The use of online streaming services was already burgeoning well before most of the world started spending so much time at home. The current explosion in the demand for video and music streaming services is cause for celebration in the industry, but it has a dark side. Account fraud, sharing and takeover, enabled by password sharing and identity theft, is emerging as a serious business threat to over-the-top (OTT) and pay-TV companies.

According to Parks Associates, $9.1 billion was lost in revenues due to account sharing and data piracy in 2019 alone, with a predicted nearly $12.5 billion to be lost by 2024. That makes quite a case for curtailing both.

IBM Security fraud research shows that few, if any, of the major streaming services are spared, with credentials, credit card numbers and proprietary content widely sold on the darknet. Compromised accounts don’t just hurt profits; they also put service providers at risk of being non-compliant with the terms of their agreements with the content owners.

What if streaming services could protect against account sharing and account takeover fraud by creating real-time risk profiles for user accounts and related devices? What if you could also apply those capabilities to differentiate and change your customer experience, building trust, loyalty and growth through highly secure and frictionless viewing?

Let’s first take a closer look at three problems that need to be overcome.

1. Account Fraud is Part of the Culture

Among consumers, and even streaming service providers themselves, there’s major cognitive dissonance around how much of an issue password sharing really is. Parks Associates notes that approximately 39% of millennials share their password and don’t think of it as fraud or theft. Hub Entertainment Research found that 80% of 13- to 24-year-olds say they’ve given out an online TV service password to someone who doesn’t live with them, even though most streaming companies limit sharing to a household.

The same research notes that the older crowd isn’t much better: 29% of consumers aged 35-74 admitted to password sharing. Tolerance in the industry until now has been high because it’s widely recognized that today’s account sharing flexibility helps retain existing accounts and create tomorrow’s customers. 

According to Wired, “Unofficially, the big video streaming services appear to take a fairly relaxed attitude to sharing passwords, though they do restrict how many streams you can run simultaneously on multiple devices. Using these logins at a multitude of addresses might get you into trouble.”

Password sharing accounts for almost 10% of Netflix customers not paying the monthly fee, resulting in over $135 million in missed revenue.

But the problem is much bigger than legitimate users overusing and underpaying for accounts. The simple fact is that once passwords or credentials get shared, control over account access is lost, opening a Pandora’s box to malicious use and content piracy.

2. Account Fraud is Criminal

Money is being made through account sharing — just not legally. Almost every service is a target, even right at launch. Just a week after Disney+ launched in November 2019, thousands of passwords were already being sold or offered for free on the dark web.

Subscribers to one major service complained of discovering strangers in their premium accounts without knowing when the unauthorized use had begun or for how long it had been going on.

3. Account Fraud is Everywhere

IBM fraud researchers proved the existence of this theft. They have been studying the digital fraud landscape and challenging fraudulent behavior in the financial sector for over a decade. IBM teams see the same refined tactics and techniques in the streaming services market as they saw in the banking sector.

IBM Security Trusteer Senior Threat Researcher Tomer Agayev notes, “Wherever there’s a hot market — and video and music streaming are red hot — there’s fraud.”

Agayev described abundant instances of legitimate streaming account subscriptions being sold illicitly, heavily discounted, on the popular, anonymous Telegram channels — for as far out as five years. He noted that darknet vendors shamelessly offer premium streaming accounts alongside credit cards and bank accounts in the same post, a sign that the streaming market is seen as attractive and lucrative.

In the streaming arena, IBM fraud researchers are seeing behavior familiar from digital banking fraud. This includes the use of mobile overlays, such as the recently resurfaced Ginp Trojan overlay, as well as phishing and bot-based credential stuffing. The phishing is high-tech, even using ‘domain squatting’ to make a fake URL look like the real one. Adapting attack tactics to new targets is quite an investment.

IBM streaming services clients have shared their own sightings, reinforcing these findings:

  • Fraud is getting more refined; it’s difficult to keep up.
  • It’s hard to know which users and devices are trustworthy.
  • Fraud protection solutions are piecemeal.
  • Going soft on account sharing helps the service provider compete.

But change is upon us.

Industry Targets Account Fraud

A shift is underway, driven by lower tolerance among industry stakeholders to the revenue loss and potential content abuse. Cable industry executives are warning that a crackdown on password sharing is inevitable, as “streaming providers that welcome extra viewers today may lament the lost revenue those subscribers don’t bring to the table tomorrow.”

“Pricing and lack of security continue to be the main problems contributing to the challenges of paid video growth,” Charter CEO Thomas Rutledge tells Wall Street analysts.

The International Broadcasting Convention, too, is beseeching the industry to safeguard content distribution: “With more media companies shifting to OTT and IP-led services … it [is] more essential than ever to protect content from illegal use and avoid revenue loss … on its journey into the homes of legitimate customers without degrading the levels of service.”

In short, it is incumbent upon a streaming business to protect against and prevent account fraud and takeover by spotting unauthorized users and thieves. Merging fraud detection with mechanisms for digital identity trust empowers the streaming service to not just prevent account fraud, but also elevate levels of service — a win-win for both the user and the service provider.

How to Use a Comprehensive Trust Service

So, what’s to be done? The streaming sites can lift the burden from end users by creating a unique customer experience with a digital identity trust solution. A solution like this should feature end-to-end tools for detecting account fraud in real time.

Account protection delivered this way is never seen by trusted users. It supports multiple trusted users on a given account profile, cuts down on or removes password requests, spans multiple households (if needed) and accepts changed devices without registering or de-registering.

In addition, informing policy through risk and trust scoring lets the business mitigate overuse with actions such as upgrades or other offers. Finally, it also helps maintain compliance with studios regarding content usage and protection.

Removing Account Fraud Can Benefit Customers

Achieving a frictionless customer experience for streaming services involves going far beyond simple geolocation and IP address tracking. While such tools/capabilities might work for basic monitoring, the complexities resulting from allowing multiple users and devices on a given account require a solution that involves far more advanced capabilities. Device, environment and behavior all need to be inspected through the prism of behavior known for that account profile, fraud patterns determined from deep research into identity compromise modus operandi across the internet, darknet and consortium data from known fraud events worldwide.

An effective approach needs to assess multiple types of criteria in concert, including device configuration and behavioral biometrics, such as how the user holds the mouse or moves it across the screen. Building a risk profile of known and unknown users allows the authentication process to range anywhere from frictionless and passwordless for low risk sessions to multi-factor authentication challenges for high-risk connection attempts.
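The graded authentication described above, sketched as an added example (not code from the article or from any IBM product). The signal names, weights, thresholds and sample sessions are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Weights and thresholds are illustrative assumptions, not values from the
# article or from any product. Scores are capped at 100.
WEIGHTS = {"new_device": 30, "new_network": 15, "impossible_travel": 35,
           "excess_streams": 20, "behavior_mismatch": 25}
PASSWORD_AT, MFA_AT = 30, 60

@dataclass
class Profile:            # what is already known about the account
    devices: set
    networks: set
    max_streams: int
    pointer_speed: float  # baseline mouse speed in px/s (toy behavioral biometric)

@dataclass
class Session:            # one connection attempt
    device: str
    network: str
    streams: int          # concurrent streams including this one
    km_moved: float       # distance from the previous login
    hours_gap: float      # time since the previous login
    pointer_speed: float

def signals(p, s):
    """Return the names of the risk signals this session raises."""
    found = []
    if s.device not in p.devices:
        found.append("new_device")
    if s.network not in p.networks:
        found.append("new_network")
    if s.km_moved / max(s.hours_gap, 0.01) > 900:   # faster than an airliner
        found.append("impossible_travel")
    if s.streams > p.max_streams:
        found.append("excess_streams")
    if abs(s.pointer_speed - p.pointer_speed) / p.pointer_speed > 0.5:
        found.append("behavior_mismatch")
    return found

def decide(p, s):
    """Map the combined score to an authentication requirement."""
    found = signals(p, s)
    score = min(100, sum(WEIGHTS[name] for name in found))
    action = ("mfa_challenge" if score >= MFA_AT
              else "password" if score >= PASSWORD_AT else "passwordless")
    return action, score, found

# Constructed sample data: one household profile and three connection attempts.
HOME = Profile({"tv-livingroom", "phone-anna"}, {"home-isp"}, 2, 400.0)
USUAL = Session("tv-livingroom", "home-isp", 1, 0, 5, 420.0)
NEW_TABLET = Session("tablet-new", "home-isp", 2, 0, 3, 390.0)
STRANGER = Session("pc-unknown", "vpn-exit", 3, 8000, 1, 1200.0)
```

Calling `decide(HOME, session)` for each sample shows the range: the usual device passes without a password, a new tablet on the home network is asked for one, and the session that trips every signal gets an MFA challenge.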

An end-to-end, context-based solution gives the streaming company control over account sharing. By adding heuristics, logic and customized policy definition, an organization can tailor a digital identity trust solution to its palate for access, upsell or whatever next step it wishes to take.

Imagine legitimate users entering their streaming services account from any device, location or household — even without a password — and finding a custom, welcoming experience, all while darknet users are kept out.
