The use of online streaming services was already burgeoning well before most of the world started spending so much time at home. The current explosion in the demand for video and music streaming services is cause for celebration in the industry, but it has a dark side. Account fraud, sharing and takeover, enabled by password sharing and identity theft, is emerging as a serious business threat to over-the-top (OTT) and pay-TV companies.

According to Parks Associates, $9.1 billion was lost in revenues due to account sharing and data piracy in 2019 alone, with a predicted nearly $12.5 billion to be lost by 2024. That makes quite a case for curtailing both.

IBM Security fraud research shows that few, if any, of the major streaming services are spared, with credentials, credit card numbers and proprietary content widely sold on the darknet. Compromised accounts don’t just hurt profits, they also put service providers at risk of being non-compliant with the terms of their agreement with the content owners.

What if streaming services could protect against account sharing and account takeover fraud by creating real-time risk profiles for user accounts and related devices? What if you could also apply those capabilities to differentiate and change your customer experience, building trust, loyalty and growth through highly secure and frictionless viewing?

Let’s first take a closer look at three problems that need to be overcome.

1. Account Fraud is Part of the Culture

Among consumers, and even streaming service providers themselves, there’s major cognitive dissonance around how much of an issue password sharing even is. Parks Associates notes that approximately 39% of millennials share their password and don’t think of it as fraud or theft. Hub Entertainment Research found that 80% of 13- to 24-year-olds say they’ve given out an online TV service password to someone who doesn’t live with them, even though most streaming companies limit sharing to a household.

The same research notes that the older crowd isn’t much better: 29% of consumers aged 35-74 admitted to password sharing. Tolerance in the industry until now has been high because it’s widely recognized that today’s account sharing flexibility helps retain existing accounts and create tomorrow’s customers.

According to Wired, “Unofficially, the big video streaming services appear to take a fairly relaxed attitude to sharing passwords, though they do restrict how many streams you can run simultaneously on multiple devices. Using these logins at a multitude of addresses might get you into trouble.”

Password sharing accounts for almost 10% of Netflix customers not paying the monthly fee, resulting in over $135 million in missed revenue.

But the problem is much bigger than legitimate users overusing and underpaying for accounts. The simple fact is that once passwords or credentials get shared, control over account access is lost, opening a Pandora’s box to malicious use and content piracy.

2. Account Fraud is Criminal

Money is being made through account sharing — just not legally. Almost every service is a target, even right at launch. Just a week after Disney+ launched in November 2019, thousands of passwords were already being sold or offered for free on the dark web.

Subscribers to one major service complained of discovering strangers in their premium accounts without knowing when the unauthorized use had begun or for how long it had been going on.

3. Account Fraud is Everywhere

IBM fraud researchers have documented this theft first-hand. They have been studying the digital fraud landscape and challenging fraudulent behavior in the financial sector for over a decade, and IBM teams now see the same refined tactics and techniques in the streaming services market that they saw in the banking sector.

IBM Security Trusteer Senior Threat Researcher Tomer Agayev notes, “Wherever there’s a hot market — and video and music streaming are red hot — there’s fraud.”

Agayev described abundant instances of legitimate streaming account subscriptions being sold illicitly, heavily discounted, on the popular, anonymous Telegram channels — for as far out as five years. He noted that darknet vendors shamelessly offer premium streaming accounts alongside credit cards and bank accounts in the same post, a sign that the streaming market is seen as attractive and lucrative.

In the streaming arena, IBM fraud researchers are seeing behavior familiar from digital banking fraud. This includes the use of mobile overlays such as the recently resurfaced Ginp Trojan overlay, as well as phishing and bot-based credential stuffing. The phishing is high-tech, even using ‘domain squatting’ to make a fake URL look like the real one. Adapting these attack tactics to new targets represents a real investment on the attackers’ part.

IBM streaming services clients have shared their own sightings, reinforcing these findings:

  • Fraud is getting more refined; it’s difficult to keep up.
  • It’s hard to know which users and devices are trustworthy.
  • Fraud protection solutions are piecemeal.
  • Going soft on account sharing helps the service provider compete.

But change is upon us.

Industry Targets Account Fraud

A shift is underway, driven by lower tolerance among industry stakeholders to the revenue loss and potential content abuse. Cable industry executives are warning that a crackdown on password sharing is inevitable, as “streaming providers that welcome extra viewers today may lament the lost revenue those subscribers don’t bring to the table tomorrow.”

“Pricing and lack of security continue to be the main problems contributing to the challenges of paid video growth,” Charter CEO Thomas Rutledge tells Wall Street analysts.

The International Broadcasting Convention, too, is beseeching the industry to safeguard content distribution: “With more media companies shifting to OTT and IP-led services … it [is] more essential than ever to protect content from illegal use and avoid revenue loss … on its journey into the homes of legitimate customers without degrading the levels of service.”

In short, it is incumbent upon a streaming business to protect and prevent account fraud and takeover by spotting unauthorized users and thieves. Merging fraud detection with mechanisms for digital identity trust empowers the streaming service to not just prevent account fraud, but also elevate levels of service — a win-win for both the user and the service provider.

How to Use a Comprehensive Trust Service

So, what’s to be done? The streaming sites can lift the burden from end users by creating a unique customer experience with a digital identity trust solution. A solution like this should feature end-to-end tools for detecting account fraud in real time.

Account protection built in this way stays invisible to trusted users. That covers multiple trusted users on a given account profile, cutting down on or removing password requests, spanning multiple households (if needed) and accepting changed devices without registering or de-registering.

In addition, informing policy through risk and trust scoring lets the business mitigate overuse with actions such as upgrades or other offers. Finally, it also helps maintain compliance with studios in regard to content usage and protection.

Removing Account Fraud Can Benefit Customers

Achieving a frictionless customer experience for streaming services involves going far beyond simple geolocation and IP address tracking. While such tools might work for basic monitoring, the complexities that come from allowing multiple users and devices on a given account require a solution with far more advanced capabilities. Device, environment and behavior all need to be inspected through the prism of the behavior already known for that account profile, of fraud patterns drawn from deep research into how identity compromise is carried out across the internet and darknet, and of consortium data from known fraud events worldwide.

An effective approach needs to assess multiple types of criteria in concert, including device configuration and behavioral biometrics, such as how the user holds the mouse or moves it across the screen. Building a risk profile of known and unknown users allows the authentication process to range anywhere from frictionless and passwordless for low risk sessions to multi-factor authentication challenges for high-risk connection attempts.
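The risk-tiered authentication described above, as an added illustration that is not IBM’s code or any product’s logic: a small scorer that judges a new streaming session against the account’s own profile (trusted devices, known households, plan stream limit) and its recent sessions, then maps the score onto the post’s three outcomes, frictionless, step-up challenge or block. The signal weights, thresholds, the 900 km/h “impossible travel” speed and the sample account and session records are all constructed assumptions for the example; a real deployment would tune them per account from history and consortium fraud data.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Illustrative thresholds and weights (assumptions for this example, not a vendor's values).
STEP_UP_THRESHOLD = 40         # at or above: ask for a second factor
BLOCK_THRESHOLD = 70           # at or above: refuse the session and alert
IMPOSSIBLE_SPEED_KMH = 900.0   # faster than any commercial flight
HOUSEHOLD_RADIUS_KM = 200.0    # how far from a known household still counts as "home"


@dataclass
class AccountProfile:
    max_streams: int        # concurrent streams allowed by the plan
    known_devices: set      # device fingerprints previously trusted on this account
    known_locations: list   # (lat, lon) of households previously seen


@dataclass
class Session:
    device_id: str
    lat: float
    lon: float
    start: datetime
    end: datetime


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_session(profile, history, candidate):
    """Return (score, reasons) for a new session, judged against the account's own history."""
    score, reasons = 0, []

    if candidate.device_id not in profile.known_devices:
        score += 25
        reasons.append("unrecognised device")

    if profile.known_locations:
        nearest = min(haversine_km(candidate.lat, candidate.lon, lat, lon)
                      for lat, lon in profile.known_locations)
        if nearest > HOUSEHOLD_RADIUS_KM:
            score += 20
            reasons.append("outside known households")

    # Impossible travel: compare with the most recent earlier session on the account.
    earlier = [s for s in history if s.start < candidate.start]
    if earlier:
        prior = max(earlier, key=lambda s: s.start)
        km = haversine_km(prior.lat, prior.lon, candidate.lat, candidate.lon)
        hours = (candidate.start - prior.start).total_seconds() / 3600
        if hours > 0 and km / hours > IMPOSSIBLE_SPEED_KMH:
            score += 40
            reasons.append("impossible travel")

    # Concurrency: streams already running at the moment the candidate starts.
    running = sum(1 for s in history if s.start <= candidate.start < s.end)
    if running + 1 > profile.max_streams:
        score += 30
        reasons.append("stream limit exceeded")

    return score, reasons


def decide(score):
    """Map a risk score onto the friction level applied to the session."""
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= STEP_UP_THRESHOLD:
        return "step-up"
    return "frictionless"


def evaluate(profile, history, candidate):
    score, reasons = score_session(profile, history, candidate)
    return {"device": candidate.device_id, "score": score,
            "decision": decide(score), "reasons": reasons}


def demo():
    """Constructed sample data: one New York household on a two-stream plan."""
    def t(hour, minute):
        return datetime(2020, 6, 1, hour, minute)

    ny = (40.7128, -74.0060)
    london = (51.5074, -0.1278)
    profile = AccountProfile(max_streams=2,
                             known_devices={"tv-livingroom", "phone-alice"},
                             known_locations=[ny])
    history = [
        Session("tv-livingroom", *ny, t(20, 0), t(22, 0)),
        Session("phone-alice", *ny, t(20, 30), t(21, 30)),
    ]
    candidates = [
        Session("phone-alice", *ny, t(22, 30), t(23, 30)),      # known device, quiet hour
        Session("laptop-guest", *ny, t(20, 45), t(22, 0)),      # third stream from a new device
        Session("laptop-guest", *london, t(21, 0), t(22, 0)),   # "same" user in London 30 min later
    ]
    return [evaluate(profile, history, c) for c in candidates]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Running the block prints one decision per candidate: the household’s own phone at a quiet hour passes with a score of 0 (frictionless), an unrecognised laptop that would be a third concurrent stream scores 55 (step-up), and the same unrecognised laptop appearing in London half an hour after a New York session trips every signal (block). The point of the structure is that each signal is judged against what is already known for that account, so a legitimate user on a new device in a known household is nudged rather than locked out.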


An end-to-end, context-based solution gives the streaming company control over account sharing. By adding heuristics, logic and customized policy definitions, an organization can tailor a digital identity trust solution to its own preferences for access, upsell or whatever next step it wishes to take.

Imagine legitimate users entering their streaming services account from any device, location or household — even without a password — and finding a custom, welcoming experience, all while darknet users are kept out.
