Over-the-top (OTT) providers take a huge financial hit from password sharing – Netflix and Hulu alone have been estimated to lose almost $4 billion a year from it. Yet despite such significant losses, many providers are reluctant to address the issue. Often, they’re held back by uncertainty over how to identify and block suspicious users without accidentally alienating good customers.
A comprehensive, data-driven solution can identify password violations and recapture revenue without losing subscribers, but implementing it successfully depends on three essential elements. First, the login data must record a physical location and other connection parameters for every login. Second, there must be a means of tracking that data over time and identifying suspicious logins. Third, a customer-friendly communications and outreach programme is needed to act on the insights the data provides.
Here are some useful tips for how you can leverage each element into an effective solution to curb password sharing.
Identifying login locations
The simplest and surest way to identify password sharing is to pinpoint accounts with regular logins from multiple, geographically separate locations. IP geolocation data, which associates a user’s IP address with a physical location, can provide that information for every login.
It’s important to note that not all IP geolocation data is created equal. In most cases, there is no obvious link between an IP address and a physical location. IP addresses can be re-allocated at the discretion of internet service providers, and frequently are. Accurate IP geolocation data, therefore, requires network geography experts to regularly apply their experience and judgment in order to resolve ambiguities. It must also be constantly updated using the most current data from multiple sources.
Beyond being accurate, reliable, and up to date, the most important characteristics of useful IP geolocation data include:
Granularity: The more precisely you can determine a location, the better you can detect password sharing. A single account with logins from different continents is easy to flag, but sharing is just as likely to occur between friends in the same city. Ideally, geolocation attributes will include not only country and state, but also city, DMA, and postal or ZIP code.
Support for IPv6 as well as IPv4: While most addresses still use the older v4 Internet Protocol, use of IPv6 is growing, particularly for mobile devices. You’ll get an incomplete picture without data from both protocols, and it will only get worse in the future.
Ability to detect logins from anonymous proxy servers and VPNs: Proxy and VPN usage masks a user’s actual IP address and allows them to log in anonymously. It may be completely innocent, or a deliberate attempt to utilise someone else’s password. Either way, it’s helpful to identify these logins.
Compliance with consumer privacy regulations and standards: To avoid the possibility of heavy fines and negative publicity, IP geolocation data must comply with privacy regulations such as Europe’s GDPR, and must not comprise personally identifiable information (PII).
Some providers also offer risk insight data that flags suspicious IP addresses and non-human (bot or server) traffic. This kind of intelligence can help identify more serious password threats, such as dictionary attacks, in addition to individual password sharing. It also ensures that geolocation-based initiatives to prevent password sharing are focused on actual humans.
Tracking subscriber login data
Next, providers need to incorporate geolocation information for logins into their user data set. The data structure should accommodate a time-stamped record of every login for each subscriber, as well as the type of connection, including VPN and proxy servers. This record enables the creation of a baseline geo-footprint of normal logins for each user.
The baseline for most users will be a single location, or two nearby locations representing a home and an office, for example. Some users, however, may travel extensively and regularly, logging in from Boston one day, Houston the next, and São Paulo the following week. The file structure must be flexible enough to accommodate the profiles of these frequent travellers.
Any departure from a baseline pattern could indicate password sharing for an account - but it could also just be the result of travel. To more accurately identify actual password sharing, providers should take these additional factors into account:
Velocity checking for logins from multiple locations: A login from a new location eight hours after a baseline location could be the result of legitimate travel; a login that occurs five minutes later from a different state or country is probably not.
Change in type of connection: When a customer who regularly connects via a conventional ISP logs in via a proxy server, it may indicate password sharing.
Logins from suspicious IP addresses: Even a first-time login from an IP address that is associated with risky activity is cause for concern.
As this discussion suggests, developing rules that identify password sharing with a high degree of accuracy is complex. Some IP geolocation data providers also offer consultative services that can help your team gain the benefit of direct experience in using login data to identify suspicious logins effectively and accurately.
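To make the rules above concrete, here is an added example (not code from the article or from any geolocation vendor) that scores a stream of logins for one account against its baseline geo-footprint using the three factors just listed: velocity between consecutive logins, a change in connection type, and a provider risk flag. It assumes an IP geolocation feed has already resolved each login's IP to a city with coordinates, a connection type and a risk flag; the 900 km/h plausible-speed limit, the two-login baseline threshold and all sample logins are constructed assumptions.

```python
# Added example, not from the original article: scoring a stream of logins against an
# account's baseline geo-footprint with the velocity, connection-type and risky-IP rules
# described above. Assumes an IP geolocation feed has already resolved each IP to a
# city with coordinates, a connection type, and a risk flag. All sample data is constructed.
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Login:
    account: str
    ts: datetime
    city: str               # granular geolocation attribute (city-level, per the text)
    lat: float
    lon: float
    connection: str         # "isp", "vpn" or "proxy" as reported by the feed
    risky_ip: bool = False  # provider's risk-insight flag for this address


EARTH_RADIUS_KM = 6371.0
# Assumption: nothing short of a commercial flight beats ~900 km/h, so a faster
# implied speed between two logins means two different people.
MAX_PLAUSIBLE_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def build_baseline(history, min_logins=2):
    """Normal geo-footprint: cities seen at least `min_logins` times, plus the set of
    connection types the account has used. Frequent travellers simply accumulate a
    larger footprint instead of needing a special case."""
    counts = Counter(login.city for login in history)
    cities = {city for city, n in counts.items() if n >= min_logins}
    connections = {login.connection for login in history}
    return cities, connections


def assess(login, history, baseline):
    """Return the list of rules a login trips. An empty list means it looks normal;
    'new_location' alone is plausible travel and should not trigger enforcement."""
    cities, connections = baseline
    reasons = []
    if login.risky_ip:
        reasons.append("risky_ip")
    if login.connection in ("vpn", "proxy") and login.connection not in connections:
        reasons.append("connection_change")
    if login.city not in cities and history:
        prev = max(history, key=lambda l: l.ts)  # most recent earlier login
        hours = (login.ts - prev.ts).total_seconds() / 3600
        distance = haversine_km(prev.lat, prev.lon, login.lat, login.lon)
        if hours <= 0 or distance / hours > MAX_PLAUSIBLE_SPEED_KMH:
            reasons.append("impossible_velocity")
        else:
            reasons.append("new_location")
    return reasons


ENFORCE_ON = {"risky_ip", "connection_change", "impossible_velocity"}


def needs_outreach(reasons):
    """Only the strong signals should start the soft-enforcement messaging."""
    return any(r in ENFORCE_ON for r in reasons)


def evaluate_stream(history, new_logins):
    """Assess new logins in time order. Each login is appended to history afterwards so
    the velocity check always compares against the account's latest observed login."""
    history = list(history)
    results = []
    for login in sorted(new_logins, key=lambda l: l.ts):
        reasons = assess(login, history, build_baseline(history))
        results.append((login.city, reasons, needs_outreach(reasons)))
        history.append(login)
    return results


# Constructed sample: three days of Boston logins over an ordinary ISP, then four new ones.
BOSTON = ("Boston", 42.36, -71.06)
HOUSTON = ("Houston", 29.76, -95.37)
SAO_PAULO = ("Sao Paulo", -23.55, -46.63)
T0 = datetime(2024, 3, 1, 8, 0)


def _login(place, ts, connection="isp", risky_ip=False):
    return Login("sub-001", ts, *place, connection, risky_ip)


HISTORY = [_login(BOSTON, T0 + timedelta(days=d)) for d in range(3)]
LAST = HISTORY[-1].ts
NEW_LOGINS = [
    _login(HOUSTON, LAST + timedelta(hours=8)),                  # plausible trip
    _login(SAO_PAULO, LAST + timedelta(hours=8, minutes=5)),     # 5 min later, ~7,900 km away
    _login(BOSTON, LAST + timedelta(days=1), connection="vpn"),  # never used a VPN before
    _login(BOSTON, LAST + timedelta(days=2), risky_ip=True),     # provider-flagged address
]

if __name__ == "__main__":
    for city, reasons, outreach in evaluate_stream(HISTORY, NEW_LOGINS):
        print(f"{city:10} {reasons} outreach={outreach}")
```

Run as a script, the Houston login is reported as a new location with no outreach, while the São Paulo login five minutes later, the first VPN login and the risk-flagged address each trip a strong rule. In practice the speed threshold and the minimum-login count need tuning against your own subscriber base: mobile carriers and carrier-grade NAT can shift a user's apparent location between logins, so rules this simple should feed the outreach programme rather than block accounts directly.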
Customer-friendly communications and outreach
Since the goal is to limit password sharing while retaining legitimate customers, providers should act on the insights they obtain with the presumption that customers are innocent. No one wants to be accused of wrongdoing, or blocked from seeing a much-anticipated movie, programme or sports event. Conversely, customers are generally supportive of efforts to protect the security of their accounts.
Providers should adopt a “soft enforcement” approach that reaches out to flagged users with friendly messages that engage them and ask for their help, rather than scold or accuse them. Your initial communication might include:
Messaging that assumes legitimate behavior and indicates concern: “We saw you logged in from a new location, and want to ensure that your account has not been compromised”.
A request for verification and a convenient way to provide it: “Please confirm your user ID and password at this link, or by calling our confirmation hotline toll-free at 1-800-XXX-XXXX”.
A comprehensive outreach programme will include calibrated escalations for unanswered requests, while continuing to assume innocent behaviour. For example, a second message might start by noting that “we haven’t heard from you regarding a new login location”, and request a response by a specific day to “ensure the safety and security of your account”.
Continued non-response might result in a notification that the account will be blocked unless the customer verifies their identity to ensure account security. Only a failure to respond to this third request would result in a block on the account, accompanied by a message that “your account has been blocked to ensure your security” and inviting the customer to get in touch to provide verification.
This three-step approach, powered by reliable IP geolocation and risk insight data, enables OTT and streaming media providers to increase revenue by limiting password sharing, with low risk of alienating innocent customers. There is no longer any reason to leave these lost revenues behind.
Written by Jackie Wadhwa, IP geolocation specialist and senior manager for customer success, Neustar