The recent security problems at Zoom have only continued to spiral out of control. As people all over the world turn to video conferencing software to keep up with social distancing measures, Zoom has become the world’s most used software, keeping people connected and reducing the impact COVID-19 has had on the economy. If you aren’t aware of the Zoom issues, here’s a quick timeline.
Although many are quick to point fingers at Zoom and call out its lack of security, users should be aware that many of the “Zoombombings” are actually exploits built around poor user practices. Zoom has grown to its massive market share on the back of extremely convenient functions, such as the ability to send a link that immediately places recipients into the call without a password, and a free-user tier that allows anyone to create calls as long as they are shorter than 10 to 20 minutes.
With the media mainly focused on Zoom, we want to drive the conversation towards the bad user practices that affect users well beyond Zoom calls.
1. Using quick link-sharing for confidential or private data
A huge reason why Zoom calls were so easily compromised was the link-sharing functionality. Without a second authentication factor (popularly implemented as “2FA”), anyone who comes across the link on the internet, or even guesses it through simple brute-force strategies, is able to get in and tamper with the call.
The media was quick to point out that this was possible due to the lack of a second factor (such as authenticating the joining user through email or a password, or manual admission by the call host). However, the real issue here is that users have traditionally disregarded how links are tracked across the internet.
One example is the link-sharing functionality in Google Docs. As outlined in this article, a naked link to a Google document easily exposes the document to outsiders, and unlike the Zoom issue, this problem would go unnoticed by the document’s creators. As users continue to rely on unprotected links that require no authentication to share their private data, we can expect that hackers are gradually building up enough information to break through a user’s privacy.
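The practical defence against the link-sharing problem described above is to notice unauthenticated share links before they leave your organisation. The script below is an added example written for this post, not code from Zoom, Google or Oobit: it scans a message for URLs and flags meeting links that carry no embedded passcode and document links whose sharing level should be reviewed. It assumes that Zoom join links embed the passcode as a `pwd` query parameter and that Google Docs links copied from the share dialog carry `usp=sharing`; the message, hosts and IDs are constructed for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample: an outgoing chat message containing several share links.
# The meeting IDs, document ID and internal host are made up for this example.
SAMPLE_MESSAGE = """
Team sync today: https://zoom.us/j/123456789
Use this one instead, it has the passcode baked in: https://zoom.us/j/987654321?pwd=abcDEF123
Notes are in https://docs.google.com/document/d/1AbCdEfGhIjKlMnOpQrStUvWxYz/edit?usp=sharing
Internal wiki: https://wiki.example.internal/page/42
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def classify_link(url: str) -> tuple[str, str]:
    """Return (risk, reason) for one share link.

    Assumed policy (illustrative, not from the post): a Zoom join link without a
    'pwd' query parameter admits anyone holding the link, and a Google Docs link
    copied from the share dialog (usp=sharing) needs its permission level checked,
    because the URL alone does not reveal whether 'anyone with the link' is on.
    """
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    host = parsed.netloc.lower()
    if host.endswith("zoom.us") and parsed.path.startswith("/j/"):
        if "pwd" not in query:
            return "HIGH", "meeting join link with no embedded passcode: the link alone admits anyone"
        return "LOW", "meeting link carries a passcode; still avoid posting it publicly"
    if host == "docs.google.com":
        if query.get("usp") == ["sharing"]:
            return "REVIEW", "document share link: confirm it is not set to 'anyone with the link'"
        return "REVIEW", "document link: confirm sharing permissions"
    return "INFO", "unclassified link"


def scan_message(text: str) -> list[dict]:
    """Find every URL in a message and classify it."""
    findings = []
    for url in URL_RE.findall(text):
        risk, reason = classify_link(url)
        findings.append({"url": url, "risk": risk, "reason": reason})
    return findings


def high_risk_links(text: str) -> list[str]:
    """Only the links that should block sending outright."""
    return [f["url"] for f in scan_message(text) if f["risk"] == "HIGH"]


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(f"{finding['risk']:6} {finding['url']}")
        print(f"       {finding['reason']}")
```

Run on the sample message, only the first Zoom link is rated HIGH; the passcode-bearing link and the Google Docs link are still reported, because a leaked passcode link is just as open to anyone who finds it, and a document's exposure depends on a sharing setting the URL does not show.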
2. Bad password management
Here’s an interesting report about 500,000 passwords to Zoom accounts being leaked. Having been released in the middle of the Zoom controversy, most users would likely pin the blame on Zoom; however, if you read the article, the 500,000 passwords were actually obtained through credential stuffing.
Credential stuffing is the act of taking usernames and passwords leaked in a breach of one service and trying them against a user’s accounts elsewhere. A large percentage of users (50%!) around the world reuse the same password across multiple accounts, sometimes even across work and personal accounts. While users might think that this is fine as long as they keep their password secure, the reality is that each time they create a new account on the internet, they are trusting that site’s administrator to keep their password safe.
Once that site is breached (possibly even internally, by the site’s own administrators) and its passwords become available on the internet, every account that shares the password should be considered compromised as well. Even if the user diligently checks services such as haveibeenpwned, it’s likely to be too late by the time they realize their accounts have been breached.
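From the service operator's side, a credential-stuffing run looks different from a user mistyping their own password: one source address cycles through many distinct accounts in a short time, and most attempts fail. The detector below is an added example, not code from the report or from Zoom, that applies that heuristic to a few constructed authentication log lines; the log format, the addresses and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log, not from any real system.
# Format: "<ISO timestamp> <source ip> <username> <SUCCESS|FAIL>"
SAMPLE_LOG = """\
2020-04-15T10:00:01 203.0.113.7 alice FAIL
2020-04-15T10:00:02 203.0.113.7 bob FAIL
2020-04-15T10:00:02 203.0.113.7 carol FAIL
2020-04-15T10:00:03 203.0.113.7 dave SUCCESS
2020-04-15T10:00:04 203.0.113.7 erin FAIL
2020-04-15T10:00:05 203.0.113.7 frank FAIL
2020-04-15T10:00:40 198.51.100.2 alice FAIL
2020-04-15T10:00:55 198.51.100.2 alice FAIL
2020-04-15T10:01:10 198.51.100.2 alice SUCCESS
2020-04-15T10:05:00 192.0.2.9 grace SUCCESS
"""


def parse_log(text: str) -> list[tuple]:
    """Turn the constructed log into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.6) -> list[dict]:
    """Flag source IPs that try many distinct accounts within `window` with a
    high failure ratio. Thresholds are illustrative assumptions; tune them to
    the service's normal traffic. Accounts that succeeded inside a flagged run
    are listed so they can be reset and their owners notified."""
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((ts, user, outcome))

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        best = None
        start = 0
        # Sliding window over this IP's events, keeping the widest hit.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, o in chunk if o == "FAIL")
            if len(users) >= min_accounts and fails / len(chunk) >= min_fail_ratio:
                if best is None or len(users) > best["distinct_accounts"]:
                    best = {
                        "ip": ip,
                        "distinct_accounts": len(users),
                        "attempts": len(chunk),
                        "failures": fails,
                        "compromised": sorted(u for _, u, o in chunk if o == "SUCCESS"),
                    }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_stuffing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample, 203.0.113.7 is flagged (six accounts, five failures, and `dave` logged in successfully during the run, so that account needs a reset), while 198.51.100.2 is not: three tries on a single account is what a forgetful user looks like. The same logic in a real deployment would run on the authentication service's logs or a SIEM, and the response is rate limiting or a second factor, not just an alert.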
Proper password management means using a unique and difficult-to-guess password for every platform or service. While it’s not realistic to expect a user to commit many different passwords to memory, a simple solution is to use a password manager such as LastPass: software that stores passwords in an encrypted vault, enabling users to generate and save a unique password for each site without having to memorize it.
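The two habits this section and the previous one recommend, a unique random password per site and checking passwords against breach data, can be put into a single audit. The script below is an added example, not LastPass or haveibeenpwned code: it finds passwords reused across sites in a constructed vault, checks each against a local stand-in for a breached-password corpus using the same SHA-1 prefix (k-anonymity) model the haveibeenpwned range API uses, and generates a replacement from the operating system's CSPRNG. The vault entries, the breach corpus and its counts are made up for the example.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed vault of site -> password. These are made-up example credentials.
SAMPLE_VAULT = {
    "mail.example.com": "Summer2019!",
    "bank.example.com": "Summer2019!",
    "video-calls.example.com": "Summer2019!",
    "forum.example.org": "x9#Lq2!vR7pA0wZe",
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breached-password corpus, keyed the way a
# k-anonymity lookup works: first 5 hex chars of SHA-1 -> {suffix: count}.
# Only "Summer2019!" is in it, and its count is invented for the example.
_BREACHED = _sha1_hex("Summer2019!")
BREACH_CORPUS = {_BREACHED[:5]: {_BREACHED[5:]: 12345}}


def breached_count(password: str, corpus=BREACH_CORPUS) -> int:
    """How many times the password appears in the corpus. Only the 5-character
    hash prefix is looked up (the part a real range API would see); matching
    the remaining suffix happens locally, so the password itself never leaves
    the caller."""
    digest = _sha1_hex(password)
    suffixes = corpus.get(digest[:5], {})
    return suffixes.get(digest[5:], 0)


def reused_passwords(vault: dict) -> dict:
    """Map each password used on more than one site to the sorted list of sites."""
    sites_by_pw = defaultdict(list)
    for site, pw in vault.items():
        sites_by_pw[pw].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_pw.items() if len(sites) > 1}


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, as a password manager would generate,
    so every site gets its own value that nothing in a breach dump predicts."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit_vault(vault: dict) -> list[dict]:
    """Report every site whose password is reused or known-breached, with a
    fresh, distinct replacement proposed for each."""
    reuse = reused_passwords(vault)
    findings = []
    for site, pw in vault.items():
        problems = []
        if pw in reuse:
            problems.append(f"reused on {len(reuse[pw])} sites")
        seen = breached_count(pw)
        if seen:
            problems.append(f"seen {seen} times in breach data")
        if problems:
            findings.append({"site": site, "problems": problems,
                             "replacement": generate_password()})
    return findings


if __name__ == "__main__":
    for finding in audit_vault(SAMPLE_VAULT):
        print(finding["site"], "->", "; ".join(finding["problems"]))
```

On the sample vault the three sites sharing `Summer2019!` are each reported twice over (reused and breached), which is exactly the situation the 500,000-password leak exploited, while the forum's unique random password passes. The generated replacements only help if they actually go into a manager rather than back into memory.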
Oobit takes security very seriously, and we urge you to do so too
Cryptocurrency users all around the world face the threat of being hacked, phished, or becoming the next target of malicious individuals. Learning the basics of protecting yourself in the digital era is necessary to keep you and your coins from being lost. We’re willing to bet that somebody out there saves their private keys in a Google document; hopefully reading this helps them understand why that is a bad idea!