The use of online streaming services was already burgeoning well before most of the world started spending so much time at home. The current explosion in the demand for video and music streaming services is cause for celebration in the industry, but it has a dark side. Account fraud, sharing and takeover, enabled by password sharing and identity theft, is emerging as a serious business threat to over-the-top (OTT) and pay-TV companies.

According to Parks Associates, $9.1 billion was lost in revenues due to account sharing and data piracy in 2019 alone, with a predicted nearly $12.5 billion to be lost by 2024. That makes quite a case for curtailing both.

IBM Security fraud research shows that few, if any, of the major streaming services are spared, with credentials, credit card numbers and proprietary content widely sold on the darknet. Compromised accounts don’t just hurt profits, they also put service providers at risk of being non-compliant with the terms of their agreement with the content owners.

What if streaming services could protect against account sharing and account takeover fraud by creating real-time risk profiles for user accounts and related devices? What if you could also apply those capabilities to differentiate and change your customer experience, building trust, loyalty and growth through highly secure and frictionless viewing?

Let’s first take a closer look at three problems that need to be overcome.

1. Account Fraud is Part of the Culture

Among consumers, and even streaming service providers themselves, there’s major cognitive dissonance around how much password sharing is even an issue. Parks Associates notes that approximately 39% of millennials share their password and don’t think of it as fraud or theft. Hub Entertainment Research found that 80% of 13- to 24-year-olds say they’ve given out an online TV service password to someone who doesn’t live with them, even though most streaming companies limit sharing to a household.

The same research notes that the older crowd isn’t much better: 29% of consumers aged 35-74 admitted to password sharing. Tolerance in the industry until now has been high because it’s widely recognized that today’s account sharing flexibility helps retain existing accounts and create tomorrow’s customers. 

According to Wired, “Unofficially, the big video streaming services appear to take a fairly relaxed attitude to sharing passwords, though they do restrict how many streams you can run simultaneously on multiple devices. Using these logins at a multitude of addresses might get you into trouble.”

Password sharing is attributable to almost 10% of Netflix customers not paying the monthly fee, resulting in over $135 million in missed revenue.

But the problem is much bigger than legitimate users overusing and underpaying for accounts. The simple fact is that once passwords or credentials get shared, control over account access is lost, opening a Pandora’s box to malicious use and content piracy.

2. Account Fraud is Criminal

Money is being made through account sharing — just not legally. Almost every service is a target, even right at launch. Just a week after Disney+ launched in November 2019, thousands of passwords were already being sold or offered for free on the dark web.

Subscribers to one major service complained of discovering strangers in their premium accounts without knowing when the unauthorized use had begun or for how long it had been going on.

3. Account Fraud is Everywhere

IBM fraud researchers proved the existence of this theft. They have been studying the digital fraud landscape and challenging fraudulent behavior in the financial sector for over a decade. IBM teams see the same refined tactics and techniques in the streaming services market as they saw in the banking sector.

IBM Security Trusteer Senior Threat Researcher Tomer Agayev notes, “Wherever there’s a hot market — and video and music streaming are red hot — there’s fraud.”

Agayev described abundant instances of legitimate streaming account subscriptions being sold illicitly, heavily discounted, on the popular, anonymous Telegram channels — for as far out as five years. He noted that darknet vendors shamelessly offer premium streaming accounts alongside credit cards and bank accounts in the same post, a sign that the streaming market is seen as attractive and lucrative.

In the streaming arena, IBM fraud researchers are seeing behavior familiar from digital banking fraud. These include the use of mobile overlays such as the recently resurfaced Ginp Trojan overlay, as well as phishing and bot-based credential stuffing. The phishing is high-tech, even using ‘domain squatting’ to make a fake URL look like the real one. Adapting attack tactics to new targets is quite an investment.

IBM streaming services clients have shared their own sightings, reinforcing these findings:

  • Fraud is getting more refined; it’s difficult to keep up.
  • It’s hard to know which users and devices are trustworthy.
  • Fraud protection solutions are piecemeal.
  • Going soft on account sharing helps the service provider compete.

But, change is upon us.

Industry Targets Account Fraud

A shift is underway, driven by lower tolerance among industry stakeholders to the revenue loss and potential content abuse. Cable industry executives are warning that a crackdown on password sharing is inevitable, as “streaming providers that welcome extra viewers today may lament the lost revenue those subscribers don’t bring to the table tomorrow.”

“Pricing and lack of security continue to be the main problems contributing to the challenges of paid video growth,” Charter CEO Thomas Rutledge tells Wall Street analysts.

The International Broadcasting Convention, too, is beseeching the industry to safeguard content distribution: “With more media companies shifting to OTT and IP-led services … it [is] more essential than ever to protect content from illegal use and avoid revenue loss … on its journey into the homes of legitimate customers without degrading the levels of service.”

In short, it is incumbent upon a streaming business to protect against and prevent account fraud and takeover by spotting unauthorized users and thieves. Merging fraud detection with mechanisms for digital identity trust empowers the streaming service to not just prevent account fraud, but also elevate levels of service — a win-win for both the user and the service provider.

How to Use a Comprehensive Trust Service

So, what’s to be done? The streaming sites can lift the burden from end users by creating a unique customer experience with a digital identity trust solution. A solution like this should feature end-to-end tools for detecting account fraud in real time.

Account protection built in this way is invisible to trusted users: it supports multiple trusted users on a given account profile, reduces or removes password prompts, spans multiple households (if needed) and accepts changed devices without registering or de-registering them.

In addition, informing policy through risk and trust scoring lets the business mitigate overuse with actions such as upgrades or other offers. Finally, it also helps keep compliance with studios in regard to content usage and protection.

Removing Account Fraud Can Benefit Customers

Achieving a frictionless customer experience for streaming services involves going far beyond simple geolocation and IP address tracking. While such tools might work for basic monitoring, the complexities resulting from allowing multiple users and devices on a given account require a solution with far more advanced capabilities. Device, environment and behavior all need to be inspected through the prism of the behavior known for that account profile, of fraud patterns determined from deep research into identity compromise modus operandi across the internet and darknet, and of consortium data from known fraud events worldwide.

An effective approach needs to assess multiple types of criteria in concert, including device configuration and behavioral biometrics, such as how the user holds the mouse or moves it across the screen. Building a risk profile of known and unknown users allows the authentication process to range anywhere from frictionless and passwordless for low-risk sessions to multi-factor authentication challenges for high-risk connection attempts.


An end-to-end, context-based solution gives the streaming company control over account sharing. Adding heuristics, logic and customized policy definition, an organization can tailor a digital identity trust solution to its palate for access, upsell or whatever next step it wishes to take.
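The tiered decision described in this section, as an added toy example that is not IBM Trusteer code: device, household, stream-usage, behavioral and darknet-intelligence signals are combined into one risk score, and policy maps that score to passwordless access, an upgrade offer for household overuse, a step-up MFA challenge, or a block. The signal weights, thresholds and the `AccountProfile`/`LoginEvent` fields are all assumptions for illustration.

```python
from dataclasses import dataclass

# Policy outcomes, from frictionless to most restrictive (assumed names).
ALLOW_PASSWORDLESS = "allow_passwordless"
OFFER_UPGRADE = "allow_with_upgrade_offer"   # household overuse handled commercially, not as fraud
STEP_UP_MFA = "step_up_mfa"
BLOCK = "block"

@dataclass
class AccountProfile:
    known_devices: set        # device fingerprints already trusted on this account
    known_households: set     # household/network identifiers seen from trusted users
    household_limit: int = 1  # households the plan allows
    max_streams: int = 2      # concurrent streams the plan allows

@dataclass
class LoginEvent:
    device_id: str
    household_id: str
    active_streams: int                      # streams already running when this login arrives
    credential_in_breach_dump: bool = False  # consortium / darknet intelligence hit on this password
    failed_logins_last_hour: int = 0         # bot-style credential stuffing indicator
    behavior_match: float = 1.0              # 0..1 similarity of mouse/typing biometrics to the profile

def risk_score(profile: AccountProfile, event: LoginEvent) -> int:
    """Combine device, environment, usage and intelligence signals into one score (weights assumed)."""
    score = 0
    score += 20 if event.device_id not in profile.known_devices else 0
    score += 10 if event.household_id not in profile.known_households else 0
    score += 20 if event.active_streams >= profile.max_streams else 0
    score += 40 if event.credential_in_breach_dump else 0
    score += 30 if event.failed_logins_last_hour >= 10 else 0
    score += round((1.0 - event.behavior_match) * 50)
    return score

def decide(profile: AccountProfile, event: LoginEvent) -> str:
    """Map the score to an authentication/policy action; low risk stays passwordless."""
    score = risk_score(profile, event)
    if score >= 70:
        return BLOCK
    if score >= 35:
        return STEP_UP_MFA
    if len(profile.known_households | {event.household_id}) > profile.household_limit:
        return OFFER_UPGRADE  # legitimate-looking sharing: upsell rather than challenge
    return ALLOW_PASSWORDLESS

def learn(profile: AccountProfile, event: LoginEvent, action: str) -> AccountProfile:
    """After a low-risk session, trust the new device silently (no manual registration step)."""
    if action in (ALLOW_PASSWORDLESS, OFFER_UPGRADE):
        profile.known_devices.add(event.device_id)
        profile.known_households.add(event.household_id)
    return profile
```

A new device from a known household with matching behavior stays passwordless, a second household gets an offer instead of a challenge, and a breached credential arriving with a burst of failed logins is blocked outright.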

Imagine legitimate users entering their streaming services account from any device, location or household — even without a password — and finding a custom, welcoming experience, all while darknet users are kept out.

