CDSA

How to Fight Streaming Service Fraud While Increasing Customer Loyalty

As streaming services strive to be competitive and customer-friendly by allowing account sharing to a certain number of users and devices, they need to enhance misuse detection far beyond monitoring a limited number of parameters such as IP addresses and device type, according to Diane Benjuya, senior product marketing manager at IBM Security.

Often regarded as “not really stealing anything,” account sharing – beyond what the customer signed off on – is clearly fraud. Meanwhile, account takeover and digital piracy are outright theft.

The numbers “point to a pretty serious problem for the OTT and pay TV business,” Benjuya said Oct. 20 during the online Media & Entertainment Day event, noting it’s estimated that $9.1 billion in revenue was lost from account sharing and data piracy in 2019 and that is expected to soar about 38% to $12.5 billion in 2024.

However, “you can actually do something about it — that’s the good news,” she pointed out during the Content Security breakout session “Account Sharing and Takeover, an Opportunity – from Losses to Loyalty,” adding that “tackling fraud and account sharing can also help out with user loyalty.”

During the session, she and Gregor Frimodt-Møller, CEO of cloud service provider any.cloud, explained how a sophisticated and mature fraud detection and digital identity risk solution protecting 225 million accounts globally is being brought to bear on this growing media and entertainment sector challenge. They also shared the latest dark web research.

There are two types of account sharing: cultural and criminal, according to Benjuya. Most cultural account sharing is casual with no intent to profit from it, such as letting your daughter use your streaming service account, she said. However, that still hurts profit due to lost revenue from potential users, she pointed out.

There is also a “darker side” to cultural account sharing in that “the more an account holder exposes their account password or credentials, the more they increase the risk of malicious engagement,” she explained. For example, your daughter may share your account with her college roommates and one of them may have a device infected with malware, putting your account at risk.

With criminal account sharing, the bigger risk is from pirates who buy large stolen consumer databases via the dark web and use automation to discover penetrable end user accounts, Benjuya said.

IBM researchers are seeing “ample evidence of the four stages of fraud activity, and they’re seeing it especially in the mobile channel,” she said, noting the digital identity fraud “kill chain” includes:

  1. A compromised account
  2. Fraudulent login
  3. Monitoring
  4. Monetisation

Threat actors are using a “modus operandi” in the streaming service arena similar to the one that has been used for years in the financial sector, she said, noting it includes malware, phishing and bots. There is also an “extremely sophisticated” level of phishing being seen that includes “domain squatting,” in which a fake URL is made to look like a real URL, she said.

Also being seen is the “heavy use… of mobile overlays,” which she explained are kind of like a “skin” over malware that hides its true appearance. These include overlays that mimic a real message, such as one from Google, and verification requests that look like they come from legitimate companies, including ones asking people to verify their accounts. Although they look legitimate, they often tend to have several spelling and other mistakes in them, she pointed out.

Fraud investments are increasingly being made by organisations and “the problem isn’t going to go away soon or by itself,” she said. One reason why is that a lot of money is being made on the dark web with stolen data, she noted.

Many organisations say it is “time to clamp down” on account sharing and there are several ways to do that, including managing a device list per account; sending a security notification; offering an upgrade; blocking concurrent logins; and shutting down the account, she said.

Assessing digital identity risk is at the heart of the solution, she said, noting that includes real-time assessment of the fraud risk of every user session, as well as a frictionless experience for low-risk sessions.

There are more than 4.5 billion users online in 2020 and “we are never going to educate everybody” about the issues involved, according to Frimodt-Møller, who noted any.cloud started in 1998 and now has customers in more than 29 countries.

His company’s ideology stresses the importance of customer experience, establishing digital trust and fraud prevention with “no friction to the end consumer at all,” he told viewers, noting account profiling can “elevate” the customer experience.

To accomplish that, his company makes use of the “huge fraudulent activity database” maintained by IBM that includes over 50 billion web hits per month and over 300 TB of data, he noted.

He went on to cite the business use case of the Blockbuster-branded streaming platform, noting his firm has been working with them in Nordic countries and the U.K. to “elevate” the customer experience while deploying any.cloud’s solution to identify non-authorised users, simplify the user experience and garner loyalty and growth. Account takeover and password sharing were the two biggest issues that client had been dealing with, he said.

He urged viewers to “think about having a platform where you can take users and secure the journey for them without installing or disturbing” what they are doing on their devices. Solutions such as the one his company uses provide a “win-win scenario” in which identity risk protection meets a differentiating customer experience. Invisible security is “definitely the way forward,” he said.

M&E Day was sponsored by IBM Security, Microsoft Azure, SHIFT, Akamai, Cartesian, Chesapeake Systems, ContentArmor, Convergent Risks, Deluxe, Digital Nirvana, edgescan, EIDR, PK, Richey May Technology Solutions, STEGA, Synamedia and Signiant and was produced by MESA, in cooperation with NAB Show New York, and in association with the Content Delivery & Security Association (CDSA) and the Hollywood IT Society (HITS).