As the COVID-19 pandemic has necessitated that more people work, attend classes, and even connect with family and friends online, video conferencing solutions have exploded in popularity, with Zoom leading the pack. According to the BBC, Zoom is currently the number one app in the U.S., and number two in the UK.
However, suddenly becoming the most popular kid on the block has resulted in the platform coming under increased scrutiny regarding its privacy protocols and cybersecurity posture. Gizmodo reports that in the U.S., the New York Attorney General’s office has launched an investigation into Zoom’s cybersecurity and privacy practices, and the F.B.I. has issued a warning about the risks of Zoom meetings being hijacked, a practice so ubiquitous it has already spawned a new phrase: “Zoombombing.”
The Cybersecurity and Privacy Risks of Using Zoom
As both the BBC and Gizmodo point out, Zoom had come under fire for security and privacy problems long before the COVID-19 pandemic made it a household name; the New York Attorney General’s office has expressed concern that the company did not address these prior issues expediently.
The current problems Zoom is facing include:
- The company’s claims that its meetings were secured by end-to-end encryption turned out to be false. As The Intercept reports, Zoom meetings are secured using TLS, i.e. transport encryption between each participant and Zoom’s servers. This is quite different from end-to-end encryption: someone who intercepts an attendee’s or presenter’s Wi-Fi traffic cannot access the meeting’s video and audio content, but Zoom itself can.
- All Zoom meetings are public by default; anyone with a link can join and share their screen. If presenters do not configure the settings to disable these features, the meeting is vulnerable to Zoombombing. Unwanted guests can disrupt meetings by sharing offensive content; they can also sit quietly and use the opportunity to steal confidential information shared in the meeting.
- Various privacy issues, including a “Company Directory” feature that groups together users who share the same email domain. Motherboard reports that thousands of users had their emails and photos exposed because they registered for the service using their personal email accounts, and the Zoom system flagged them as co-workers instead of total strangers.
The company is also being vexed by a problem that isn’t its fault: because the service has become so popular, cybercriminals are busily registering domains containing the word “Zoom” and using them to launch phishing campaigns.
How to Protect Yourself When Using Zoom
- If you’re using Zoom for work or school, register for the service using your employer’s or school’s email address, not your personal account, and secure your Zoom account using Multi-Factor Authentication (MFA).
- If you’re a presenter, prevent Zoombombing by configuring the meeting settings to allow only invited guests, enabling the waiting room feature to screen early birds and latecomers, and disabling guests’ ability to share their screens or transfer files.
- Never share meeting links on public channels, such as Twitter or Facebook.
- Never share your Personal Meeting ID (PMI) or use it to host public events. Anyone who has your PMI can tell if you’re currently hosting a meeting.
- Take the same anti-phishing precautions you should already be taking. Keep an eye out for lookalike domains, unfamiliar email senders, spelling and grammar errors in emails and on websites, and unknown links and email attachments.
- Use a password manager such as Keeper. In addition to securing your Zoom login credentials, the KeeperFill feature will protect you against lookalike domains by ensuring that you’re only logging into sites that are registered and protected in your vault.
- Sign up for a dark web monitoring solution such as Keeper BreachWatch, which will continuously scan the dark web and alert you if it finds your Zoom credentials or any of your other login credentials.
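The lookalike-domain problem described above (attackers registering domains containing “Zoom” for phishing, and the advice to watch for them) can be turned into a simple check. The following is an added example, not code from the original post or from Keeper or Zoom: it assumes that the only legitimate Zoom hosts end in zoom.us, and every sample URL in it is constructed for illustration.

```python
# Added example (not from the original post): flag URLs whose host is a
# lookalike of zoom.us, the kind of phishing domain the post warns about.
# Assumes the only legitimate Zoom hosts end in "zoom.us"; all sample URLs
# below are constructed for illustration.
from urllib.parse import urlparse

LEGIT_SUFFIXES = ("zoom.us",)
# Digit-for-letter substitutions often used to imitate a brand name.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
BRAND = "zoom"

def is_legit(host: str) -> bool:
    """True if the host is the brand domain or a subdomain of it."""
    return any(host == s or host.endswith("." + s) for s in LEGIT_SUFFIXES)

def normalize(host: str) -> str:
    """Lowercase, strip a trailing dot, undo digit-for-letter substitutions."""
    return host.lower().rstrip(".").translate(HOMOGLYPHS)

def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for a single URL."""
    host = urlparse(url).hostname or ""
    if not host:
        return "unrelated"
    if is_legit(host.lower()):
        return "legit"
    # Brand name appearing anywhere in a non-allowlisted host, including
    # in a subdomain label (e.g. zoom.us.example) or spelled with homoglyphs.
    if BRAND in normalize(host).replace("-", ""):
        return "lookalike"
    return "unrelated"

def flag_lookalikes(urls):
    """Return the subset of URLs classified as lookalikes, in order."""
    return [u for u in urls if classify_url(u) == "lookalike"]

# Constructed sample of links as they might appear in invitation emails.
SAMPLE_URLS = [
    "https://us04web.zoom.us/j/123456789",
    "https://zoom.us.meeting-login.example/j/123",
    "http://z00m-meeting.example/join",
    "https://zoomus-support.example/reset",
    "https://example.com/zoom-tips",   # "zoom" only in the path, not the host
    "https://www.example.org/",
]
```

Running flag_lookalikes(SAMPLE_URLS) returns the three lookalike links and nothing else; a real deployment would extend LEGIT_SUFFIXES with whatever Zoom-owned domains your organisation actually uses.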