Experts warn against vulnerabilities of apps, videoconferencing platforms

Updated 12 April 2020

RIYADH: Cyber experts are warning of the potential threats that come with online applications and video conferencing platforms as their use skyrockets during the coronavirus disease (COVID-19) lockdown.
Videoconference platform Zoom has gained much fame in recent weeks. Users of the platform can invite multiple people to a single call, making the app popular among families, workers and celebrities alike. In a blog posted to the application’s website on April 1, the company announced that it had reached 200 million users in March, compared to just 10 million in December 2019.
A string of targeted attacks by hackers and trolls, however, revealed that the application was not end-to-end encrypted, leaving users vulnerable to a phenomenon called “Zoom-bombing” while on video calls. Zoom-bombing involves a perpetrator or unsolicited participant abusing Zoom’s default screen-sharing settings to take over meetings and post racist or pornographic material or otherwise harass users during a video conferencing session.
Zoom has published guidelines to protect against this, advising hosts to set up password-protected meetings and to enable the waiting room option so that participants are admitted individually.
On April 8, Zoom CEO Eric Yuan apologized to users in a YouTube livestream for a string of security lapses that have hit the app in recent weeks, pledging to take the breaches seriously.
The Information Security Department of the Saudi Arabian Monetary Authority has warned against the app, saying: “The use of a remote meeting application known as Zoom has spread recently, and there are several associated security vulnerabilities that could lead to meetings being spied on and sensitive information, such as passwords, being leaked. We warn against using this application.”
Muhammad Khurram Khan, professor of cybersecurity at King Saud University, told Arab News: “In the current lockdown, working, learning and socializing from home has led to a significant spike in the use of online applications and video conferencing platforms including Zoom, WebEx, Skype, Google Hangouts and Microsoft Teams.
“Some popular videoconferencing and distance learning applications have added millions of users overnight, causing their share price in the stock market to soar.”
Khan, who is also founder and CEO of the Washington-based Global Foundation for Cyber Studies and Research, believes Zoom’s popularity is due to its user-friendly features.
Khan further said: “Cybercriminals have exploited this increased popularity, registering over 3,300 Zoom-related website domains to hack or phish users. These websites contain malicious and impersonated Zoom applications, which could harm smartphones and computing devices by stealing sensitive data and conducting ransomware attacks.
“Over 300 compromised Zoom accounts are available on the dark web, which include each account’s connected email address, password, meeting ID, host key, and hostname.”
Zoom also has its inherent security and privacy vulnerabilities, which have sparked a vigorous debate in the cybersecurity community and global media.
“Zoom has been found using a nonstandard type of encryption to encrypt video, audio and text during online conferencing sessions,” Khan said.
“It is highly recommended for government agencies, journalists, businessmen, ministers, and officials working on sensitive projects to consider only those applications that have strong security and privacy features for video conferencing sessions,” Khan said.

Khan also recommended that normal users wishing to communicate with family, friends or colleagues likewise take precautionary measures in choosing video conferencing applications.
The National Cybersecurity Authority has issued recommendations on how to protect remote meetings using Zoom, such as not using personal meeting IDs for public meetings, using strong passwords for all organized meetings, and locking meeting sessions once all participants are logged on.


Fraudsters up their game, posing as bank officials on the phone in Saudi Arabia

Updated 18 January 2021

  • The Saudi Central Bank has warned bank customers, both citizens and expatriates, not to fall victim to financial frauds being perpetrated by scammers

JEDDAH: Fraudsters have developed a new scam, contacting residents in Saudi Arabia and pretending to be bank staffers requesting customer details.
A number of Arab News staff have received such calls in recent weeks. One caller spoke Urdu while two other callers posing as senior officials from the headquarters of the bank spoke in English and Arabic with a local accent.
They used phone numbers that appeared to be local, but when the recipients called back, the lines failed to connect.
The racketeers collect phone numbers of customers and ring them up, saying that their bank account or ATM card requires immediate updating. The scammers use the information provided to gain access to their bank accounts.
Speaking to Arab News, Talat Zaki Hafiz, secretary-general of the Media and Banking Awareness Committee of Saudi banks, said: “Saudi banks represented by the Media and Banking Awareness Committee have repeatedly warned bank customers not to react to stray phone calls of any kind coming from unknown sources that ask to update their banking record or personal information.” He further confirmed that banks do not request such information through phone calls or SMS messages.
Mohammed Khurram Khan, a professor of cybersecurity at the King Saud University in Riyadh, told Arab News: “Phishing, an online scam which targets users through emails where individuals are encouraged to click on a link that takes them to fraudulent sites, was troubling people. Now it’s a different kind of scam known as ‘vishing,’ over-the-phone phishing, where scammers persuade users to share their banking information by impersonating a bank official.”

Vishing that occurs during a telephone call aims to provoke fear in the victim so that customers will be more susceptible to giving out personal, financial, or security details.
Sharing his experience, Zafar Hasan, an e-learning consultant in Riyadh, said: “I received a call from someone on an unknown mobile number who introduced himself as a bank employee and told me that my ATM card was going to be blocked. It required an immediate update so I should give my Iqama number (residence permit number) and sixteen-digit ATM card number. I felt something was fishy, so I told him that I would go personally to the bank to update the card.”
The Saudi Central Bank (SAMA) has warned bank customers, both citizens and expatriates, not to fall victim to financial frauds being perpetrated by scammers.
SAMA called on bank customers to take information only from the official channels of the bodies regulating the Kingdom’s financial and investment sectors and inform the competent security authorities about such fraudulent attempts.