Credit unions know Zoom isn’t secure. They’re using it anyway.
Videoconferencing tools may help bridge the communication gap credit unions are currently facing during the coronavirus, but at what cost?
Business continuity has been strained as credit union employees work remotely. To help with that, many management teams have turned to videoconferencing to keep their institutions running and employees informed.
However, the last few weeks have unveiled a host of cybersecurity concerns with the popular video messaging platform Zoom. There have been problems with end-to-end encryption, and hackers have been able to access the webcams of users. As a result, thousands of personal photos and email addresses of users have been exposed. And that's just the tip of the iceberg for Zoom's cyber vulnerabilities.
Despite this, credit unions are still using the software.
“I know that Zoom has had some issues, but I believe these issues are more related to people not using some of the advanced features, like meeting passwords and other security tools,” said Jaime Vasquez, vice president of information technology at Water and Power Community Credit Union in Los Angeles.
Zoom's usage has skyrocketed in the midst of the coronavirus pandemic as businesses have employees work remotely in an effort to slow the spread of the outbreak. More than 200 million users were on Zoom each day in March, up from roughly 10 million in December.
While working remotely, it's important to communicate more often so employees feel connected and don’t feel isolated, Vasquez said. The $747 million-asset Water and Power Community Credit Union has used Zoom to help with that and to conduct its annual member meeting and board meetings.
Vasquez advises his staff to exercise caution when using the system, such as setting a meeting password. He also encourages workers to utilize the waiting room option, which requires users to wait until they’re granted access to a meeting, ensuring that unauthorized guests don’t join the call.
“So far, we haven’t had any issues with Zoom,” he said. “We’ve been OK so far.”
Zoom’s sudden popularity is due in part to the software’s ease of use. Users don’t need logins to access meetings and aren’t required to download any plugins or software to use the platform.
In fact, Zoom is one of the easiest videoconferencing tools for consumers to use on the market, according to Kurtis Minder, co-founder and CEO of the cybersecurity firm GroupSense. But the easiest option isn’t always the best choice, especially for an industry that deals with highly sensitive information such as credit unions.
“Any developer or product manager will tell you about the difficult balancing act that is ease of use versus security,” Minder said. “In the case of Zoom, they had many of the security features available to users prior to the publicized exploits, but those features were just not enabled by default.”
Much of Zoom’s appeal also rests on its price. The platform offers 40-minute conference calls with up to 100 attendees free of charge.
But that can also create vulnerabilities. For example, the free version of a video messaging system will send a user a link to a meeting that’s not password protected, while the paid version of the same software will prompt the host to set a password. Those differences can go a long way in deterring a cybercriminal from trying to breach a video meeting.
“Some of the problems with some of the software packages and platforms is that they’re being used because they’re free, but those free versions are not as secure,” said Jason Bernstein, a partner at Barnes & Thornburg.
In the wake of these issues, some organizations, such as the New York City Department of Education, have urged employees to stop using Zoom.
Zoom has frozen feature updates so it can focus on fixing some of these security risks within the next 90 days, Eric Yuan, the company’s founder, wrote in a blog post to users on April 1. The company shared an update on its progress last week, outlining new privacy and security enhancements to the platform. This includes a new security icon, which allows hosts to report users, and setting the waiting room as a default.
“Zoom takes user privacy, security and trust extremely seriously,” a Zoom spokesperson said via email. “Zoom was originally developed for enterprise use, and has been confidently selected for complete deployment by a large number of institutions globally, following security reviews of our user, network and data center layers.”
Peach State Federal Credit Union in Lawrenceville, Ga., was “mildly concerned” when management first heard about Zoom’s vulnerabilities since it uses the platform, said Stephanie Jackson, executive director of information technology. But Jackson said that the $516 million-asset CU still uses Zoom to communicate from its corporate office with its network of 26 branches.
Jackson admitted that there were security features that Peach State was not initially using, but it quickly enabled them, and the institution now takes precautions for Zoom meetings. For example, Peach State makes sure to password protect meetings, frequently changes passwords and uses automatically generated codes for each call.
Like Water and Power Community Credit Union, Peach State utilizes Zoom’s waiting room. It does not use Zoom to discuss sensitive member data.
Still, when it comes to discussing sensitive member information, Zoom is probably not the best choice for a credit union. Instead, a regular phone — rather than a videoconference — may still be the way to go for these discussions.
“A good old-fashioned phone call is pretty safe,” said Lance Noggle, senior counsel for payments and cybersecurity at the Credit Union National Association. “If security is your utmost concern, don’t use something that might not be as secure or might be trickier to set up properly if you don’t have to.”