Unauthorised access to my FreeConferenceCall.com

Someone has been using my FreeConferenceCall.com number without permission.

I know that because I have recordings turned on all the time and I can see recordings he has made.

I first noticed them on 6th February when I got a “FreeConferenceCall Detail Report” email - his previous activities had not generated any detail reports.

I see an unknown UK number calling in on 8th November, then a call from Prakesh (+1 (267) xxx-xxxx) on 22nd December, then 9 calls (either computer audio or video, though there doesn’t seem to be anything of interest recorded on any of them) on 6th February.

I changed my account’s password, access code, and host PIN on 6th February, and logged a support ticket.

I’ve not had any response to the support ticket.

Checking today, I see the same email address has connected again today. Again, I’ve not received a “FreeConferenceCall Detail Report” email for this call.

What’s going on? I would expect that changing my account password, access code, and host PIN would have been enough to stop anyone connecting without permission - I’ve not given any of password, access code, or Host PIN to anyone.

Is anyone else seeing similar issues?

Hello, in order to assist you, we will need you to email us once more with all your account details provided. However, from what you have stated here, it seems that you may need to update your online meeting ID. Since the meeting ID is all that participants are required to enter when joining an online meeting, updating your access code, host PIN, and password will not prevent this user from connecting. We recommend you update your meeting settings so that a host must be connected in order for the conference to begin.

Where do you want me to email details to?

OK, I’ve now generated new credentials which has changed the on-line meeting id (which I don’t think I have ever used), the access code and the host PIN.

I’ve also changed the meeting settings: “Wait for host” to “On- 20 minutes” and “Continue without host” to “On - 5 minutes”.

I still don’t understand how the person has got the meeting id (given that I don’t think I have ever used it and I’m certain I’ve not given it to anyone else - I’ve only used telephone conferencing, never on-line meetings) - is it just a lucky guess on his part?

Are people brute forcing meeting ids?

I notice that the new meeting id that has been generated is 9 characters (including letters, digits, and special characters) whereas the previous one was only 5 characters (and only letters and digits).

Hello,

Good news first: your account is not compromised, i.e. nobody was able to log in to your account and see your personal info.

Now, let's review what it takes to:

  • log in to your account on the web
  • join your meeting as a participant
  • join your meeting as a host

Login on the web:
To do this they need to know your login and password. I hope you have a strong password. Our logs indicate that only one IP address accessed your account recently, so I assume it was you.

Join the meeting as a participant:
To call into your meeting as a participant they need to know:

  • dial in phone number and access code
  • - OR - Online Meeting ID

Your Online Meeting ID is pretty unique and I doubt that somebody could guess it. However the phone number and access code are not that unique. The phone number is shared between many customers and the access code is only 6-7 digits long (you can make it longer).

Specifically, what happened in your case is that “Prakash Salunkh” mistyped the access code on his FCC mobile app and then joined your meeting by mistake several times in a row.

How to mitigate it (choose one or several):

  • change your access code to be 9 digits
  • set Security Code on your meeting

    In this case people will also have to enter the code IN ADDITION to the access code
  • set Wait For Host (so the meeting won’t start without you)

Join the meeting as a host:
To join as host they need to know:

  • your login/password
  • - OR - your dialing number + access code + host PIN

All comments from the previous paragraph apply here. I only need to explain the need for the Host PIN.
Imagine a situation when you need to host a meeting but you do not have the FCC application with you. The host PIN allows you to authenticate yourself as a host if you dial into the meeting via the telephone. Obviously you want to keep your PIN code secret. Although, even if someone managed to guess your PIN, it won’t give him access to your account on the web.

Hope it helps.
Eugene
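The effect described in the reply above (a mistyped access code on a shared dial-in number landing in someone else's meeting) can be put into numbers. The following is an added example, not code from FreeConferenceCall.com or from anyone in this thread; it assumes 5,000 randomly assigned access codes per dial-in number (a constructed figure) and models a mistype as one wrong digit or one swapped pair of adjacent digits.

```python
import random

# Assumption for illustration: meetings sharing one dial-in number.
ASSIGNED_CODES = 5000


def typos(code):
    """Yield every one-slip mistype of code: a single wrong digit,
    or two adjacent digits swapped."""
    for i, ch in enumerate(code):
        for d in "0123456789":
            if d != ch:
                yield code[:i] + d + code[i + 1:]
        if i + 1 < len(code) and code[i + 1] != ch:
            yield code[:i] + code[i + 1] + ch + code[i + 2:]


def misroute_rate(length, assigned=ASSIGNED_CODES, seed=1):
    """Fraction of one-slip mistypes that land on a different, valid code
    when `assigned` codes of `length` digits are handed out at random."""
    rng = random.Random(seed)  # seeded so the constructed sample is repeatable
    codes = {f"{n:0{length}d}"
             for n in rng.sample(range(10 ** length), assigned)}
    total = hits = 0
    for code in codes:
        for wrong in typos(code):
            total += 1
            hits += wrong in codes  # mistype matches another meeting
    return hits / total


if __name__ == "__main__":
    for length in (6, 7, 9):
        rate = misroute_rate(length)
        print(f"{length}-digit access code: "
              f"{rate:.6%} of mistypes reach someone else's meeting")
```

Under these assumptions the rate tracks how densely the code space is filled, so moving from 6 to 9 digits cuts accidental joins by roughly a factor of a thousand; a separate Security Code or Wait For Host covers the cases that still get through.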