Peter Cochrane's Blog: Beware the new phishers

Compiled in San Francisco Airport having observed a young man 'cruising' computer screens in the gate area. Dispatched the next day from San Diego via a free hotel LAN

During the past 12 months or so I have become increasingly aware of people 'cruising' airport lounges, concourses and trains. They walk up and down the aisles, generally acting strangely in public places where laptop and other personal screens are in use.

In every case they have seemingly been texting on their mobile phone but on closer inspection I think they have been taking photographs and making movies.

As far as I can see this activity is largely the domain of youngish men, and we might suspect they are taking photos of unsuspecting pretty females. But I think the real reason is more sinister. I reckon they are collecting screenshots in the hope of capturing some useful information. I also suspect they are making movies of keystrokes at some distance.

The use of miniature cameras as the tool of the spy is well understood and documented. Now we have a new opportunity to get up close and personal with the silent and effective camera embedded in every mobile phone.

What a way of gleaning strangers' passwords, account numbers and much more. In the security and hacker communities, this is probably recognised and well understood but the general public are oblivious.

There is now only one question to ask: how effective is it? And only one way to find out: try it!

For several weeks I have been opportunistically taking pictures of screens whenever and wherever I can. The objective has been to establish the quality of the pics and what one might be able to read or discern from them.

My first big surprise was the sheer number of unattended screens out there. The second was how easy it was to take shots without being detected or raise suspicion. The third was just how close you can get to people without them even noticing your presence, let alone the fact you have a mobile phone peeking over their shoulder.

The pics below give an idea of what is possible with a modest 2MP mobile phone camera at a short distance under normal lighting conditions - without a flash of course.

Did I get any interesting info? That's a secret. What I can reveal is that a slightly more expensive, 6MP handheld camera results in significantly better results at a slightly longer distance from the target. But of course, you have to go to greater lengths to disguise what you are really up to. Even more interesting are the results using a 10MP camera and a telephoto lens. See below:

Impressive or what? In my view you would have to take an awful lot of pictures, and make a lot of movies, before you got lucky. But if you are a criminal then it's all in a day's work, and if you get a hit or two, what then? Well, your guess is as good as mine.

So it's back to people-watching for me, and an attempt to estimate how many of these snappers there are.

Oh, on a matter of security: All the original pics (and there were an awful lot) taken during this experiment and the material recovered have been deleted and there is no record of location or subject. Also, I am not about to release the technical data and practical experiences that saw an improved data recovery rate with time.

But here's a teaser. Look at the resolution of the (estimated 16 point) text recovered by a good quality camera and lens at quite a distance.

Finally, let me just say that you should cover your fingers when entering a PIN or password in a public place. And if you are going to read sensitive or private information on a screen, look over your shoulder first!