What is visual hacking? In essence, visual hacking is spying on what’s on others’ computer screens and desks.
3M’s 2016 Global Visual Hacking Experiment has found that the overwhelming majority of companies across the globe are not prepared to detect visual hacking in business office environments or to protect their most valuable information. To test the efficacy of visual hacking techniques, 3M had a white hat assume the role of a temporary office worker.
White hat experiment
The person received a valid security badge, worn in plain sight, and walked into 46 participating companies to perform three overt tasks:
- walk through the office scouting for information in full view on desks, monitor screens and other indiscreet locations like printers and copy machines;
- take a stack of business documents labeled as confidential off a desk and place it into a briefcase;
- use a smartphone to take a picture of confidential information displayed on a computer screen.
The hacker completed all three of these tasks in full view of other office workers at each company. And in 91% of instances, these attempted visual hacks were successful. The hacker successfully captured 613 pieces of content, including login credentials, financial information, and privileged and confidential documents. In all, 27% of the data hacked was classified as sensitive information.
Duration and employee response
Visual hacking happens quickly, too: It took less than 15 minutes to complete the first visual hack in 49% of trials.
Meanwhile, company employees seemed oblivious. In 68% of trials, the employees didn’t stop the white-hat hacker. In only three cases did a worker contact the office supervisor about a possible insider threat.
The study also found that certain situations are riskier: 52% of sensitive information was visually hacked from employee computer screens. But office layout affects visual hacking; traditional offices and cubicles make it easier to protect paper documents and more difficult to view a computer screen. In contrast, the open floor plan appears to exacerbate the risk of visual hacking.
On the whole, participating companies with sound control practices experienced on average 26% fewer visual privacy breaches.