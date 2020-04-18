Zoom Video Communications saw a boom in its user base, ever since lockdowns across the world due to the COVID-19 pandemic forced people to switch to video calling for work.

The video calling service initially shot to popularity with its option of customised backgrounds - users could choose a wide range of virtual backgrounds of their choice in meetings to hide their original backgrounds. However, with cybercrimes on the rise, Zoom users have faced breach in the login credentials, risking the leak of confidential information.

Recently the Cyber Coordination Centre (CyCord), under the Union Ministry of Home Affairs issued an advisory to highlight the security issues with the video calling app. The advisory stated that the app was not to be used by government officers for official purposes, and provided a security guideline for private users.

Also Read: Aarogya Setu App Crosses 50 Mn Downloads: All You Need To Know

However, the advisory came weeks after images of Union Minister of Defence Rajnath Singh using Zoom to talk to Chief of Defence Staff Bipin Rawat, went viral on social media. Aaditya Thackeray, Cabinet Minister of Tourism and Environment Government of Maharashtra, also tweeted out recently on how he used Zoom to conduct meetings with Brihanmumbai Municipal Corporation (BMC) officers.



Zoom claims it offers end-to-end encryption. But a probe finds that Zoom meetings are potentially compromised when keys for encrypting and decrypting are transmitted to servers in China: https://t.co/HiJyr0Q9fG. The last thing the Indian defense minister should be doing is this! pic.twitter.com/zQ9VErzxxy — Brahma Chellaney (@Chellaney) April 6, 2020

This afternoon, I took a zoom video meeting of @mybmc 's officers, along with Municipal Commissioner Pravin Pardeshi ji, for the preparations of the onset of the monsoon and to complete the essential pre monsoon works in time, along with our fight against Covid (1/n) — Aaditya Thackeray (@AUThackeray) April 17, 2020

Zoom was founded by Eric Yuan, an American of Chinese origin, in 2011. Yuan's Chinese origins have drawn criticism from people, with increasing number of fingers being pointed at China for being the country of origin for the ongoing COVID-19 outbreak. Earlier, the encryption and decryption keys for Zoom meetings were transmitted to servers in China, which has also raised security concerns.



In a recent report, tech blog Bleeping Computer was able to purchase credentials of over 500,000 Zoom accounts on the darknet using credential stuffing.

Credential Stuffing Of Zoom Accounts



Credential stuffing is a commonly used method to compromise user accounts online, and Zoom is hardly the only company to face such an issue.

Also Read: WhatsApp Limits Frequently Shared Messages, New Search Option Soon

What is credential stuffing? Hackers collect huge troves of usernames and passwords through various breaches and attempt to stuff them into the login page of other online services. The idea is simple - people are likely to use the same username and password across several sites. If you find the username and password for someone's Facebook profile, chances are you might be able to enter their Gmail using the same credentials.

The best way to get around credential stuffing is to have a unique password for every digital service you use.

Zoom acknowledged this issue and said that they were "building systems to detect whether people are trying out username and password pairings and block them from trying again".

"We have also hired multiple intelligence firms to find these password dumps and the tools used to create them, as well as a firm that has shut down websites attempting to trick users into downloading malware or giving up their credential," the company said in its progress report.

BOOM reached out to Zoom for a comment on this matter, and the article will be updated upon receiving a response.

Following this breach, Zoom has tightened its security features which has been the focus of the weekly webinar hosted by CEO Eric Yuan.

Here are the new security features of the widely popular video calling app:

1. Enhancing Password Complexity For Meetings

According to Bleeping Computer's report, many Zoom users faced the risk of credential stuffing attacks, where leaked credentials from other websites were compiled and tried on Zoom to see if there is a match. "The successful logins are then compiled into lists that are sold to other hackers," they reported. If a potential attacker has access to someone's credentials, they could potentially snoop into private meetings.

In order to improve upon this potential risk, Zoom has now enhanced the minimum requirements for passwords to include "numbers, letters, and special characters, or allow only numeric passwords".

During the first weekly webinar, named "Ask Eric Anything", Yuan stated that a new and unique password should be set for every meeting.

"For business meetings, I normally use a password, and after everyone has joined, I lock the meeting. And for very sensitive meetings, I will only allow authenticated users from the same domain as mine to join the meeting," Yuan said.

2. Are Calls Encrypted?

In the first webinar, Yuan mentioned that Zoom currently uses AES-256 ECB encryption, which is currently being upgraded to AES-256 GCM - which is considered more secure. In a progress report released on April 15, the company stated that its "long-term focus will involve a totally new cryptographic design that greatly reduces risk to Zoom's system".

3. File Sharing Disabled For Now

Yuan also mentioned that a potential security vulnerability was found with the file sharing feature, which was than disabled. The company is yet to announce when the feature will be available again.

"If there is any conflict between our features and our user's privacy and security, privacy and security come first," he said.

4. Default Settings Upgraded

Zoom's progress report stated that meeting passwords and Waiting Rooms will be enabled by default for Basic users and single Pro users. Those part of Zoom's K-12 education program will need a password to join meetings, while Waiting Rooms are also activated by default for such users.

5. Data Centre Routing - Increased Control

In one of the most recently released features, account admins for paid Zoom accounts will now have the ability to choose the data centre regions their account can use for real-time meeting traffic. They will be able to do so by either opting out of specific data centre regions, or opt in on a data centre region of their choice.

Cybercrimes On The Rise

The recent spate of lockdowns around the world has pushed people to depend on internet for most activities, including work. This has drawn the attention of cyber criminals, who are looking to exploit this dependency to extract sensitive information. The attack on Zoom accounts is only one of the many instances of such crimes taking place, as the world comes to term with data security issues.



