
TeamViewer denies hack after PCs hijacked, PayPal accounts drained - TheGuyWhoCodes
http://www.theregister.co.uk/2016/06/01/teamviewer_mass_breach_report/
======
xenadu02
Here's the thing: it simply isn't possible that TeamViewer has done a thorough
security audit in such a short amount of time. That means their claims of "no
breach" are knee-jerk reactions, not truthful statements.

A company that has such a reaction is more likely to suffer a breach IMHO
because it demonstrates a lack of knowledge, care, or both. If they were
smarter they'd say they aren't aware of anything but have launched an
investigation and will report back when it is complete.

So I'm going to assume they have been hacked until someone proves otherwise.

~~~
Splines
RIP TeamViewer. Unless they are extremely explicit with what happened and how
it won't happen again, any user who hears about this is going to lose all
trust in TeamViewer.

~~~
nikanj
Except if what happened was password reuse

~~~
thejosh
It wasn't, people even had 2FA.

------
lazzlazzlazz
I got hit by this. I had an incredibly long, TeamViewer-specific password, and
a family member happened to witness (what was likely a bot) incredibly quickly
open Chrome, go to Paypal, login using saved credentials, check the settings
page, and then pay an invoice that had been generated moments after viewing
the settings page.

TeamViewer has definitely been compromised, and reddit.com/r/teamviewer is
replete with reports.

~~~
cpncrunch
Why did you let Chrome save your paypal password? Doesn't that guarantee that
anyone can empty your paypal account if they steal your computer?

~~~
ryanl0l
Why would you care? You can call in and reverse the payment in minutes.

~~~
cpncrunch
Yes, I just had a look at paypal's user agreement, and this does seem to be
the case. That begs the question - why are the hackers even bothering to do
this, if all their transactions will be cancelled? Are they hoping that a
small % of their victims won't notice the fraudulent transactions?

~~~
ryanl0l
Most PayPal fraud, like credit card fraud, happens at a very small scale. A
fraudster pays $50 for 50 accounts and then spends a day with them and maybe
walks out with $300.

The guy selling the accounts sells hundreds of thousands of them, and
obviously doesn't get involved in the fraud itself.

This is why this whole thing is so strange, there's a bunch of people claiming
that someone hacked teamviewer and is now using that access for petty paypal
fraud instead of targeting the tens (if not hundreds) of thousands of PoS
systems teamviewer is used to manage.

>Are they hoping that a small % of their victims won't notice the fraudulent
transactions?

No, they certainly don't care if the payments get charged back or not. If they
try to send money to their own account, it'll be suspended before they can
actually withdraw it out of PayPal.

Instead in this case they seem to be trying to buy iTunes gift cards,
undoubtedly with the intent to sell them (on sites such as g2a.com) before
they get cancelled.

~~~
lsaferite
Perhaps targeting a PoS system involves the Secret Service?

~~~
ryanlol
If you're doing this then you probably aren't too worried about the secret
service.

------
cs702
Shame on TeamViewer for not coming clean. I doubt they will survive the
reputational damage.

The hacking itself should not be surprising. Roughly 99.99% of human beings --
including the vast majority of software developers -- have NO IDEA how to
secure a computing device, let alone one that can be accessed remotely by
regular people. It's kind of incredible that this type of attack doesn't
happen more frequently.

The post-mortem should be quite interesting.

~~~
ProAm
There is still no real proof they got hacked either. Too early to assume this.
Could be just people trying user IDs and passwords from one of the recent
breaches.

~~~
cpncrunch
That wouldn't explain people who used teamviewer-specific passwords (see
comments here, for example).

------
fencepost
I haven't had time to follow this as much today (after spending last night
either uninstalling TeamViewer or remotely disabling the TeamViewer service on
a bunch of systems), but what I was reading yesterday seemed like everyone hit
was using a registered account instead of just direct connections using codes.
That makes me think that perhaps something's compromised some of their account
information (manageable through the website, etc.) rather than the remote
control infrastructure itself.

------
galadran
From looking at the Reddit "master thread", everybody reporting they were
hacked reports 2FA disabled. Everybody reporting no hack reports 2FA enabled.

Sounds like reused passwords!

~~~
jessaustin
TFA has 2FA hacks:

_"They remote connected in at 5AM MT, went into my Chrome and used my PayPal
to buy about $3k worth of gift cards. And yes, I had two-factor
authentication."_

~~~
colemickens
How could that even be possible? Short of PayPal having a hole in their 2FA
implementation, it's very difficult for me to imagine how this could happen.

I mean, unless the hackers logged in, left the 2FA prompt up and then a user
completed the 2FA exchange, but that would be a foolish thing to do anyway...

edit: thanks for the answers; makes sense!

~~~
hackuser
> thanks for the answers; makes sense!

How is it easier to break Teamviewer's 2FA implementation than PayPal's?

~~~
colemickens
Yeah, sorry, that was confusing. I don't really agree with the comments saying
that the comment was referring to TV's 2FA. I agree with fapjacks/ryanlol's
comments.

I (think I) now understand why "and my PayPal has 2FA enabled" points to TV
being compromised -- If the PayPal account has 2FA active, and they were still
"hacked", then it points to an existing session being hijacked. And a probable
cause of that would be a compromised TV session.

So it's not necessarily an indication that TV's 2FA was compromised, but
rather that TV was compromised in general, allowing the hacker to hijack TV
sessions. (I'm imagining that the TV 2FA happens on their central server, and
not on the actual server daemon running on the target remote machine... so if
the central server was compromised...)

edit: Obviously this is entirely speculative, I don't know any of what's going
down, but it resolves my initial curiosity.

------
Elrac
A couple of years ago I was looking for a remote control app to
remote-multibox a couple of PCs for some online game.

I found it a bit odd that every search (including for competing products)
brought me to TeamViewer, that all the formerly available alternatives (like
*VNC) were defunct or pay-only, and that TeamViewer was not just free but
rather aggressively offered. Call me paranoid, but I thought "someone wants to
make sure there's a TeamViewer on every box in the world, and is willing to
pay for slick, aggressive marketing and to eat the costs of product
development and marketing to see to it."

My (otherwise completely unfounded) guess was that a major intelligence
agency, maybe the NSA, was behind all that. I used TV for a few days but
ditched it at my earliest opportunity. It just felt too creepy for me to trust
it.

So now, maybe, I was right for the wrong reasons. Or not. (shrug)

~~~
nikanj
"someone wants to make sure there's a TeamViewer on every box in the world,
and is willing to pay for slick, aggressive marketing and to eat the costs of
product development and marketing to see to it."

That would be the teamviewer company. Surprisingly often companies want their
product on every desktop, and are willing to eat the marketing and development
costs to make it happen.

------
tlrobinson
It seems kind of insane to me to trust any 3rd party with full access to your
machine.

~~~
ocdtrekkie
Really, everyone with any software with administrative rights that has an
auto-update feature does it. These days, that's... Windows, Chrome, dozens of
other applications with a huge market share.

At least with TeamViewer, it is manual update only, and remote users only have
the same permissions and visibility as a desktop user. When you access a
locked Windows PC over TeamViewer, you get the Windows login screen. You only
have the level of permissions your computer is allowing the user you log in
as.

If you lock your PC when you aren't at it, and your password is decent, you
haven't a huge security problem with TeamViewer. Arguably, less of one than
many other pieces of software that can make administrative-level changes to
your PC without your knowledge or permission.

------
LeoPanthera
Alternatives to TeamViewer?

~~~
nonane
Check out Jump Desktop: [https://jumpdesktop.com](https://jumpdesktop.com). It
has a zero setup client that you can install - no need to port forward etc,
works across firewalls and easy enough for your parents to install. It's
secure - we use WebRTC underneath the covers (connections are encrypted
end-to-end). It has iOS, Android, Mac and PC clients. We're also beta testing a
free PC to PC+Mac version here:
[https://support.jumpdesktop.com/entries/109741706-Jump-Deskt...](https://support.jumpdesktop.com/entries/109741706-Jump-Desktop-Connect-5-0-Beta-with-support-for-Mac-Fluid)

If you have any questions about security feel free to ask.

~~~
hackuser
How do I know that you can't access the host or client computers?

~~~
nonane
We've tried to make sure the host and clients don't completely trust our cloud
servers. For example the "Jump Desktop Connect" app on the host always
requires credentials for a valid local account on the computer before it
allows incoming connections through. It won't let accounts with blank
passwords through. Also the credential transfer always happens over an
end-to-end encrypted connection between the two devices - which means our cloud
servers don't get to see or have access to your local computer's creds. This
way, if someone gets a hold of your Jump Desktop account, they won't be able
to get through unless they also know your local computer's creds.

Another way we protect hosts is by not allowing random hosts and clients to
communicate with each other unless you've given explicit permission to each
host/client. This means that Bob can't load up the Jump Desktop client and try
to randomly brute force Alice's local account password by trying to connect
repeatedly. The cloud server will drop Bob's connection requests to Alice
unless Alice has explicitly given Bob permission to connect.

The above applies to our zero setup app, Jump Desktop Connect. Jump Desktop is
also a full blown RDP and VNC client (with SSH support) - so you don't really
have to use the Jump Desktop Connect app if you don't want to. You can use
traditional RDP / VNC-over-SSH to establish secure connections as well.

~~~
swozey
Do you have a system to block, mitigate or monitor for "strange" IP blocks
accessing systems they've never accessed before? It's a great idea if not. We
have, unfortunately, had to do this in webhosting/billing for a long time due
to the amount of fraud from specific blocks.

Not as dynamic, but for instance LastPass will allow you to blacklist or
whitelist entire country IP blocks. A system that also monitors (on your end,
or maybe alerts the customer) that their machine in Kansas all of a sudden has
multiple IPs from China/whatever accessing it (on your end seeing this
globally through the network as well) would be great to mitigate events like
this. If you go on vacation, you can remove the block.

So far every report I've seen has been Guangzhao/Yangzhao in the access
reports. Could easily, easily nip that in the bud. Obviously other proxies
could be used but something like a remote access system is something people
should be locking down tightly.
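The kind of monitoring swozey describes, written out as an added example that is not from this thread or from any product mentioned in it: a per-host baseline of the countries a machine is normally reached from, run over constructed remote-access log lines in a hypothetical format, with a travel allowlist for the vacation case and a country-level blocklist like the LastPass one.

```python
import re
from collections import defaultdict

# Constructed sample access log (hypothetical format, not any real product's):
# one line per remote session, source IP already resolved to a country code.
SAMPLE_LOG = """\
2016-05-30T08:12:01Z host=kansas-pc src=198.51.100.23 country=US
2016-05-30T19:44:10Z host=kansas-pc src=198.51.100.23 country=US
2016-05-31T03:05:44Z host=kansas-pc src=203.0.113.77 country=CN
2016-05-31T03:07:12Z host=kansas-pc src=203.0.113.91 country=CN
2016-05-31T10:00:00Z host=office-mac src=192.0.2.10 country=DE
2016-05-31T10:02:00Z host=office-mac src=192.0.2.11 country=DE
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) src=(?P<ip>\S+) country=(?P<cc>[A-Z]{2})$")

def parse_log(text):
    """One dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect_anomalies(events, blocklist=frozenset(), travel=None):
    """Per host, learn the countries it is normally reached from and alert on
    access from any other one. The baseline grows only from accesses that did
    not alert, so a burst from a new country keeps alerting until an operator
    adds it to `travel` (the vacation exception). `blocklist` always alerts."""
    travel = travel or {}
    seen = defaultdict(set)
    alerts = []
    for ev in events:
        host, cc = ev["host"], ev["cc"]
        if cc in blocklist:
            alerts.append(("block", host, ev["ip"], cc, ev["ts"]))
        elif seen[host] and cc not in seen[host] and cc not in travel.get(host, ()):
            alerts.append(("new-country", host, ev["ip"], cc, ev["ts"]))
        else:
            seen[host].add(cc)  # normal access: extend the baseline
    return alerts

def summarize(alerts):
    """host -> country -> sorted source IPs: the view that shows several IPs
    from one unexpected country hitting a single machine."""
    out = defaultdict(lambda: defaultdict(set))
    for _kind, host, ip, cc, _ts in alerts:
        out[host][cc].add(ip)
    return {h: {c: sorted(ips) for c, ips in d.items()} for h, d in out.items()}
```

In a real deployment the baseline would be seeded from weeks of history rather than the first line seen, and the alert would go to both the operator and the customer.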

------
jason_slack
and of course, nothing on their blog or main website about this.

Instead they want us to focus on a work/life balance:
[http://imgur.com/Ujd8ZwA](http://imgur.com/Ujd8ZwA)

------
tomc1985
"Little pig, little Pig, let me come in."

"No, no, not by the hair on my chinny chin chin."

"Then I'll huff, and I'll puff, and I'll blow your house in."

~~~
tomc1985
Seriously, downvotes?

If one builds their house out of a foundation of sticks, what do they expect
to happen?

------
hackney
Is it that TV got hacked because passwords were compromised and reused? I fail
to see security in an app that uses unknown servers to connect to a personal
setup. Somehow I think TV did get hacked and they just don't want to be honest
about it. ?? I've used nomachine with good results from my lan but have never
used it outside that.

------
ocdtrekkie
I honestly feel that as much of a fan of TeamViewer I was in the past, it
should be considered harmful and filtered out by ISPs and flagged by AV.

- TeamViewer has been the primary medium for tech support scams that lock
people out of their own PCs for years now. Despite a usage pattern that should
be easy to detect, they've seemingly done nothing effective to curb this.

- TeamViewer is blaming insecure configuration, which is probably mostly
true, but TeamViewer has refused to do much to encourage or ensure security
practices are upheld. (Random six character passwords on by default?)

- TeamViewer has clearly failed to police large scale attempts to test
credentials against their server, if they're using password dumps to find
people using the same password elsewhere, as many people on Reddit confirmed
was likely the case for them.

I strongly suspect the majority of free service TeamViewer usage is currently
malicious. I know very few people who HAVEN'T been reached by a malicious
party which uses TeamViewer as a communication medium.

I've personally called and asked TeamViewer to consider shuttering their free
service to control malicious use. They could introduce an affordable personal
use paid tier instead, which would make them a lot of money, and mitigate most
abuse cases.

~~~
Shivetya
In the Windows world, 10 specifically, is there a way to blacklist the sites
so regardless of browser my parents cannot get to this kind of software?

~~~
ocdtrekkie
Unfortunately, one of TeamViewer's best features is how easily it works
without firewall configuration. Often you can use it in schools and corporate
environments. It is likely at least a little irritating to successfully block.

I found this (older) link, which seems to provide an IP range to block, and of
course, suggests blocking TeamViewer DNS entries. But I'm not sure how good a
block you'll manage on a Windows PC as opposed to a network device of some
flavor.

[http://mediarealm.com.au/articles/2014/10/block-teamviewer-n...](http://mediarealm.com.au/articles/2014/10/block-teamviewer-network/)

The easiest way to restrict the damage your parents can do to themselves is to
make a separate admin user, and make them not an admin. Of course, then you
volunteer yourself to install stuff for them too.

