Banks grow wary of Zoom meetings
By pushing business meetings out of conference rooms and into the virtual world, the coronavirus pandemic has given bank security teams one more thing to worry about: the threat of so-called Zoombombings and other types of online intrusions.
The videoconferencing service Zoom has surged in popularity amid the public health crisis. The company said Thursday that it has 300 million users, up from 10 million in December. And the rate of Zoom installations on Windows devices in financial services grew 92.94% over the past four weeks, according to Forescout Research Labs.
Yet Standard Chartered Bank has reportedly banned employees from using Zoom videoconferencing because of security concerns, and survey data suggests other banks are starting to scale back or stop using the service.
“When in-person meetings are virtually impossible, video calls are the only channel for meetings, interviews and companywide announcements within organizations,” said Kyum Kim, co-founder of Blind, an online community of 3.5 million technology and financial services professionals. “Security vulnerabilities in conference calls raise concerns because often, if not always, confidential and private information about the company, employees and candidates are shared through these meetings.”
In a recent poll conducted by Blind, 28% of financial employees said they were worried their information may have been compromised through a videoconferencing tool. About 12% said they have stopped using the popular Zoom tool, and 10% said they have decreased use of it over hacking concerns.
Card company employees seem to be especially worried: 56.6% of Visa employees said they have completely stopped using Zoom, as did 55.6% of American Express staff.
More than a third of Goldman Sachs employees who took the survey said they fear data compromise with the use of Zoom, as did 27.8% of JPMorgan Chase staff and 20.7% of Capital One workers.
Several banks have experienced Zoombombings in which hackers have broken into a meeting and shown porn or flashed themselves.
“That has happened quite a few times, and we're collecting lots of stories on that,” said Steve Hunt, senior analyst at Aite Group.
There is no profit motive — they do it “to get their jollies,” he said.
These kinds of Zoombombings are not necessarily targeting banks. Sometimes people just type a random string of numbers into a zoom.us URL and get into an active meeting, Hunt said.
A Google search for URLs that include "Zoom.us" can turn up the unprotected links of meetings that anyone can jump into.
“It's hit or miss, but if you stumble into a meeting, you might not have any idea of whose the meeting is, but you can still have a little fun,” Hunt said.
Another way hackers could break into meetings is by buying Zoom account credentials on the dark web. Security researchers have found about 500,000 sets of Zoom usernames and passwords. Some belong to users in financial services and are for sale, with some of those priced at less than 1 cent each.
What are the risks?
Cybercriminals who find their way into an executive or board meeting could obtain sensitive information, which could be a serious threat to banks.
“I can imagine some bad guys targeting that,” Hunt said. “But it takes some luck and skill to pull that off.”
The cybercriminals would have to obtain some knowledge of scheduled meetings, perhaps by breaking through with a spearphishing campaign first.
In late March, security researchers reported vulnerabilities in Zoom that hackers could use to take over a Mac user’s camera and microphone. However, Zoom quickly issued patches for this problem, and Macs are not commonly used in financial services.
Zoom also routes traffic through Chinese servers to maintain resilience, according to Forescout, a practice antithetical to banks' risk management policies. According to a Zoom spokesperson, mainland China datacenters no longer function as secondary backup bridges for users outside of China.
Another issue with videoconferencing tools is that they tend to use weak encryption, according to David Gurle, founder of Symphony, a provider of videoconferencing software that, according to the company, uses stronger encryption and is used by 123 banks, mostly on Wall Street. Symphony’s main product, instant messaging, is used by more than 300 banks.
Zoom did not respond to a request for an interview. In a press release on Wednesday, the company said it is upgrading to a stronger, 256-bit encryption standard to protect meeting data in transit and provide resistance against tampering. This will be enabled on May 30.
A spokesperson said the company is issuing product updates, providing resources to educate users on how to secure their meetings and conducting a review with third-party experts and users. Zoom says it is also shifting all engineering resources to focus on trust, safety and privacy as well as launching a council of chief information security officers to discuss best practices.
“Major financial institutions around the globe are continuing to use Zoom to keep their trading operations running and to continue their important work with their clients and colleagues on a daily basis,” the spokesperson said.
Are the fears overblown?
Hunt says the concerns around videoconferencing security have been overblown.
“Companies are blacklisting Zoom, but not for the right reasons,” Hunt said. “I think it's paranoia.”
Zoom meeting security can easily be improved by using the software’s basic security settings, for instance by setting passwords for meetings and blocking people who have been kicked out of a meeting from coming back in, Hunt said.
One way to keep uninvited guests from joining Zoom (or Cisco Webex or BlueJeans) meetings is to authenticate users.
“Putting strong authentication on an online meeting is not rocket science,” Hunt said. “I imagine Zoom will soon offer an app for two-factor authentication.”
The company may have made a few missteps in the early days of the pandemic, but this is understandable, he said.
“Zoom was a niche application just a few months ago,” Hunt said. “It was something kind of cute and nice that we use to make our lives a little better. It was never designed for 200 million concurrent users. And to see a company go through a huge spike in popularity is generally a good thing. The fact that while doing so, it has a little trouble catching up from a security and privacy point of view is completely normal.”