Secure remote access—previously confined to select IT personnel—has become a must-have for businesses of various sizes as workplaces go hybrid or off-site. Flex Index’s Flex Report Q2 2024 reveals that the percentage of US-based companies that have adopted this business setup has gone up to 37% in 2024 from 20% the year before. Moreover, employees who travel, supply chain vendors, and third-party service providers often require remote access.
The growth in the number of users accessing sensitive network resources on more devices from more locations increases the threat of security risks. IBM’s latest report pegged the global average data breach cost at $4.88 million. Furthermore, the research shows that recovery from such breaches can take over 100 days.
In light of these trends, employers—from small businesses to global enterprises—must select the most reliable remote access software to protect business data. These solutions grant exclusive access to authorized users, barring web-based threats, such as ransomware and malware.
In this article, we’ll look into one of the most popular and veteran names in the market—GoToMyPC. Let’s evaluate its features to determine if it’s a viable tool for your remote support needs.
Overview of GoToMyPC's Security Features
GoToMyPC software—launched in 2003—is a product of LogMeIn, a SaaS provider of connectivity and support solutions. GoToMyPC offers individual/personal use plans and enterprise-level (Pro and Corporate) packages.
Ensuring Authorized Access
Two elements aim to guarantee secure GoToMyPC usage:
Two-factor authentication (2FA)
GoToMyPC uses 2FA for an extra layer of identity verification. It asks users to enter a password or code sent via text message before gaining access to the platform. Moreover, the software limits the number of login attempts to avert hacker attacks.
Access code and passwords
GoToMyPC requires passwords (at least eight alpha-numeric characters) and access codes to prevent your account from being compromised. The platform also asks you to enter a password before using it on a device where it’s installed. Then you must enter another password or access code for the device you will view or control remotely.
Preventing Unauthorized Attempts
GoToMyPC prevents malicious actors from entering user accounts through these features:
Encryption protocols
The software uses banking-grade 256-bit Advanced Encryption Standard (AES) encryption to ensure the privacy of user activity (chats, keyboard strokes, or mouse input) and data (file transfers or screenshots) exchanged between connected devices, whether they are mobile devices or desktop units.
Other privacy features
Other security features of GoToMyPC include “screen blanking,” which turns an unattended host device’s screen black or green to prevent others from viewing your remote operations. The software can only blank out PC hosts. For added visual security, admins can enable remote computer locking to automatically lock access to the host computer after disconnecting from a remote session. They can also activate the “lock keyboard and mouse” feature while remote sessions are ongoing.
Examining GoToMyPC's Security Vulnerabilities
Despite its security infrastructure, GoToMyPC users may have to guard against the repeat of these cyber threats, which the platform experienced in recent years:
Unauthorized access
In separate cases, the company notified users to reset their passwords due to these incidents:
Password attacks
They include “re-use attacks,” wherein cybercriminals used usernames and passwords maliciously obtained from other websites to access GoToMyPC accounts.
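The following detection sketch is an added example, not code from the original article or from GoToMyPC. It shows why a per-account login-attempt limit alone misses a re-use attack: each targeted account sees only one or two attempts, so the signal is one source trying many different accounts in a short window. The log format, field names, and thresholds are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events (not real GoToMyPC logs): time, source IP, user, result.
SAMPLE_LOG = """\
2024-05-01T09:00:01 203.0.113.7 alice FAIL
2024-05-01T09:00:09 203.0.113.7 bob FAIL
2024-05-01T09:00:15 203.0.113.7 carol FAIL
2024-05-01T09:00:22 203.0.113.7 dave OK
2024-05-01T09:00:30 203.0.113.7 erin FAIL
2024-05-01T09:00:41 203.0.113.7 frank FAIL
2024-05-01T09:05:00 198.51.100.20 grace FAIL
2024-05-01T09:05:02 198.51.100.20 grace FAIL
2024-05-01T09:05:04 198.51.100.20 grace FAIL
2024-05-01T09:05:06 198.51.100.20 grace FAIL
2024-05-01T09:05:08 198.51.100.20 grace FAIL
2024-05-01T09:30:00 192.0.2.15 heidi FAIL
2024-05-01T09:30:20 192.0.2.15 heidi OK
"""

def parse(log):
    """Yield (timestamp, ip, user, succeeded) tuples from whitespace-separated lines."""
    for line in log.strip().splitlines():
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def locked_accounts(log, limit=5):
    """Accounts a per-account attempt limit would lock (>= limit failures)."""
    fails = Counter(user for _, _, user, ok in parse(log) if not ok)
    return sorted(u for u, n in fails.items() if n >= limit)

def reuse_sources(log, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Map each source IP that tries many accounts, few times each, inside one
    window to the accounts it logged in to successfully (reset these first)."""
    by_ip = defaultdict(list)
    for event in parse(log):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            tries = Counter(user for _, _, user, _ in events[start:end + 1])
            if len(tries) >= min_users and max(tries.values()) <= max_per_user:
                flagged[ip] = sorted({u for _, _, u, ok in events if ok})
                break
    return flagged
```

On the sample data, the attempt limit locks only the account hit repeatedly from 198.51.100.20, while the per-source view flags 203.0.113.7 and identifies the one account whose reused password worked.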
Man-in-the-middle (MITM) attacks
These incidents involve hackers stealing sensitive information by eavesdropping on or intercepting communications between two parties, typically the user and the network. GoToMyPC uses “AES in cipher feedback mode” (CFB) to counter such moves. CFB prevents threat actors from generating counterfeit keys to get access remotely and interfere with communications.
Software update delays
GoToMyPC users have also experienced slowdowns during software updates or when other programs or operating systems like Windows run their updates and affect its platform.
Risks of delayed updates
Feedback following GoToMyPC updates primarily shows a slowdown in business operations. Besides inconvenience and productivity loss, late updates can make users susceptible to cyberattacks, which result in financial loss and reputation damage. Unpatched security flaws make systems vulnerable to attackers looking for entry points in the remote connection.
History of GoToMyPC Security Breaches and Vulnerabilities
GoToMyPC users have suffered from two major breaches with six years between them. Read on to learn more about these incidents and how the company took action.
Past incidents
June 2016
GoToMyPC admitted being hit by a “very sophisticated password attack.” Citrix—which owned the platform at the time, before being acquired by LogMeIn in 2017—said it was a case of a “password reuse attack.” In such circumstances, hackers who manage to secure a password for one account try using it to log into the person’s other accounts (email, social media, and banking). Weeks before the incident, Facebook, Twitter, Netflix, Reddit, GitHub, and TeamViewer also suffered from the same attack.
November 2022
GoToMyPC launched an investigation after detecting “unusual activity within our development environment and third-party cloud storage service.” Its findings shared in January 2024 revealed that “a threat actor exfiltrated (stole) encrypted backups” and an encryption key for a portion of these backups.
Addressed vulnerabilities
Response to the 2016 incident
Citrix announced a mandatory password reset for all authorized GoToMyPC users. The company reminded users to create unique and strong passwords—meaning they should not have been used for other accounts. Moreover, it encouraged enabling 2FA.
Response to the 2022 incident
The company sent direct communications to affected customers containing actionable steps to “further secure their accounts.” It also authorized resetting multi-factor authentications.
Other security updates
In December 2022, GoToMyPC launched the Security Center, where users can configure their security settings. These include viewer security time-out (amount of inactivity time before the Viewer disconnects), locking the host computer, blanking out the screen while connected, and locking the host computer’s keyboard and mouse.
Assessing Remote Access Security
A robust access control strategy can keep your workforce agile and flexible without sacrificing data security. Implementing such a game plan requires selecting, auditing, and maintaining your remote support software with care.
Checklist for evaluating remote support software
Whether you already have a service partner or you’re still contemplating your options, consider these three key factors to determine the suitability of remote desktop solutions to your current needs:
Security features
The best platforms should offer prompt and automated security patches and updates, multi-level authentication, end-to-end encryption of all connections, logs and session recording, and per-user level permissions management to enforce “least privilege.”
Compliance and certifications
Choose software that complies with local (such as the Service Organization Control Type 2 or SOC 2 cybersecurity compliance framework in the US) and international regulations (such as the EU’s General Data Protection Regulation) and adheres to global information security management standards like ISO 27001.
Vendor reputation
Research and scrutinize your prospects’ track records and customer support. Also, check other customers’ reviews and feedback about their experiences with those vendors.
A Safe Alternative to GoToMyPC: RealVNC Connect
RealVNC built its products to ensure every connection can withstand possible hostile actors through our customizable secure technology. Whether you use RealVNC products via LAN, the VNC cloud, or a mobile device, you benefit from these features:
RealVNC's Security Features
End-to-end encryption
RealVNC uses up to 256-bit AES encryption together with Transport Layer Security (TLS) 1.2, which prevents decryption at any time by anyone, including RealVNC. Subscribers can adjust user permissions to view-only or limit access actions (such as file transfer or copy-pasting text).
Endpoint integrity verification
RealVNC’s 2048-bit RSA keys automatically verify identity on every touchpoint, protecting both your systems and your client’s from MITM attacks. We blacklist users unable to authenticate properly to deter brute-force, DoS, and dictionary attacks.
Flexible Deployment Options: On-Premise and Cloud Solutions
Various deployment options are available, including offline licensing if you prefer on-premise usage behind your network’s firewalls instead of connecting through the VNC Cloud.
Commitment to Data Protection: Compliance with Standards
RealVNC is ISO 27001-certified and GDPR-compliant. It also adheres to the Health Insurance Portability and Accountability Act (patient data) and Payment Card Industry Data Security Standard (credit card account information).
Conclusion: Is GoToMyPC Safe?
The recent steps taken by GoToMyPC to beef up its security provide current and future users some peace of mind, given the introduction of its Security Center. Nevertheless, as part of due diligence, give yourself time to study the platform’s features more closely to understand requirements—including allowlisting for your firewall—and features your customers can control. This way, you can help your workforce and clients guard against its past threats, including password re-use attacks and encryption key theft.
RealVNC: A More Polished Alternative
As a reliable remote desktop software provider, RealVNC is proactive about security. It goes beyond encryption protocols, 2FA, and screen blanking to assure users with stable and safe remote access through:
- Multi-factor authentication
- Customizable permissions management
- Blacklisting
- Penetration testing
- Regular third-party security risk audits
- Round-the-clock customer service support
RealVNC hosts its cloud service and doesn’t use a broker or third party such as AWS or Azure. Moreover, the company releases vulnerability updates and fixes regularly.
Don’t let security challenges derail your operations and growth or mar your reputation. Check RealVNC for yourself by signing up for a free trial.