Spam, ransomware, phishing, spear phishing and SQL injection are all well-known attacks which can, and do, breach company and individual security. However, QA finds that many people do not think about the physical element: what can be physically seen and heard. Firewalls, antimalware and two-factor authentication do not protect against someone overhearing a conversation or seeing a screen. It is often said that “people are the weakest link”.
Loose lips sink ships
A QA cyber expert was on a flight from a London airport to another location in the United Kingdom and, from three rows back on the plane, observed someone unlock their phone. This was the pattern:
Let’s consider for a second what a criminal actor could have done if they, rather than QA’s expert, had observed the unlocking.
Perhaps the phone belonged to a solicitor who had worked on sensitive cases. The phone is therefore likely to contain a great deal of sensitive information, potentially of interest to one party in the deal. How would a hacker go about gaining access to the target’s phone?
Step 1, Open source intelligence. The law firm’s website talks about the deal and names this man as the solicitor participating in this high-profile deal. The website lists his details, a vCard and a LinkedIn profile. Scour social media profiles to see where he lives, and his timings.
Step 2, Observation. Put the office under surveillance, find out when he comes in and leaves, and where he goes to drink. One day tail him somewhere, see his smartphone’s swipe pattern (it was, after all, visible from three rows back on a plane) and note it down. Leave him be.
Step 3, Intervention. Another day, stage a mugging and steal his phone.
The phone can then be unlocked with the swipe pattern, with no technical wizardry, and the hacker has broken through all of the other defences without leaving a trace on the law firm’s network.
The same applies to people carrying documents, reading emails on a laptop or smartphone, or entering passwords on a tablet or laptop. Every so often a government document is leaked because it was carried into a meeting uncovered and caught by the long lens of a photographer outside No.10 Downing Street. Ministers may now be careful to carry documents in an envelope, but QA’s experts have observed multiple examples of people reading sensitive documents on paper or laptops while on public transport (including sensitive government documents).
Protecting information responsibly
The defences against such attacks are simple.
First, organisations should work to change norms and behaviours in their teams. Individuals should be aware of their surroundings and of the risk of conversations being overheard or screens being seen. Raising awareness should be the first priority.
Second, a range of very simple ‘off-the-shelf’ tools is available to reduce the risk. Most mobile phones now have fingerprint or face recognition, and using it reduces the risk of a passcode being stolen. Ensure all phones and laptops have privacy screens, which limit the viewing angle. Carry documents in envelopes.
These are low-cost solutions to what could be a very expensive problem. Data security doesn’t just mean high-tech; behavioural solutions are required too.

Graeme Batsman
Graeme joined QA in 2017 and has worked in security on and off for 15 years. His last role was as a Senior Technical Security consultant at Capgemini covering the public and private sector.
From the age of 17, he was running investigations into online scams and phishing. Today he teaches and/or has written: CEH, OSINT, CTF (conventional or OSINT), CyberFirst, practical encryption and Security+. Graeme is an avid writer with 130+ articles to his name and a chapter in a published book.
He loves thinking like a hacker to review and tweak settings with a fine-tooth comb.