The Reflection in the Window
Why “looking over your shoulder” is the oldest hack in the book, and why it still works on everyone.
THE COUNTERMEASURE
Dispatch #018
You’re at an airport lounge, or maybe a crowded coffee shop. You’re working on a presentation, or perhaps you’re just checking into your flight on your phone. You feel productive. You’ve got your VPN on. Your password is a complex string of characters. You think you’re digitally invisible.
But a hacker like Niko Webb isn’t staring at his laptop. He’s sitting two tables away, sipping a black coffee, and he’s not looking at your screen. He’s looking at the reflection in the large glass window behind you.
In the world of tradecraft, this is Visual Hacking (or “Shoulder Surfing”). It requires zero technical skill, no malware, and no expensive equipment. It just requires a lack of awareness from the target.
The Tradecraft: The “Telephoto” Glance
Most people assume that to steal information from a screen, you have to be standing directly behind them. Niko knows better.
The High-Res Snapshot: Modern smartphone cameras are powerful enough to capture clear text on a laptop screen from 15 feet away. Niko can pretend to take a selfie or a photo of his latte while actually zooming in on your open email.
The Reflection Trick: Glass windows, polished marble walls, and even the “mirror” of an elevator door provide a perfect, reversed view of your screen.
The Pattern Capture: Niko doesn’t even need to see your password. By watching the movement of your fingers on a keyboard or phone screen (the “swiping” or “tapping” rhythm), a pro can reconstruct your PIN or password with 80% accuracy in just one try.
So What?
This is where people get it wrong. They think, “Who cares if someone sees my flight details or a boring work email?”
To a hacker, that “boring” info is a Skeleton Key.
Let’s take that Flight Confirmation Number (PNR) you just pulled up. Most people think it’s just a random string of 6 letters. But with just your PNR and your last name (both of which are on your boarding pass), Niko can:
Cancel or Change Your Flight: He can literally log into the airline’s site and move your flight to next Tuesday, just to get you out of the way.
Steal Your Identity: Many airline “Manage Booking” pages show your Passport Number, date of birth, and Known Traveler Number (KTN) to anyone who has logged in with that PNR.
The Travel Hijack: He can see where you’re staying, who you’re traveling with, and when your house will be empty.
The Countermeasure: Hardening Your View
The Corner Strategy: In public, never sit with your back to an open room. Always choose a “corner” seat or a seat with a wall behind you. Niko can’t see what he can’t get behind.
Privacy Filters: Invest in a physical Privacy Screen for your laptop and phone. These use “micro-louver” technology that makes the screen look completely black to anyone not sitting directly in front of it.
Lower Your Brightness: Most people have their screens at 100% brightness. In a public space, drop it to 30%. It makes it significantly harder for a camera or a reflection to capture clear text.
The Boarding Pass Rule: Never, ever post a photo of your boarding pass on social media (even if you “blur” the name). Those barcodes contain your PNR and all your personal travel data. One scan and your trip is compromised.
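To make the Boarding Pass Rule concrete, here is an added example (not part of the original dispatch and not the author's code) that splits the fixed-width mandatory block of an IATA BCBP barcode string into its fields. It shows that the surname and PNR are in the barcode itself, so blurring the printed name changes nothing. The field labels are names chosen for this sketch, and the sample pass is constructed.

```python
# Added example: mandatory fields of an IATA BCBP ("M" format) boarding-pass
# barcode, first flight leg, as (label, width in characters). Labels are this
# sketch's own names; the widths sum to 60.
FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3),
    ("to_airport", 3), ("carrier", 3), ("flight_number", 5),
    ("day_of_year", 3), ("cabin", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("extra_size_hex", 2),
]
MANDATORY_LEN = sum(width for _, width in FIELDS)  # 60

# Constructed sample (fictional passenger, booking and carrier), assembled
# field by field so each width is explicit.
SAMPLE = (
    "M" + "1" + "DOE/JANE".ljust(20) + "E" + "XYZ789".ljust(7)
    + "JFK" + "LHR" + "ZZ".ljust(3) + "0123".ljust(5) + "045"
    + "Y" + "012A" + "0007".ljust(5) + "1" + "00"
)

def parse_bcbp(raw):
    """Split the fixed-width mandatory block into named, trimmed fields."""
    if len(raw) < MANDATORY_LEN or raw[0] != "M":
        raise ValueError("not an IATA BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in FIELDS:
        fields[name] = raw[pos:pos + width].strip()
        pos += width
    return fields

def disclosed_by_photo(raw):
    """What a readable barcode gives away, even with the printed name blurred."""
    f = parse_bcbp(raw)
    surname, _, given = f["passenger_name"].partition("/")
    return {
        "surname": surname,
        "given_name": given,
        "pnr": f["pnr"],
        "route": f["from_airport"] + "-" + f["to_airport"],
        "flight": f["carrier"] + f["flight_number"],
        "day_of_year": int(f["day_of_year"]),
        "seat": f["seat"],
    }

if __name__ == "__main__":
    for key, value in disclosed_by_photo(SAMPLE).items():
        print(f"{key:12} {value}")
```

Run it against the string a barcode reader returns from your own old boarding pass to see what a posted photo would have disclosed.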
Note to readers: my book featuring white hat hacker Niko Webb is out now on Amazon! Read the first chapter for free on Substack.
The Sign-off
Your screen is a billboard. In a public place, treat it like one. If you wouldn’t want it printed on a flyer and handed out to strangers, don’t open it at a coffee shop.
Next week, we’re going back to the physical world to look at The Padlock Shim. I’ll show you why that “Heavy Duty” lock on your gym locker or garden gate can be defeated by a piece of a soda can.
Stay dangerous,
Alex Holt



