The use of online streaming services was already burgeoning well before most of the world started spending so much time at home. The current explosion in the demand for video and music streaming services is cause for celebration in the industry, but it has a dark side. Account fraud, sharing and takeover, enabled by password sharing and identity theft, is emerging as a serious business threat to over-the-top (OTT) and pay-TV companies.

According to Parks Associates, $9.1 billion was lost in revenues due to account sharing and data piracy in 2019 alone, with a predicted nearly $12.5 billion to be lost by 2024. That makes quite a case for curtailing both.

IBM Security fraud research shows that few, if any, of the major streaming services are spared, with credentials, credit card numbers and proprietary content widely sold on the darknet. Compromised accounts don’t just hurt profits, they also put service providers at risk of being non-compliant with the terms of their agreement with the content owners.

What if streaming services could protect against account sharing and account takeover fraud by creating real-time risk profiles for user accounts and related devices? What if you could also apply those capabilities to differentiate and change your customer experience, building trust, loyalty and growth through highly secure and frictionless viewing?

Let’s first take a closer look at three problems that need to be overcome.

1. Account Fraud is Part of the Culture

Among consumers, and even streaming service providers themselves, there’s major cognitive dissonance around how much of an issue password sharing really is. Parks Associates notes that approximately 39% of millennials share their password and don’t think of it as fraud or theft. Hub Entertainment Research found that 80% of 13- to 24-year-olds say they’ve given out an online TV service password to someone who doesn’t live with them, even though most streaming companies limit sharing to a household.

The same research notes that the older crowd isn’t much better: 29% of consumers aged 35-74 admitted to password sharing. Tolerance in the industry until now has been high because it’s widely recognized that today’s account sharing flexibility helps retain existing accounts and create tomorrow’s customers. 

According to Wired, “Unofficially, the big video streaming services appear to take a fairly relaxed attitude to sharing passwords, though they do restrict how many streams you can run simultaneously on multiple devices. Using these logins at a multitude of addresses might get you into trouble.”

Password sharing accounts for almost 10% of Netflix customers not paying the monthly fee, resulting in over $135 million in missed revenue.

But the problem is much bigger than legitimate users overusing and underpaying for accounts. The simple fact is that once passwords or credentials get shared, control over account access is lost, opening a Pandora’s box to malicious use and content piracy.

2. Account Fraud is Criminal

Money is being made through account sharing — just not legally. Almost every service is a target, even right at launch. Just a week after Disney+ launched in November 2019, thousands of passwords were already being sold or offered for free on the dark web.

Subscribers to one major service complained of discovering strangers in their premium accounts without knowing when the unauthorized use had begun or for how long it had been going on.

3. Account Fraud is Everywhere

IBM fraud researchers proved the existence of this theft. They have been studying the digital fraud landscape and challenging fraudulent behavior in the financial sector for over a decade. IBM teams see the same refined tactics and techniques in the streaming services market as they saw in the banking sector.

IBM Security Trusteer Senior Threat Researcher Tomer Agayev notes, “Wherever there’s a hot market — and video and music streaming are red hot — there’s fraud.”

Agayev described abundant instances of legitimate streaming account subscriptions being sold illicitly, heavily discounted, on the popular, anonymous Telegram channels — for as far out as five years. He noted that darknet vendors shamelessly offer premium streaming accounts alongside credit cards and bank accounts in the same post, a sign that the streaming market is seen as attractive and lucrative.

In the streaming arena, IBM fraud researchers are seeing behavior familiar from digital banking fraud. This includes the use of mobile overlays such as the recently resurfaced Ginp Trojan overlay, as well as phishing and bot-based credential stuffing. The phishing is high-tech, even using ‘domain squatting’ to make a fake URL look like the real one. Adapting attack tactics to new targets is quite an investment.

IBM streaming services clients have shared their own sightings, reinforcing these findings:

  • Fraud is getting more refined; it’s difficult to keep up.
  • It’s hard to know which users and devices are trustworthy.
  • Fraud protection solutions are piecemeal.
  • Going soft on account sharing helps the service provider compete.

But change is upon us.

Industry Targets Account Fraud

A shift is underway, driven by lower tolerance among industry stakeholders to the revenue loss and potential content abuse. Cable industry executives are warning that a crackdown on password sharing is inevitable, as “streaming providers that welcome extra viewers today may lament the lost revenue those subscribers don’t bring to the table tomorrow.”

“Pricing and lack of security continue to be the main problems contributing to the challenges of paid video growth,” Charter CEO Thomas Rutledge tells Wall Street analysts.

The International Broadcasting Convention, too, is beseeching the industry to safeguard content distribution: “With more media companies shifting to OTT and IP-led services … it [is] more essential than ever to protect content from illegal use and avoid revenue loss … on its journey into the homes of legitimate customers without degrading the levels of service.”

In short, it is incumbent upon a streaming business to protect against and prevent account fraud and takeover by spotting unauthorized users and thieves. Merging fraud detection with mechanisms for digital identity trust empowers the streaming service to not just prevent account fraud, but also elevate levels of service — a win-win for both the user and the service provider.

How to Use a Comprehensive Trust Service

So, what’s to be done? The streaming sites can lift the burden from end users by creating a unique customer experience with a digital identity trust solution. A solution like this should feature end-to-end tools for detecting account fraud in real time.

Account protection delivered this way is never seen by trusted users. It can accommodate multiple trusted users on a given account profile, cut down on or remove password requests, span multiple households (if needed) and accept changed devices without registering or de-registering.

In addition, informing policy through risk and trust scoring lets the business mitigate overuse with actions such as upgrades or other offers. Finally, it also helps maintain compliance with studios regarding content usage and protection.

Removing Account Fraud Can Benefit Customers

Achieving a frictionless customer experience for streaming services involves going far beyond simple geolocation and IP address tracking. While such tools/capabilities might work for basic monitoring, the complexities resulting from allowing multiple users and devices on a given account require a solution that involves far more advanced capabilities. Device, environment and behavior all need to be inspected through the prism of behavior known for that account profile, fraud patterns determined from deep research into identity compromise modus operandi across the internet, darknet and consortium data from known fraud events worldwide.

An effective approach needs to assess multiple types of criteria in concert, including device configuration and behavioral biometrics, such as how the user holds the mouse or moves it across the screen. Building a risk profile of known and unknown users allows the authentication process to range anywhere from frictionless and passwordless for low risk sessions to multi-factor authentication challenges for high-risk connection attempts.


An end-to-end, context-based solution gives the streaming company control over account sharing. By adding heuristics, logic and customized policy definition, an organization can tailor a digital identity trust solution to its palate for access, upsell or whatever next step it wishes to take.
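As an added illustration (not IBM's or Trusteer's implementation), the Python below shows one way device, environment and behavior signals could feed a risk score, with a policy that separates the security decision (frictionless, MFA, block) from the business decision (upgrade offer for overuse by trusted users). The signal names, weights and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class AccountProfile:
    known_devices: set
    known_households: set        # coarse network/location identifiers
    household_limit: int = 1     # households the plan allows
    stream_limit: int = 2        # simultaneous streams the plan allows

@dataclass
class Session:
    device_id: str
    household: str
    active_streams: int          # including this one
    behavior_match: float        # 0.0-1.0 similarity to behavior known for the profile
    on_fraud_feed: bool = False  # device/IP present in consortium fraud data

# Constructed weights and thresholds (assumptions); tune on real data.
WEIGHTS = {"new_device": 25, "new_household": 20, "behavior": 40, "fraud_feed": 60}
MFA_THRESHOLD, BLOCK_THRESHOLD = 40, 80

def risk_score(profile, s):
    score = 0
    if s.device_id not in profile.known_devices:
        score += WEIGHTS["new_device"]
    if s.household not in profile.known_households:
        score += WEIGHTS["new_household"]
    score += round(WEIGHTS["behavior"] * (1.0 - s.behavior_match))
    if s.on_fraud_feed:
        score += WEIGHTS["fraud_feed"]
    return min(score, 100)

def decide(profile, s):
    score = risk_score(profile, s)
    if score >= BLOCK_THRESHOLD:
        return score, "block"
    if score >= MFA_THRESHOLD:
        return score, "mfa_challenge"
    # Low risk means a trusted user; overuse is handled as an offer, not a lockout.
    households = profile.known_households | {s.household}
    if s.active_streams > profile.stream_limit or len(households) > profile.household_limit:
        return score, "allow_with_upgrade_offer"
    return score, "allow_frictionless"

if __name__ == "__main__":
    profile = AccountProfile({"tv-1", "phone-1"}, {"home"})  # constructed sample data
    for s in (Session("tv-1", "home", 1, 1.0), Session("phone-1", "dorm", 3, 0.9),
              Session("pc-9", "cafe", 1, 0.5), Session("bot-7", "vpn", 1, 0.2, True)):
        print(s.device_id, decide(profile, s))
```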

Imagine legitimate users entering their streaming services account from any device, location or household — even without a password — and finding a custom, welcoming experience, all while darknet users are kept out.
