind. It’s based on true events—it’s about a group of teens who burglarized celebrity homes. They knew when celebrities, such as Paris Hilton, would be away from home by following them on Facebook and Twitter.
Frank: Social media has made it easier for burglars and identity thieves to target innocent people who divulge vast amounts of information online. For example, if a person posts his entire birth date, including the year and where he was born, there is a way, available online, to determine that person's Social Security number—the key to the kingdom of identity theft.
Facebook and all social networking sites provide a great way to connect with friends and colleagues and to meet new people. But they come with a dark side: your information, no matter how private you make it, is viewable for criminals to obtain. Whether for identity theft, to burglarize a home while its owners are away or to stalk, we all need to consider that whatever we post online may be seen by the world. Whatever information we make available can be accessed by individuals with malicious intent.
There are many resources available to help us protect ourselves. The government has the website OnguardOnline, and the Visual Privacy Advisory Council provides checklists and advice on StopVisualHacking.org, among others.
CIO Insight: Can you give an example of the type of information a visual hacker obtained, how they got it and what they did with it?
Frank: The Visual Hacking Experiment tested how well businesses were able to prevent and detect visual hacking in the office environment. The white hat hacker was able to view sensitive company information from unprotected paper documents, computer screens and other mobile devices. During the two-hour session at each business, the hacker recorded access and login credentials, client personal data, employee information, business correspondence, confidential documents, attorney-client privileged documents, and financial, accounting, and budgeting information. The undercover hacker viewed and used a smartphone camera to take pictures of these confidential documents. Through this experiment, we now have clear evidence that visual hacking happens quickly: 45 percent of hacks occurred in less than 15 minutes and 63 percent of visual hacks occurred in less than a half hour.
CIO Insight: Is it the responsibility of the organization or of the employee to be sure employees aren’t a soft target for a visual hacker?
Frank: The company holds the ultimate responsibility and liability if an employee maliciously or unknowingly allows visual hacking to occur and a consumer or client is consequently hurt or damaged. The company has a duty to train its employees in best practices, and to equip all employees with visual privacy tools like privacy screens to protect sensitive company data. An organization can be sued if there is a security breach and customers become victims of fraud. Obviously, if the employee has conspired to defraud, then they are subject to criminal prosecution and perhaps restitution, but the initial responsibility lies with the employer. Whether it is intellectual property, customer data, or personal information, employees deal with confidential data each day. The company must do its due diligence when hiring, training and equipping employees with the resources they need to ensure cyber-security and visual privacy.