In today’s world, we know it’s not uncommon to share a password for a Netflix account or use that same password across other OTT Services like Hulu or Amazon Prime Video. After all, it’s important to save time and effort to get a head start on binge-watching, right?

While there is an illusion of benefits to keeping a uniformity of passwords across users and services, there are growing security risks in doing so, as we’ve seen with frequent breaches of other high-risk platforms such as financial services. With the boom in streaming video, OTT services are quickly becoming troves for private information, including credit card data, personally identifiable information, and insights into personal interests, all of which can be sold to nefarious actors in underground marketplaces. Fraudsters can easily monetize OTT content that they are able to take over, selling access in criminal marketplaces.

Specifically, hackers are capitalizing on credential stuffing attacks in which they tap automated tools to use stolen login information and gain access to accounts. These types of attacks, which often follow large breaches in which credentials are exposed, are on the rise. A recent Akamai report recorded nearly 30 billion credential stuffing attacks in 2018. In fact, the media industry is one of the most-targeted industries, the report found.

So how can both consumers and service providers fight back? Certainly, unique passwords go a long way, but the services themselves can help by targeting automation, learning to detect bots, and using low-friction authentication solutions beyond just passwords.

Using Unique Passwords

When we talk about platforms like online banking, the importance of setting unique passwords and taking precautions around security is more prioritized. After all, protecting the information in these platforms is crucial.

However, when it comes to entertainment-based offerings, security precautions often come as an afterthought. From a consumer’s perspective, keeping a Netflix account secure might not seem like that big a deal, but the fact is that the information included in account profiles can be just as attractive to a fraudster as financial account data.

In many ways, this is an awareness problem. Users need to be informed about the risks of credential stuffing attacks and the threats they face. This education can come from a number of sources, but OTT services should take the lead. Brands need to better emphasize the importance of creating unique and strong passwords. While doing so may be a tedious task, education is half of the battle in keeping online information secure.

Targeting Automation and Bots

A vast majority of the 30 billion credential stuffing attacks recorded in 2018 were performed by botnets or all-in-one (AIO) applications. These botnets can be programmed to target accounts that are considered vulnerable in coordinated account takeover (ATO) attacks, and AIO applications allow hackers to automate this process.

In the case of ATO and AIO scripts, using password managers and relying on multi-factor authentication, where users are granted access only after confirming their identity across at least two platforms (like via text message or a token generated by a third-party authenticator) is an important way to reduce risks. While signing in with multi-factor authentication is cumbersome, without access to the second form factor criminals can often be stopped dead in their tracks. Multi-factor authentication does not provide perfect protection, but it provides a significant increase to the level of effort required for an attacker to compromise an account.

Outside of multi-factor authentication, perhaps the most important step to mitigating AIO-based ATOs is being able to distinguish bot activity from human activity. Bots, in general, are a growing problem for all organizations conducting business online. For credential stuffing specifically, bots can be even more difficult to identify, thereby requiring advanced detection technologies.

To confirm human use of a web browser, platforms can integrate Javascript micro-challenges, which create tasks that verify that the device trying to authenticate is capable of performing functions that a real browser could do. Device fingerprinting can also help identify bots by analyzing the device to verify that it appears to be a legitimate browser rather than a bot. This approach takes into account a number of device attributes like the web browser in use, plugins, and even screen size to then block a device that is determined to be compromised by a bot.

Finally, other biometric behavior-based detection systems are available that can assist in identifying bots that try to emulate both a web browser and human user. For example, the movement of a mouse or clicking patterns can help tell the difference between a bot and a human.

Thinking Ahead to Low-Friction Solutions

Since the root of this issue is a password problem, the industry can and should explore ways to confirm a person’s identity without passwords.

We already see early elements of this, such as smartphones or apps that unlock using facial recognition technology. Although most of these solutions are still technically connected with some sort of base password, it’s a hint at what the industry could migrate to as technology improves and platforms are able to confirm a person’s identity in new, more efficient, and more secure ways.

Regardless of the technology, the key here is offering low-friction solutions that make an easier, quicker and all-around better user experience. The main reason many people dislike multi-factor authentication or creating unique passwords is that it takes additional effort (not to mention a really great memory). We, as users, want our data to remain safe, but we don’t want to be inconvenienced in the process. Having the best of both worlds is important and it’s where the industry is headed.

Keeping Streaming Safe

Keeping customer data safe is a high priority across the entire digital landscape and this is no different for OTT services. As the industry continues to grow and more people sign up for these services, the security risks will rise.

In an age where user experience means everything, security and privacy now fall under this category, and a brand that fails to successfully prioritize this can take a major hit to its reputation. Conversely, those that invest in the right solutions now will gain a crucial edge in the competitive streaming wars.