Password sharers, please take note

Beneath the surface of the internet lies a shady online world where people traffic in stolen or on-sold login details to popular online content services. 

But a growing industry is fighting back and the efforts to crackdown on the practice will make sharing your password with your mates a lot more difficult.

Companies like the UK-based Synamedia have developed a suite of AI-powered tools to help video streaming services monitor and map the login activity of customers to crack down on any funny business.

If they have one message, it’s that your password-sharing days are numbered.

“Really what we do, the core business is about secure distribution of premium content,” the company’s CEO Yves Padrines told news.com.au.

It started with preventing piracy with digital pay TV in the ’90s but in the era of cord cutting, the company has moved to become a gun for hire to help internet-delivered content providers stop rampant password sharing.

“You can collect data on the whole journey. On the device, on usage, on how people browse the application, the content that people watch. And then you can start processing this data and identify patterns that you can then use,” Mr Padrines explained.

The data can be used to improve the product or service but also “to detect fraud and piracy”.

When it comes to fraud there is a scale that ranges from casual sharing to organised enterprises where people are deriving revenue by selling heavily discounted login credentials online.

Casual password sharing, like letting your mum watch The Crown on your Netflix account isn’t the major concern of most providers. “But of course if millions of people are doing that it does impact the service provider,” Mr Padrines said.

When hired by a company, Synamedia takes about three months to build a baseline understanding of its user base before it can start to sniff out problem accounts with the help of machine learning software.

A few months ago it announced a new service it has developed called Credentials Sharing Insight to pick up on unusual or extreme patterns of password sharing, which quickly garnered plenty of online attention.

The company pitches it as a way for service providers to “turn casual password sharing into incremental revenue”.

“It picked up a lot of interest, so obviously there is something there,” Mr Padrines said.

A BLACK MARKET OF PASSWORDS

Netflix is not a client of Synamedia and is said to be grappling with this problem internally. While CEO Reed Hastings has publicly said he doesn’t mind people sharing Netflix, surveys suggest as many as half its users share accounts with a secondary household. Research in the US suggests that number is even higher for other services such as sports streaming platforms.

Of course this sort of thing has been going on for years but it’s the underground business of selling account details for profit that is increasingly the target of content providers looking to crackdown.

On online forums, gaming chatrooms and social media sites like reddit and 4Chan people post offers to sell Netflix accounts for as little as $1.50.

In 2016, cyber security firm Symantec published research about e-mail phishing scams designed to steal Netflix login details so an attacker could piggyback on a user’s subscription without their knowledge. This sort of thing feeds into a thriving underground economy for cheap login details, the company found.

In December 2017, prominent cyber security analyst Brian Krebs wrote that business was booming for online criminals who use botnets (collections of hacked PCs) powered by malware to sniff out people’s passwords.

“It has never been easier for a botmaster to earn a handsome living based solely on the sale of stolen usernames and passwords alone,” he wrote, referring to a whole range of private and entertainment sites.

‘MECHANISMS WILL BE ATTACKED ONE WAY OR ANOTHER’

Despite controls typically placed on streaming accounts to limit the number of users at a time, dedicated fraudsters will look for ways around them, according to Mr Padrines.

“The whole geo-blocking, concurrency sessions so you can’t watch more than two streams at a time, the geographic limitation of watching content, all of these mechanisms will be attacked one way or another,” he said.

A premium subscription to Netflix allows for four concurrent streams at any given time but if sold to people in different time zones they can theoretically be reliably sold to more people. Other services like Spotify, for example, offer family accounts for six users and have no geo restrictions.

“If you buy 10 accounts and sell each login to 10 different people around the world, you can make a lot of money,” a Synamedia executive said.

The company was exhibiting at Mobile World Congress last week and showed news.com.au a visual example of how it detected one set of credentials being used at more than 20 residential locations spread across a broad geographic location. Given that these weren’t mobile device log-ins, this user was flagged as highly suspicious.

Synamedia helps companies shore up the security of their platform and, if needed, improve the encryption of its content. It then looks to analyse customer behaviour.

“There are a number of things that we look at but it starts with where you are consuming content, what kind of content you are watching and out of this analysis you can identify the probability that you are sharing your password,” Mr Padrines said.

From there, the company segments the user base according to their risk profile based on a score of how likely each user is to share their login credentials.

For a long time, executives at streaming companies didn’t seem too bothered by modest password sharing. Perhaps because they were more interested in getting eyeballs on their product by any means and saw it as an easy way to market to new users, but also because it was almost impossible to stop. But that is beginning to change.

“There is definitely a demand today to understand the magnitude of the problem,” Mr Padrines said.

According to him, the company is often hired to help a provider gain some insight into the scale of the behaviour on their service.

“There are countries where there are more illegal users of content than people legitimately paying for the content,” Mr Padrines said.

“We want to make sure the sharing doesn’t get out of control.”