In a recent experiment, a white hat hacker was successful 88 percent of the time in visually hacking sensitive information, such as employee access and login credentials, that could put corporate data at risk.
In the 3M Visual Hacking Experiment [PDF], conducted by the Ponemon Institute on behalf of 3M and the Visual Privacy Advisory Council, a security expert entered the offices of eight U.S. companies claiming to be a temporary or part-time worker. The white hat hacker used the following methods to visually hack sensitive information:
- walking through the office scouting for information in full view on desks, screens and other indiscreet locations
- taking a stack of business documents labeled as confidential
- using his smartphone to take a picture of confidential information displayed on a computer screen
All of the above tasks were completed in full view of other office workers. In fully 70 percent of cases, the visual hacker was not stopped by employees, even when using a cell phone to take a photo of data displayed on a screen. When the visual hacker was stopped by an employee, he was still able to obtain an average of 2.8 pieces of company data, compared to 4.3 when not stopped.
“In today’s world of spear phishing, it is important for data security professionals not to ignore low tech threats such as visual hacking,” Ponemon Institute chairman and founder Larry Ponemon said in a statement.
“A hacker often only needs one piece of valuable information to unlock a large-scale data breach,” Ponemon added. “This study exposes both how simple it is for a hacker to obtain sensitive data using only visual means, as well as employee carelessness with company information and lack of awareness to data security threats.”
The study also found that 45 percent of companies were visually hacked in less than 15 minutes, and 63 percent were visually hacked in less than half an hour.
An average of five pieces of information were visually hacked per trial, including employee contact lists (63 percent), customer information (42 percent), corporate financials (37 percent), employee access and login information (37 percent), and information about employees (37 percent).
Fifty-three percent of the sensitive information acquired was obtained from a computer screen, far more than from vacant desks (29 percent), printer bins (9 percent), copiers (6 percent) and fax machines (3 percent) combined.
Open floor plans made visual hacking easier — in companies with an open office layout, an average of 4.4 information types were visually hacked, while companies with a traditional office layout saw an average of 3.0 information types visually hacked.