Using Zoom During Covid-19 Lockdown Exposes Users To New Data and Privacy Cyberattacks
Even with social distancing restrictions loosening in many countries, people across the world continue to find themselves under lockdown as governments manage Covid-19 outbreaks. While most of us are still reeling from the implications to the global economy and job security, it would seem hackers are making the most of the turbulence.
Phishing attempts, coronavirus-themed fraud, and cyberattacks are increasing exponentially as fraudsters pummel organizations of all sizes in their attempts to gain access to sensitive information. They know just where to find that sensitive information, thanks to the inexperienced remote workforce that has been forced to work from home at this time.
In light of the pandemic, the usage of applications that enable virtual meetings has skyrocketed. One of the worst-hit platforms has been Zoom. Relatively unknown up until a few months ago, its use has soared in ways that the developers did not foresee before the pandemic struck.
Millions of people created user accounts in a very short space of time in order to keep up with their work activities and to maintain contact with their colleagues. The drastic rise in user numbers led to intense scrutiny of the platform’s privacy and security measures by both security experts and cybercriminals alike, and the attacks started rolling in.
It might be cliché to say, but with great power comes great responsibility. The Zoom platform’s user base grew from 10 million active users to over 300 million active users between December 2019 and April.
It is important to note that the cloud-based Zoom wasn’t originally designed to be used by consumers, but that is exactly what happened. With large-scale data breaches becoming more common every day, Zoom was bound to be breached sooner or later.
Unfortunately, it turned out to be sooner. The massive influx of new users forced the company to consistently evaluate its platform but in particular to make significant changes to its default privacy settings. A variety of problems with the Zoom platform have drawn media attention, leading to glaring holes in the company’s reputation while they have scrambled to pick up the pieces. The most notable of these is called hijacking or “zoom-bombing.”
Calls that are not set up to be private or include password-protection are accessible to anyone who inserts the nine- to 11-digit meeting code, and studies have shown how legitimate meeting codes can be easily detected. This has now been addressed. Recently, Zoom also had to make improvements to its iOS and iPad applications to stop Facebook from gathering user data, one of many Facebook-related privacy issues that has arisen. They were also forced to fix an issue that allowed websites to turn on the cameras of Mac users without authorization.
Another concern is that Zoom says its calls can be encrypted but does not use the same kind of end-to-end zero-knowledge encryption that is accepted as the industry standard for cloud-based communications services.
Messages or calls that make use of end-to-end encryption are essentially encrypted with the public key of the receiving user that is open to everyone but can only be opened by the user’s private key. Messaging applications such as WhatsApp use this mechanism to ensure that only the recipient of a message can read it – not even the provider of the app has access.
Furthermore, researchers have noticed encryption keys on China-based Zoom servers (in which the corporation has development locations) even though there were no Chinese participants in the call. This opens up the possibility that conversations could be eavesdropped on by the Chinese government, which is well-known for its regulation of internet communications in the region.
Zoom has now begun giving paying customers the option to bypass their servers based in China or other regions. Hackers are quite adept at avoiding detection and can sometimes come in the guise of a seemingly trustworthy website.
There has been a significant increase in new domain registration names that include references to “Zoom.” Over 1,700 new register domains have been registered since January 2020, of which 25% were registered during April 2020.
Researchers emphasize that in this selective targeting, Zoom is not alone. New phishing websites have been uncovered for every major communication platform, including Skype, WhatsApp, Google Hangouts, and Google Classroom. Zoom has introduced steps or options to at least partially fix all of the problems identified — and said it would freeze the development of any new features for three months so that it can concentrate on improving its security measures.
Reducing your chances of falling victim
The coronavirus pandemic has increased our reliance on smartphones, laptops, and other connected devices to stay in contact with our loved ones and colleagues.
Although cyber surveillance is a long-standing threat, this new trend means significantly decreased options for applying physical security alternatives (like sharing confidential information in person rather than online). It also raises human rights issues. Everyone is more vulnerable to cyber attacks while scammers are trying to exploit the outbreak.
Fortunately, there are several things we can do to keep ourselves secure.
1. Put your privacy first
Whether you are at home or connected on public or open networks, spending a lot of time online will mean increasing exposure to your personally identifiable information. This might be the ideal time to look at your privacy settings across your social media platforms and on each of your connected devices. By disabling your search history and location tracking on your Google account, you can already put a dent in the data gathered about you.
2. Stay safe when connecting to video chats
Video conferencing has blown up during the pandemic as colleagues, friends, and family have turned to apps that provide group calls. But concerns have been raised about their safety, and Zoom had to withdraw the claim that their platform was encrypted on an end-to-end basis. Taiwan has since forbidden government agencies from using it on safety and security grounds.
It is worth exploring lesser-known alternatives that do not require users to install software or even create an account. It is safer to use end-to-end encryption services like Signal, WhatsApp, or Wire for chats with a smaller group of people.
3. Invest in a digital spring cleaning
Deleting accounts that you are no longer using reduces overall access to your data. Be sure to delete any old or unused accounts in their totality to ensure nothing remains on public servers. Part of your spring cleaning should also involve downloading a password manager that can store all your passwords in encrypted form and create new unique, hard-to-guess passwords.
4. Don’t click on suspicious links
Phishing scams aim to trigger confusion and fear, and Covid-19-related scams are no different. Emails or SMS messages promising new cures or developing stories and new information on the virus may contain malware within the supplied links and attachments — this is a common social manipulation technique used by scammers to persuade people to give away their personal or other sensitive information.
If you don’t know the person or the organization that sent the email or letter, don’t click on the connection or open the attachment. Look for inconsistencies in the way the text or email is written — sometimes typos or the language used is a dead give-away. You can also use unique identification codes to detect phishing scams as well, which can be assigned to you with web analytics software to track your activity as you move through legitimate sites.
5. Update the software on your connected devices
Your computers and any programs that connect to the internet should always be updated to minimize the risk of a cyberattack. Most browsers update automatically, so look at the applications you use to read documents or view images and videos online.
If you use outdated versions of software, any known patches for vulnerabilities will not have been applied, leaving you open to cybercriminals. It’s just as important to be aware of the known vulnerabilities on your websites or apps and the pages that you most frequently visit.
Above everything else, among the most fundamental things that we can do to remain secure in today’s data privacy landscape is to stand up for digital rights — now and in the future. In reaction to the pandemic, governments and organizations around the world are rushing to develop more invasive surveillance devices.
Some of these might save lives, but others might undermine our online privacy and other human rights in ways that would change our lives for years to come. Now is the time to come together to ensure that the pandemic does not harm not only our health but also our online rights.
Gary Stevens is a front-end developer and copywriter who specializes in writing about cybersecurity, blockchain, and tech trends.