Was TeamViewer Hacked or Were Its Users? It Doesn’t Matter

Stop trusting users

This picture taken on April 22, 2016, shows a general view of the Fort Boyard, off the western coast of France, near La Rochelle. A new access platform to the Fort Boyard was inaugurated on Friday. The Charente-Maritime county council, owner of the site, invested around 2 million euros in this work, routed from the Netherlands where it was built by the Ravestein company. / AFP / XAVIER LEOTY
New fortifications are needed on digital fortresses.

Word came out this weekend that a few of Mark Zuckerberg’s social media accounts were accessed by strangers, so arguably the world’s most successful tech entrepreneur gets lazy about security sometimes. He’s not alone. In SplashData’s fifth annual list of the most frequently used passwords from the year’s cyber security leaks, astoundingly bad passwords like “123456” and “password” continue to top the list.

Passwords provide poor security because people use them wrong, but the tech industry has known that for so long that it’s become irresponsible not to address it directly. Tech companies that get access to extremely sensitive information or resources should take responsibility for their users and require more robust security by default. It’s overdue.

This point was driven home especially well by the recent flap among users of TeamViewer, a service that has offered collaboration services and remote access to PCs since 2005. Its customers have been taking to Reddit to report that their computers have been remotely accessed and then used to make purchases under their accounts. A couple of TeamViewer users shared evidence of such hacks with the Observer directly. TeamViewer blamed its users for the breaches.

On the company’s blog last week, it posted the following in a statement:

Some online media outlets falsely linked the incident with past claims by users that their accounts have been hacked and theories about would-be security breaches at TeamViewer. …

Careless use of account credentials remains to be a key problem for all internet services. This particularly includes the use of the same password across multiple user accounts with various internet services.

In other words, the company has argued TeamViewer itself wasn’t hacked. It was the users that got hacked because malicious actors got hold of their passwords (probably from other companies that did get hacked). Yet, on Friday, TeamViewer implemented more robust security practices, including a forced password reset if a user’s account exhibits unusual behavior (such as a log-in from a strange location) and a system to verify new devices accessing the TeamViewer service.

SEE ALSO: Privacy Conscious Jennifer Lawrence

Here’s a plausible explanation of how a TeamViewer exploit could have worked (prior to the new features):

In the last year, millions and millions of passwords from prominent sites like LinkedIn have gone up for sale on the dark web (check to see if your your account has been exposed). Most likely, malicious hackers guessed correctly that many of those users used the same password on TeamViewer as it did on a hacked service. If the hacker finds an account that used one of the released email and password combinations on TeamViewer, he or she could remotely take control of the user’s computer and start looking to see what else they could get access to.

Because many browsers, such as Chrome, store passwords for websites locally, a malicious actor could then go to sites with access to the user’s bank accounts, such as Amazon and PayPal, and see if the page auto-fills with the password. If it does, the pilfering can begin.

One TeamViewer user shared with the Observer screenshots showing a purchase of $200 in digital iTunes gift cards, for example (fortunately, in this case, the charges were reversed). It doesn’t really matter whether the user was careless at this point.

Currently owned by a private equity firm called Permira, TeamViewer launched three years before Chrome was first released, when Facebook was only a year old and MySpace was still the dominant social network.

In those days, asking users to take security seriously created undue friction and services weren’t so interconnected. It’s time for companies to start thinking about their users’ overall experience differently. Two-factor authentication is a widespread security solution where, after a user enters a password, they have to enter a second code that changes all the time (often it’s delivered via a text message).

There are so many breaches today that security design has become as important as security systems. It’s not enough to make increased security features available. Companies should drive users to them. At the very least, services like TeamViewer should enable two-factor authentication by default, requiring users to turn it off rather than tucking the option to turn it on somewhere in settings that few users ever look at.

TeamViewer’s new “Trusted Device” feature works like a lighter form of two-factor authentication. If a new piece of hardware is used to access the service, the user has to verify their identity by entering a code sent to their email on that first use. Of course, this may not help if it turns out the customer has a hacked password on their email account.

We know that passwords are not enough to keep important services safe anymore. If Mark Zuckerberg uses the same password across multiple services, it’s really not fair to blame users for unsafe security practices because we know that most people won’t be safe if a company leaves it up to them. Companies should make it harder to be lazy about security. If users trust a service like TeamViewer enough to give it access to all their personal files and documents stored on a personal computer, the company should do its customers the favor of not trusting them back.

It’s customary in a conversation like this one to open a chorus of victim blaming. If people get hacked for being stupid, then that’s their problem, right? The world is too interconnected for that attitude, though. Remember how the user above was able to reverse the charges after getting breached? That’s good for the individual, but doing so cost someone money. Multiply that by thousands, and the costs get passed on to all of us.

Internet users will keep using the same lousy passwords across multiple sites, and that’s why the TeamViewer case illustrates the need for companies to enable two-factor authentication by default on sensitive services. Posts like this one only get read by security enthusiasts, so services need to start shoving security features in users’ faces, because until they do most people won’t even know the features are there.

Was TeamViewer Hacked or Were Its Users? It Doesn’t Matter