It's been a year since many of us said goodbye to our offices and started working from home, and for a lot of us, this was our first experience of working remotely, so it took some time to get used to this new normal.
During this time, Zoom has become more than a descriptive word; it has become integral to the way we work and stay connected. I am, of course, referring to Zoom, the video communication software. At some point or another, we have used Zoom to host or join a meeting with a colleague, client, friend, or family member.
Thanks to the pandemic, Zoom added more users in the first quarter of 2020 than it did during the whole of 2019. Zoom took off over other platforms like Microsoft Teams and Google Meet due to its easy setup, usability, and free meetings for up to 100 people. However, its rapid and unexpected growth led to an increased focus on the company’s security practices and privacy promises. So, one year on, is Zoom finally safe to use? Read on to find out.
What are our main security concerns regarding Zoom?
Before we come to a conclusion on whether Zoom is safe or not, let’s take a look at some of the biggest security and privacy concerns around the platform.
Zoom phishing scams
At the end of last year, the Better Business Bureau warned Zoom users that scammers were trying to steal their usernames and passwords via phishing emails and text messages.
The messages, designed to cause panic, warned that "your Zoom account has been suspended" or that "you missed a meeting," and offered a helpful link to log back in. Clicking the link took you to a fake login page designed to capture your Zoom user credentials, allowing hackers to use or steal your Zoom account. While we’re seeing fewer Zoom phishing campaigns like this, as long as Zoom remains popular, we won’t be free from these scams, so stay alert and think twice before clicking on any links.
At the start of the pandemic, when Zoom’s popularity grew, Zoom-bombing became the newest threat to anyone using the platform. In a move to combat these intruders, Zoom released two features:
- Suspend Participant Activities: lets the meeting host pause the meeting, kick out disruptive participants, and then resume the meeting.
- Report by Participants: extends to meeting participants the ability to report disruptive participants, a solution that previously had been given only to meeting hosts.
While these features don’t stop Zoom-bombs from happening, they do enable hosts to swiftly get rid of unwanted meeting attendees.
False end-to-end encryption claim
Zoom landed itself in hot water last spring when it was discovered that its end-to-end encryption (E2EE) wasn’t what it said on the tin. Instead of calls being encrypted end to end between participants, the data was only encrypted between each meeting participant and Zoom’s servers – meaning it wasn’t truly end-to-end encrypted.
In May last year, Zoom finally announced its plans to build an actual E2EE meeting option into its platform, in four phases. The first phase was rolled out in October; however, enabling E2EE in your meetings disabled certain features, including join before host, cloud recording, streaming, live transcription, Breakout Rooms, polling, 1:1 private chat*, and meeting reactions*.
*Note: As of version 5.5.0 for desktop, mobile and Zoom Rooms, these features are supported in E2EE meetings.
So, while Zoom has begun to roll out its E2EE service, it's not in full swing just yet. There is no public roadmap for Zoom’s E2EE journey; however, the company has stated that they “plan to roll out better identity management and E2EE SSO integration as part of Phase 2, which is tentatively road mapped for 2021.” You can read more about Zoom’s plans here.
Endless security flaws
Zoom has a long list of security flaws. Many of them have now been fixed, but this raises the question of how many more undiscovered vulnerabilities are still available for hackers to exploit.
Can Zoom be trusted?
Zoom is far from being the only video conferencing app with security issues. Services such as Google Meet, Microsoft Teams, and Webex have all received flak from security experts over privacy concerns. However, Zoom has been involved in multiple lawsuits over the last year. In 2018, Zoom secretly installed a web server on Macs that let websites spy on users and re-installed the Zoom meeting software even after the user had deleted the program. And it told customers that recorded meetings stored on Zoom servers would immediately be encrypted, which wasn't always true.
Most recently, the Federal Trade Commission announced that Zoom "misled users" and "engaged in a series of deceptive and unfair practices" regarding its own security.
The decision, issued by U.S. District Court Judge Lucy Koh in San Jose, comes in a potential class-action lawsuit that includes claims related to “zoombombing,” encryption practices and data-sharing with Facebook and other outside companies.
It was agreed that Zoom would have yearly internal security reviews and external security reviews every other year and must implement a vulnerability management program. Another stipulation was that Zoom offer customers multi-factor authentication, which it has already implemented. "Zoom is also prohibited from making misrepresentations about its privacy and security practices," the FTC said. Certainly, a big step in the right direction.
Is Zoom safe to use yet?
Despite Zoom’s checkered past, it boils down to what you are using the platform for and how you use it. For example, Zoom isn’t the place to discuss confidential government, corporate, or patient information.
But for social get-togethers and workplace meetings (that stick to routine business), Zoom is safe enough. Of course, there are a few security best practices to follow when using the platform to keep you extra secure.
Zoom security best practices
Back in April last year, I wrote an article about how to stay safe on Zoom that included tips on how to set up your account and how to schedule, share and host your meetings safely. Since then, Zoom has faced more criticism over its security, so what else can you do to keep your business safe?
Safeguard your account
Treat Zoom like any other account and apply the basics to protect it. Never use the same password twice: if Zoom were to suffer a breach, that password could be used to try to access other corporate accounts. Be sure to use a strong and unique password; if you have a password manager, it should generate one for you. Add another layer of protection with two-factor authentication – this requires you to enter a special code sent via text, email or app when logging in, to prove it’s you.
After you register, you’ll get a Personal Meeting ID (PMI), and it’s best to avoid making it public. Because Zoom offers an option to create public meetings with your Personal Meeting ID, it’s quite easy to leak that ID. If you do, anyone who knows your PMI can join any meeting you host, so share this information wisely.
Learn to identify fake emails
As mentioned above, Zoom phishing campaigns are a popular way for bad actors to steal your account details.
There are some common red flags to look out for when it comes to phishing emails, such as bad grammar, misspelt words, urgent calls to action, discounts, or fonts, logos, and colours that don’t match the brand. Check out our blog on “How to Spot a Phishing email” for more details.
Another scam to be on the lookout for is unexpected Zoom meeting links. Whether the link comes from someone you know or from an account you’re not familiar with, don’t click on it. Use the tips above to determine whether the email is legit. If in doubt, get in touch with your IT department for advice.
Protect your meetings with a password
Setting a unique and strong password for each meeting remains the best way of ensuring that only the people you want in your meeting can attend. Last year, Zoom made the sensible move to turn password protection on by default. But just to be clear, your Zoom account password and meeting password are not the same – they are two different passwords.
Remember, we’re trying to keep the baddies out - never share your meeting links, meeting ID, or your meeting passwords via social media or any other public channels. You should also avoid reusing meeting passwords.
Join Zoom meetings through your web browser
While you may find that the quality of your video call is better on the app, the web browser version gets security enhancements much faster.
And aside from the updates, the web version is still more secure. That's because it lives in a browser's sandbox, meaning it has far fewer permissions and a reduced ability to cause issues across your entire operating system.
When you click a link to join a meeting, your browser will open a new tab and prompt you to use or install the Zoom desktop software. But in the fine print, there's a link to "join from your browser." Click that instead.
So, there you have it; providing you take the right preventative measures and only use Zoom where it is appropriate, you should be okay.
Netitude has been delivering secure, reliable and productive IT for business growth, since 2001. If your business needs advice, additional IT support or business technology solutions, get in touch with one of our experts today, we're always happy to help!