Tuesday, 1 July 2014
LogMeIn - Can that let anyone in?
Until recently, I used a service called LogMeIn, which allows me to access other computers I've set up with specific accounts. I used it primarily to enable me to provide technical support to family members. It's an incredibly useful service, and until recently a limited service was available completely free of charge. Recently the free option was withdrawn so I stopped using it.
I used it twice for business purposes, one time setting up a specific email address so that a client could access a remote computer I had set up to configure a specific piece of equipment installed on another continent.
Then I began to receive spam email which had been sent to the login email address I used for business that one time. I knew that the email address had not been published. I knew that only I had access to the server receiving emails to the address used. I knew that I had not used it for any other purpose, and that there was no benefit to it being used by anyone else, since only I could receive emails sent to it. The email address used for spam HAD to have been released by LogMeIn. So I emailed LogMeIn and explained, but I just received a generic denial, and left it at that.
Today I received an invoice for $826, purporting to be from LogMeIn, sent not to the exclusive login address that had previously received the spam, but to my business email address. The attached invoice contained no data, so I was fairly sure it was a phishing attempt to defraud me. Sure enough, one look at the LogMeIn Facebook page reveals other victims complaining of the same scam. I forwarded the information to LogMeIn, along with my rationale for believing that it was attempted fraud.
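The reasoning in the two paragraphs above (an address handed to exactly one service starts receiving third-party mail, so that service's copy of it leaked; and a vendor-branded invoice with an empty attachment arrives at an address that vendor was never given) can be turned into a mechanical check on incoming mail. The following Python is an added example, not code from this post or from LogMeIn: the service name RemoteVendor, its sending domain, and every address and message below are constructed assumptions standing in for the real ones.

```python
"""Attribute a leaked address to the service it was issued to, and flag
vendor-branded mail that does not match how that vendor was set up.
Constructed example; RemoteVendor, its domain and all addresses are assumed."""
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed registry: each unique address was given to exactly one service.
CANARY_TO_SERVICE = {
    "login-remotesupport@example.com": "RemoteVendor",
}
# Domains each service legitimately sends from (assumed for the example).
SERVICE_DOMAINS = {"RemoteVendor": {"remotevendor.example"}}


def sender_domain(msg):
    """Domain of the address in the From header, lower-cased ('' if none)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def claimed_service(msg):
    """Which registered service the message presents itself as coming from,
    judged by the service name appearing in the From display name or Subject."""
    text = (msg.get("From", "") + " " + msg.get("Subject", "")).lower()
    for service in SERVICE_DOMAINS:
        if service.lower() in text:
            return service
    return None


def analyse(msg):
    """Return a list of (finding, detail) tuples for one parsed message."""
    findings = []
    to_addr = parseaddr(msg.get("To", ""))[1].lower()
    domain = sender_domain(msg)
    issued_to = CANARY_TO_SERVICE.get(to_addr)
    claimed = claimed_service(msg)

    # Rule 1: a canary address only ever given to one service received mail
    # from somewhere else, so that service's copy of the address leaked.
    if issued_to and domain not in SERVICE_DOMAINS[issued_to]:
        findings.append(("canary-leak", issued_to))

    if claimed:
        # Rule 2: the mail claims to be from the service but the sender
        # domain is not one the service actually uses.
        if domain not in SERVICE_DOMAINS[claimed]:
            findings.append(("spoofed-sender", claimed))
        # Rule 3: the service was only ever given its canary address, yet
        # the mail went to an address that service should not know.
        if issued_to != claimed:
            findings.append(("unexpected-recipient", claimed))

    # Rule 4: an attachment (e.g. an "invoice") that carries no bytes at all.
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if len(payload) == 0:
            findings.append(("empty-attachment", part.get_filename()))
    return findings


def build(from_hdr, to_addr, subject, body, attachment=None):
    """Build a test message; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg


# Constructed samples mirroring the two events described in the post.
SPAM_TO_CANARY = build("Deals <promo@bulkmail.example>",
                       "login-remotesupport@example.com", "Cheap offers", "...")
FAKE_INVOICE = build("RemoteVendor Billing <billing@mailer.example>",
                     "office@example.com", "RemoteVendor invoice",
                     "Please pay the attached invoice.", ("invoice.pdf", b""))
GENUINE = build("RemoteVendor <noreply@remotevendor.example>",
                "login-remotesupport@example.com", "RemoteVendor login notice", "ok")

if __name__ == "__main__":
    for label, m in [("spam", SPAM_TO_CANARY), ("invoice", FAKE_INVOICE), ("genuine", GENUINE)]:
        print(label, analyse(m))
```

Rule 1 is the attribution step the post relies on: it only works if each service was given an address used nowhere else, so the registry has to be kept from the day the account is created. Rule 3 is the cheap tell in the invoice case, since a vendor that only ever held the canary address has no legitimate reason to write to the general business address.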
Now that I think about it, my alarm bells are ringing loudly. LogMeIn has allowed my private data to fall into the hands of criminals; witness the exclusive login email address now used for spam. That's irritating. Now their customers are being targeted with attempted fraud. That's alarming. But how bad could this be?
I used LogMeIn to gain authorised access to computers, with the knowledge and trust of the owners of those computers. But the means to do that, in the form of login credentials to the computers involved, are entrusted to LogMeIn. And I now know that information entrusted to LogMeIn has fallen into the hands of criminals. So how safe are the computers I have used with LogMeIn? If someone with malicious or fraudulent intent can gain unauthorised access to those computers, they may have access to all sorts of information which could be harmful, such as login details to banking services, financial accounts, employee personnel records, medical details, intellectual property, state secrets... the list is endless.
I have removed LogMeIn from all my computers, and family computers. But this remains a concern. If LogMeIn cannot secure client data, and they hold the keys to millions of computers worldwide, is it wise to entrust LogMeIn with those keys? Think about it... it gets frightening if you do!
LogMeIn also provides services marketed as RemotelyAnywhere, join.me, Xively, Cubby and BoldChat.