Secure Your Remote Work: Don't Let Web Conferencing Steal Your Passwords

International System Research Co., Ltd.

May 14, 2020

Measures against the rampant global spread of COVID-19 include "masks," "handwashing," and "disinfection." Yet, with the ongoing risk of infection, people are refraining from going out, and work is being done remotely as much as possible.

With the spread of remote work, the need for smooth communication tools arose, leading many companies to adopt convenient web conferencing and chat tools.

However, are you maintaining the same security level even after introducing new tools? Are you taking measures against threats in remote work?

If your company is still relying on "password-only" authentication for threat protection, it's unlikely to be sufficient.

What are the Threats Exploiting the Expansion of Remote Work?

The threat is "phishing scams."

According to the Anti-Phishing Council, there were 11,645 reports in April 2020, an increase of 1,974 from January, before phishing scams expanded. Criminals appear to be targeting popular online shopping services, whose usage has increased due to COVID-19, using phishing emails and SMS to lure users to fraudulent sites and steal account information such as user IDs and passwords, as well as sensitive personal information such as credit card numbers.

Similarly, phishing scams are occurring with services whose usage has also increased due to remote work. The most widely adopted IT tool since the start of work-from-home is Skype.

A new phishing scam targeting Skype users has been discovered. The email, designed to look exactly like a legitimate notification, states "You have pending notifications." Clicking the "Reference" button redirects the user to a phishing site disguised as a Skype login page, which prompts for their password.

The problematic email, at first glance, appears to be sent from a legitimate address. Furthermore, the login screen displays the recipient's company logo, and the bottom of the screen even includes a seemingly plausible warning disclaimer.

Even if thorough employee training is in place, such as not opening suspicious sites or emails, do individual employees possess the skills to detect such sophisticated schemes?
Your employees' "passwords" might be stolen without their knowledge.

Why Are Passwords a Threat?

"Password-only" authentication is nothing short of a threat.

A password is fundamentally "something only that person knows," used to verify if the accessing individual is indeed the legitimate user and to protect information. However, if that "verifying" password is hacked through a phishing scam, it becomes a dangerous keyword that anyone can use to impersonate another.

And another crucial point that makes passwords a threat is their reuse due to inconvenience.

When IT administrators make password requirements more complex out of security concerns, employees who use more and more services fall back on notes or memory, which makes their passwords even weaker, and they come to see passwords as a bothersome nuisance. In such a situation, it is easy to imagine everyone reusing the same password.

Indeed, in cybercrimes targeting Zoom, which became the second most adopted IT tool after Skype, over 500,000 passwords were leaked due to password reuse. The likely cause is that users reused passwords that had already been leaked from other sites for their newly introduced Zoom accounts.

Employees who "have their passwords stolen through phishing scams" or "are unknowingly reusing stolen passwords for new services" might already be present in your company.
Passwords were originally something only the individual should know. However, as passwords turn into a threat, it will be a daunting task for IT administrators to keep track of every employee's activities, especially with the sudden surge of remote work already causing chaos.

What Measures Can Be Taken?

"Make passwords complex and strong," "Change passwords regularly."
No, that's not it.
You just need to stop using "passwords" for authentication.

For example, two-step verification. As a way to protect against the aforementioned Skype phishing scam, you can perform 2-step verification for Microsoft accounts. Since two types of authentication methods—a password and a chosen contact method—are used, it becomes harder for other users to sign in, thereby strengthening security.

However, this 2-step verification carries two risks:
First, it does not reduce the burden on IT administrators, who still perform password resets for forgotten or incorrect passwords. Second, if the second authentication factor is an authentication app or a phone number and the mobile phone breaks down, replacing it can be difficult, so considerable time is spent changing settings and access to services is delayed.

This adds significant burden to both IT administrators, who are already overwhelmed with remote work tasks, and employees who are stressed by unfamiliar remote work conditions.

One solution that can address this problem is "passwordless" authentication.
This authentication method uses an ID and Windows Hello or a security key, among other options.

While offering the convenience of accessing various services with a single authentication, simply by touching or looking at the device, it also addresses hacking risks because it utilizes the FIDO2 mechanism, which doesn't share secrets with the server.
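
The property described above, that FIDO2 shares no secret with the server, shown as an added example that is not part of the original article or of ISR's products: a simplified Node.js model of a WebAuthn login in which the server stores only a public key and rejects a signature made on a look-alike origin or replayed against a new challenge. The function names and the example.com and example-login.test domains are assumptions made for the illustration.

```javascript
// Added illustration: a simplified model of a FIDO2/WebAuthn login, not a full implementation.
const nodeCrypto = require('node:crypto');
const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Registration: the key pair is made on the user's device; the server keeps only the public key.
function register() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { authenticator: { privateKey }, serverRecord: { publicKey } };
}

// Device side: the browser records the origin it is really on, and the authenticator
// signs authenticatorData || SHA-256(clientDataJSON). (A real authenticator scopes keys to
// the rpId and would not offer this key to another site; the model signs anyway.)
function signAssertion(authenticator, challenge, seenOrigin, rpId) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: seenOrigin }));
  const flagsAndCounter = Buffer.from([0x05, 0, 0, 0, 1]); // UP|UV flags, signCount = 1
  const authenticatorData = Buffer.concat([sha256(rpId), flagsAndCounter]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign('sha256', signed, authenticator.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Server side: check type, challenge, origin and rpId hash, then the signature.
function verifyAssertion(serverRecord, expected, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expected.challenge.toString('base64url')) return 'bad-challenge';
  if (client.origin !== expected.origin) return 'bad-origin';
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return 'bad-rpid';
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, serverRecord.publicKey, a.signature) ? 'ok' : 'bad-signature';
}

// Constructed scenario: example.com is the real service, example-login.test a look-alike page.
function demo() {
  const { authenticator, serverRecord } = register();
  const expected = { challenge: nodeCrypto.randomBytes(32), origin: 'https://example.com', rpId: 'example.com' };
  const genuine = signAssertion(authenticator, expected.challenge, expected.origin, expected.rpId);
  const phished = signAssertion(authenticator, expected.challenge,
    'https://example-login.test', 'example-login.test');
  const fresh = { ...expected, challenge: nodeCrypto.randomBytes(32) }; // next login attempt
  return {
    genuine: verifyAssertion(serverRecord, expected, genuine),   // 'ok'
    phished: verifyAssertion(serverRecord, expected, phished),   // 'bad-origin'
    replayed: verifyAssertion(serverRecord, fresh, genuine),     // 'bad-challenge'
  };
}
console.log(demo());
```

Unlike a password, nothing captured from the server record or from one login can be reused: the record is a public key, and each signature is bound to one challenge and one origin.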

In fact, we at ISR were able to smoothly implement remote work and build an environment that balances security and convenience through passwordless authentication. And now, not a single one of us wishes to revert to password-based authentication.

Leveraging this experience, we are currently receiving inquiries from customers across various industries and scales, and we are proceeding with support for each company to achieve both security and convenience.

Conclusion

This article discussed the problems with password-only authentication in web conferencing tools and presented solutions.
Remote work rapidly became widespread due to the COVID-19 pandemic.

We are able to conduct remote work thanks to various excellent services like web conferencing and chat tools. However, threats exploiting the expansion of these services are also becoming a reality. Convenience always has a lurking threat next to it.

It is said that COVID-19 will continue for at least another year, and with the demand for work-style reforms enacted last year, remote work will become the new normal. Therefore, instead of temporary measures, why not seize this opportunity to review basic rules and traditional authentication methods and thoroughly implement countermeasures?

Ensure secure access to the cloud with CloudGate UNO.