It’s Time for a Code of Conduct for Remote Access Tool Vendors

Delighting and Protecting Our Customers: Thoughts From Mark


Anyone with a cell phone or an email account is familiar with scam attempts. A caller or emailer pretending to be from some legitimate organization—maybe Social Security, Amazon.com, or a bank—will inform you of a problem with your account, or a refund owed to you, or something else that sounds like it requires your immediate attention.

Ever wonder how those ubiquitous phone or email scams work—and how people could possibly fall for them?

Here’s a video that gives some insight: https://youtu.be/VrKW58MS12g. It’s a bit more than 20 minutes long and involves glitter bombs, package deliveries, undercover surveillance, and lots of other twists and turns. If you don’t feel like watching the whole video, here’s the point that I want you to take from this: One of the keys to these scammers’ success is their use of AnyDesk remote access software.

Similarly, this New York Times Magazine article outlines the role that TeamViewer software played in a 2019 cyber scam on an elderly woman in Tennessee. And scams like this are big business. The NY Times article reports that the FBI’s Internet Crime Complaint Center puts scam victims’ total losses in 2019 at $3.5 billion, up from $1.4 billion in 2017.

These aren’t isolated cases in which remote access software has been implicated in a scam. In 2016, the so-called Surprise ransomware was found to have reached its first victims through TeamViewer remote access software. According to InfoSecurity magazine: “…the Surprise ransomware developer was able to co-opt the credentials of a TeamViewer user, and then used those credentials to gain access to other TeamViewer users and download the malware file via TeamViewer.”

Also from that same InfoSecurity article: “The attack vector is similar to the instances of remote access and control apps, including LogMeIn and JoinMe, being used by hackers to gain access to corporate networks to install the infamous Backoff malware, which steals point-of-sale data.”

Holding Remote Access Providers Accountable

It might be tempting to jump to the conclusion that the process of remote access itself is problematic. But as the CEO of a remote access software provider, I want to make it clear: While there’s no way to put an end to all possible cyber scams, responsible monitoring of remote access software trial users can successfully prevent many of them.

Here’s the problem. Several remote access tool vendors offer freemium products that let people download and start using their software without requiring any information from the users: No email address and no account creation are required to start using their products. Since nothing is ever collected from the downloaders, nothing is validated. As a result, these remote access vendors have become popular tools among scammers. Providing access to the software this way is simply socially irresponsible.

Ironically, these vendors are proudly sharing with investors that their software is being downloaded millions of times per month; however, a lot of these downloads are done by scammers, and their tools are being utilized to attack victims around the world.

Let’s Adopt a Code of Conduct Among Remote Access Vendors

The reason these remote access tools are popular with scammers is that the makers of the software have prioritized attracting as many users as possible to their products by offering instant downloads without asking any questions or validating any information. They have chosen not to take the needed care to protect people from scammers.

At Splashtop, we believe vendors of remote access tools have a social responsibility to do everything reasonable to prevent scammers from using our tools.

Adopting a ‘code of conduct’ for remote access vendors might start with:

  • Validating all users, even for free trials. If you have a house for sale, you don’t hand out house keys to every person who expresses interest in touring the house. So why do some remote access providers hand out free trials of their software based on only an anonymous request—without validating who is making that request? Remote access vendors need to require user registration, as well as validation of users’ email addresses and other credentials, before allowing usage of the tools—for free trials as well as for paid purchases.
  • Monitoring for potential platform abuses. Splashtop has long implemented methodologies for monitoring, identifying, and being alerted about potential scammers using our software products. For example, when our system detects a trial user is behaving abnormally, such as having many sessions connecting to computers across different countries or states, an alert is automatically generated. Behavior monitoring of trial users to help identify scammers should be standard practice in our industry.
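
The abnormal-behavior signal described in the second bullet can be sketched as a sliding-window check over session records. This is an added example, not Splashtop's code; the record layout, the 24-hour window, and the threshold of three locations are assumptions, and the session data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session records (not real data):
# (account, is_trial, session start in UTC, target country, target state/region)
SESSIONS = [
    ("trial-101", True, "2024-05-01T09:00", "US", "TN"),
    ("trial-101", True, "2024-05-01T09:40", "US", "FL"),
    ("trial-101", True, "2024-05-01T11:15", "CA", "ON"),
    ("trial-101", True, "2024-05-01T13:05", "GB", "ENG"),
    ("trial-101", True, "2024-05-01T15:30", "AU", "NSW"),
    ("trial-202", True, "2024-05-01T10:00", "US", "CA"),
    ("trial-202", True, "2024-05-01T18:00", "US", "CA"),
    ("trial-303", True, "2024-05-01T08:00", "US", "NY"),
    ("trial-303", True, "2024-05-03T08:00", "US", "NJ"),
    ("trial-303", True, "2024-05-05T08:00", "DE", "BE"),
    ("trial-303", True, "2024-05-07T08:00", "FR", "IDF"),
    ("paid-900", False, "2024-05-01T09:00", "US", "TX"),
    ("paid-900", False, "2024-05-01T09:30", "JP", "13"),
    ("paid-900", False, "2024-05-01T10:00", "BR", "SP"),
    ("paid-900", False, "2024-05-01T10:30", "IN", "MH"),
]

def flag_trial_accounts(sessions, window=timedelta(hours=24), max_locations=3):
    """Return {account: sorted locations} for trial accounts whose sessions
    reach more than max_locations distinct (country, region) pairs within any
    single sliding window. Both thresholds are assumed values."""
    by_account = defaultdict(list)
    for account, is_trial, start, country, region in sessions:
        if is_trial:  # the page describes monitoring trial users specifically
            by_account[account].append((datetime.fromisoformat(start), (country, region)))

    alerts = {}
    for account, events in by_account.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[right][0] - events[left][0] > window:
                left += 1
            locations = {loc for _, loc in events[left:right + 1]}
            if len(locations) > max_locations:
                alerts[account] = sorted(locations)
                break
    return alerts

if __name__ == "__main__":
    for account, locations in flag_trial_accounts(SESSIONS).items():
        print(f"ALERT {account}: {len(locations)} locations in 24h -> {locations}")
```

With the default window only `trial-101` is flagged; `trial-303` reaches as many locations but spread over a week, which is why the window length matters as much as the location count.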

Taking these steps requires an investment, but we consider it an important aspect of being a responsible remote access vendor. By building trust with our users, many major brands—including Disney, Marriott, FedEx, UPS, Toyota, the U.S. Centers for Disease Control and Prevention (CDC), Stanford Health Care, Harvard Medical School, Turner Broadcasting, and Tapestry (parent company of the Coach, Kate Spade, and Stuart Weitzman luxury fashion brands)—have adopted Splashtop as their remote access solution.

Find out more about why Splashtop is the most secure remote access solution available. And what do you think: Is it time for remote access software vendors to adopt a code of conduct for responsible use of our products?
