Streaming services: it’s time for Two-Factor Authentication

Scams, fraud, bots and theft: the ugly side of streaming provides a stark contrast to that beautiful feeling of having the world’s recorded music at your fingertips.

What is Two-Factor Authentication (2FA)

You are already using 2FA. Certain accounts, like Google, Facebook, or Apple, require multiple forms of authentication in order to sign in from a new device. This often works by verifying it’s you from another device, or by entering a code sent to your phone number or email address, or generated in an authenticator app.

It adds a layer of security to accounts that makes it hard to get in with just the username and password.

Why don’t streaming services use 2FA?

Popular streaming services like Spotify and Netflix famously don’t use 2FA, although the latter has recently started running tests with it, presumably to tackle account sharing. The reason for not implementing 2FA? Likely because it doesn’t help growth and in fact may hamper conversion rates.

Jorge Castro on developer community dev.to sums it up well through this fictional conversation:

  • Developers: We want to implement 2FA in our platform.
  • Netflix executives: Ok, and how much will it cost us?
  • Developers: Around two months.
  • Netflix executives: Ok, and it will increase the number of viewers?
  • Developers: Well, not really. It is about security.
  • Netflix executives: So, it will not increase the number of viewers but it could be a burden for some customers and it could decrease the number of viewers.
  • Developers: Yes, but it could be optional.
  • Netflix executives: So optional, an option that it plays against the number of viewers and it will cost us time (and money). Sorry but no.
  • Developers: But the security.
  • Netflix executives: We already invested in our security. If our customers have trouble then we could reset its password. It’s their responsibility, not ours.

However, building in a little more friction could be beneficial to all… and tackle certain types of fraud more efficiently than a switch to user-centric streaming payments might.

Black market for streaming service accounts

For years, there has been a thriving market for streaming service accounts, with Spotify accounts selling for under a dollar. Many, though not all, of these are hacked. It’s so common that people commenting on their hackers’ music tastes has become somewhat of a meme, and a quick search on Twitter pulls up countless examples.

Vietnamese blogs speculate that black market accounts are what led to Spotify and Netflix halting their free trial offers in the country last year.

This is not an issue that is exclusive to Spotify and Netflix, but there’s a high availability of examples since they are two of the most popular entertainment services without 2FA.

Fake plays, scams, and fraud

Just like it’s possible to buy ‘fake followers’ on social media, it’s possible to buy fake plays for streaming services. Jacking up the numbers can help to game the recommendation algorithm and build fake legitimacy for those looking closely at big numbers (but perhaps not closely enough).

Who cares if that is what someone wants to do? Well, everyone should, because it eats away at the pool of money distributed to all artists. Hackers have been gaming this system openly since at least 2013 in order to generate revenue.

An article by William Bedell from 2015 explains how he was able to do the same. At the time, not only did Spotify not use 2FA:

“There wasn’t even a CAPTCHA or email verification when creating accounts.”

Image by William Bedell.

The lack of better security leads to these types of fraud having to be traced & fixed retroactively, which often leads to streaming services taking music with fake plays down. That sounds good, but there are two issues: 1) we don’t know what percentage of fraud goes undetected, and 2) this opens up an attack vector (want your competitor’s music taken down? Just boost it with fake streams).

Audius (primer article), a new streaming platform and protocol that awards people tokens (called $AUDIO) based on their participation, is also running into this issue. Bots are used on the platform to game the system and get music into the charts. This messes with the platform’s weekly reward system, as WeirdCityRecords on Reddit points out:

“Curators have been robbed by bot users almost every week since the rewards inception (not only in terms of $audio but engagement being buried below bots), and now with a song being clearly botted to #1, it seems like this week 1 artist or possibly more will be deprived as well.”

The track accused of being ‘botted’ to the top outperforms the #2 by over 14 times, despite the artist and account being new to the platform and seemingly not having a significant presence on other music platforms.

Two-factor authentication would make it a lot harder to create loads of accounts like in the examples above, especially if you limit to 1 account per phone number.
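
A sketch of the signup gate described above, as an added example rather than any streaming service's code: an account is only created after a one-time code sent to a phone number is verified, and each number can back one account. The class name, the in-memory stores, the simplified number normalisation and the limits are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed values for illustration; a real key would live in a secrets manager.
PHONE_INDEX_KEY = secrets.token_bytes(32)
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 5


def normalise_phone(raw: str) -> str:
    """Collapse formatting variants of one number into one canonical string.
    Simplified: production code parses to E.164 with a phone-number library."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if len(digits) < 8:
        raise ValueError("not a plausible phone number")
    return "+" + digits


def phone_fingerprint(phone: str) -> str:
    """Keyed hash, so the uniqueness index never stores raw phone numbers."""
    canonical = normalise_phone(phone).encode()
    return hmac.new(PHONE_INDEX_KEY, canonical, hashlib.sha256).hexdigest()


class SignupGate:
    """Hypothetical signup flow: verify a phone code, one account per number."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}   # fingerprint -> [code, expires_at, attempts_left]
        self._accounts = {}  # fingerprint -> username

    def request_code(self, phone: str) -> str:
        fp = phone_fingerprint(phone)
        if fp in self._accounts:
            raise PermissionError("phone number already backs an account")
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[fp] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # a real service sends this by SMS and never returns it

    def create_account(self, username: str, phone: str, submitted: str) -> bool:
        fp = phone_fingerprint(phone)
        entry = self._pending.get(fp)
        if entry is None or fp in self._accounts:
            return False
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[fp]  # expired or guessed too often: start over
            return False
        entry[2] -= 1
        # Constant-time comparison avoids leaking how many digits matched.
        if not hmac.compare_digest(code.encode(), submitted.encode()):
            return False
        del self._pending[fp]      # codes are single use
        self._accounts[fp] = username
        return True
```

The expiry and attempt limits matter as much as the uniqueness check: a six-digit code with unlimited guesses offers little resistance to automated signups.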

Report fraud

Recently, I became familiar with another scam. Unfortunately that was due to falling victim to it on Spotify, though it may also exist on other platforms.

Botnets get employed to report people’s playlists for inappropriate content. This results in the playlist title and description being taken down. Bada-bing bada-boom: it is now easier to be the #1 search result for those same terms on Spotify.

As soon as I reported the erroneous report to Spotify and had them restore the playlist title and description, the botnet took it down again. This repeated half a dozen times over 2 weeks with my playlist existing without a title or description for the majority of the time.

I’m not alone in this and have found various playlists that also seem to be suffering from this issue (click here for an example if you’re curious about Romanian Manele music and here for GTA’s excellent soundtrack). This thread in Spotify’s support forums has other users reporting the issue.

The attack seems to have ended, but I almost gave up restoring my playlist every time it got taken down (I did consider writing a script that would auto-reply to Spotify’s takedown emails, though).

Since playlists are user-generated content, Spotify needs some type of system to deal with reports and make sure content that goes against the terms & conditions is taken down. After the 5th time my playlist got taken down and I asked if they could protect my playlist from the next auto-takedown, I got this answer:

“All user-created content can be reported, and while it may be possible that a report is invalid, all such reports need to go through our official report channel so we can handle them properly.”

So that’s a no. This means that anyone building playlists on Spotify with an unverified account can fall victim to this. Sure, the reporting account may get banned, but if it’s a botnet targeting you that doesn’t matter. That’s problematic, because unlike my hobbyist playlist with 100 followers, there are curation brands and artists with playlists that depend heavily on Spotify. They’re all exposed to this type of attack that seems to rely on either hacked accounts or easily-created free accounts.

Investment without security

People around the world are putting hours of effort into their streaming accounts: building playlists, followings, brands and in some cases companies using their presence. They’re exposed to insecurity.

Even accounts on platforms with better security get hacked, e.g. to misuse the trust someone has built up and run a cryptocurrency scam on followers (as fellow music-tech writer Cherie Hu recently became a victim of on Twitter, which besides Audius and the report fraud above was my third prompt for writing this piece).

Even if a streaming service can reinstate an account after a hack, the hack can damage your brand, e.g. if the hacker changes playlist titles and imagery to something offensive or to scams, or just makes it impossible for you to keep running your playlist brand due to repeated reporting. If you enjoy services’ algorithmic recommendations, a hacker’s temporary account takeover can mess that up for you too.

Two-factor authentication is a basic standard for security. Maybe it’s time for streaming services to give it some priority and prevent fraud, scams, and theft.

My Midem wrap-up: Chatbots + marketing Run The Jewels panels

What a week. I spent it at Midem – one of the most well-known music business conferences organised every year in Cannes. Before I’m off to Sonár+D this week, I thought I’d type up a little update.

About 10 months ago, Midem‘s conference manager got in touch with me to see if we could put a panel together. We landed on the topic of chatbots and Messenger apps, because I think the trend signifies an important shift to a new generation of user interfaces (especially considering voice-activated UI, which will quickly be permeating our daily lives).

It was so great to finally be able to have all these people in the same room, and talk about what they’re doing, get their thoughts out, get them discussing with each other. And the line-up was awesome.

Panel: Messaging Apps, Bots, AI & Music: A New Frontier of Fan Engagement

A quick look at the line-up:

  • Ricardo Chamberlain, Digital Marketing Manager, Sony Music Entertainment (USA)
    Runs a very interesting label bot, which includes messages from artists such as Enrique Iglesias. He also worked on the CNCO campaign with Landmrk, which I’m a big fan of.
  • Luke Ferrar, Head of Digital, Polydor (UK)
    Launched the first chatbot with Bastille.
  • Gustavo Goldschmidt, CEO & Co-Founder, SuperPlayer (Brazil)
    Runs Brazil’s biggest streaming service which not only recommends music through a chatbot, but also builds chatbots for artists, which then drives fans to their service when they want to stream something.
  • Syd Lawrence, CEO & Co-Founder, The Bot Platform (UK)
    Launched the Hardwell bot, which is probably the most well-known example of chatbots being used in music.
  • Tim Heineke, Founder, POP (Netherlands)
    Used to run a cool startup named Shuffler.fm which turned blogs into radio stations and became a kind of StumbleUpon for music discovery, and also co-founded FUGA.
  • Nikoo Sadr, Interactive Marketing Manager, The Orchard (UK)
    One of the most brilliant minds in digital marketing, in general. Previously with Music Ally.

WRITE UP:

Messaging, bots, and AI’s music evolution by Music Ally’s Eamon Forde

Run The Jewels’ Marketing Panel

A few weeks ago, I was asked if I could also moderate the RTJ marketing panel — which would have been a no-brainer anyway, but having a personal connection to this made me so excited to do it that I forgot to even introduce myself during the panel.

My first real music business job was with a startup called official.fm. As a student, I listened to a lot of underground and indie hiphop, which made me a big fan of the Definitive Jux label, which put out music by Aesop Rock, Mr. Lif, RJD2, and El-P (also one of the founders). The other founder was Amaechi Uzoigwe, who now manages Run The Jewels. I remember feeling a little starstruck at the time. Now, years later, it was so good to catch up with Amaechi and the inspiring success he’s created for RTJ and himself.

Also on the panel was Zena White, who’s MD of The Other Hand, and does great things for RTJ, Stones Throw, Ghostly, BadBadNotGood, DJ Shadow and more.

WRITE UP:

How Run The Jewels found fame & fortune: by focusing on fans by Music Ally’s Stuart Dredge

When augmented reality converges with AI and the Internet of Things

The confluence of augmented reality, artificial intelligence, and the Internet of Things is rapidly giving rise to a new digital reality.

Remember when people said mobile was going to take over?

Well, we’re there. Some of the biggest brands in our world are totally mobile: Instagram, Snapchat, Uber. 84% (!) of Facebook’s ad revenue now comes from mobile.

And mobile will, sooner or later, be replaced by augmented reality devices, and it will look nothing like Google Glass.

Google Glass
Not the future of augmented reality.

Why some predictions fail

When viewing trends in technology in isolation, it’s inevitable you end up misunderstanding them. What happens is that we freeze time, take a trend and project the trend’s future into a society that looks almost exactly like today’s society.

Past predictions about the future
Almost.

This drains topics of substance and replaces it with hype. It causes smart people to ignore it, while easily excited entrepreneurs jump on the perceived opportunity with little to no understanding of it. Three of these domains right now are blockchain, messaging bots, and virtual reality, although I count myself lucky to know a lot of brilliant people in these areas, too.

What I’m trying to say is: just because it’s hyped, doesn’t mean it doesn’t deserve your attention. Don’t believe the hype, and dig deeper.

The great convergence

In order to understand the significance of a lot of today’s hype-surrounded topics, you have to link them. Artificial intelligence, smart homes & the ‘Internet of Things’, and augmented reality will all click together seamlessly a decade from now.

And that shift is already well underway.

Artificial intelligence

The first time I heard about AI was as a kid in the 90s. The context: video games. I heard that non-playable characters (NPCs) or ‘bots’ would have scripts that learned from my behaviour, so that they’d get better at defeating me. That seemed amazing, but their behaviour remained predictable.

In recent years, there have been big advances in artificial intelligence. This has a lot to do with the availability of large data sets that can be used to train AI. A connected world is a quantified world and data sets are continuously updated. This is useful for training algorithms that are capable of learning.

This is also what has given rise to the whole chatbot explosion right now. Our user interfaces are changing: instead of doing things ourselves, explicitly, AI can be trained to interpret our requests or even predict and anticipate them.

Conversational interfaces sucked 15 years ago. They came with a booklet. You had to memorize all the voice commands. You had to train the interface to get used to your voice… Why not just use a remote control? Or a mouse & keyboard? But in the future, getting things done by tapping on our screens may look as archaic as it would be to do everything from a command-line interface (think MS-DOS).

XKCD Sudo make me a sandwich
There are certain benefits to command-line interfaces… (xkcd)

So, right now we see all the tech giants diving into conversational interfaces (Google Home, Amazon Alexa, Apple Siri, Facebook Messenger, and Microsoft, err… Tay?) and in many cases opening up APIs to let external developers build apps for them. That’s right: chatbots are APPS that live inside or on top of conversational platforms.

So we get new design disciplines: conversational interfaces, and ‘zero UI’ which refers to voice-based interfaces. Besides developing logical conversation structures, integrating AI, and anticipating users’ actions, a lot of design effort also goes into the personality of these interfaces.

But conversational interfaces are awkward, right? It’s one of the things that made people uncomfortable with Google Glass: issuing voice commands in public. Optimists argued it would become normalized, just like talking to a bluetooth headset. Yet currently only 6% of people who use voice assistants ever do so in public… But where we’re going, we won’t need voice commands. At least not as many.

The Internet of Things

There are still a lot of security concerns around littering our lives with smart devices: from vending machines in our offices, to refrigerators in our homes, to self-driving cars… But it seems to be an unstoppable march, with Amazon (Alexa) and Google (Home) intensifying the battle for the living room last year.

Let’s converge with the trend of artificial intelligence and the advances made in that domain. Instead of having the 2016 version of voice-controlled devices in our homes and work environments, these devices’ software will develop to the point where they get a great feeling of context. Through understanding acoustics, they can gain spatial awareness. If that doesn’t do it, they could use WiFi signals like radar to understand what’s going on. Let’s not forget cameras, too.

Your smart device knows what’s in the fridge before you do, what the weather is before you even wake up, it may even see warning signs about your health before you perceive them yourself (smart toilets are real). And it can use really large data sets to help us with decision-making.

And that’s the big thing: our connected devices are always plugged into the digital layer of our reality, even when we’re not interacting with them. While we may think we’re ‘offline’ when not near our laptops, we have started to look at the world through the lens of our digital realities. We’re acutely aware of the fact that we can photograph things and share them to Instagram or Facebook, even if we haven’t used the apps in the last 24 hours. Similarly, we go places without familiarizing ourselves with the layout of the area, because we know we can just open Google Maps any time. We are online, even when we’re offline.

Your connected home will be excellent at anticipating your desires and behaviour. It’s in that context that augmented reality will reach maturity.

Augmented reality

You’ve probably already been using AR. For a thorough take on the trend, go read my piece on how augmented reality is overtaking mobile. Two current examples of popular augmented reality apps: Snapchat and Pokémon Go. The latter is a great example of how you can design a virtual interaction layer for the physical world.

So the context in which you have to imagine augmented reality reaching maturity is a world in which our environments are smart and understand our intentions… in some cases predicting them before we even become aware of them.

Our smart environments will interact with our AR device to pull up HUDs when we most need them. So we won’t have to do awkward voice commands, because a lot of the time, it will already be taken care of.

Examples of HUDs in video games
Head-up displays (HUDs) have long been a staple of video games.

This means we don’t actually have to wear computers on our heads. Meaning that the future of augmented reality can come through contact lenses, rather than headsets.

But who actually wants to bother with that, right? What’s the point if you can already do everything you need right now? Perhaps you’re too young to remember, but that’s exactly what people said about mobile phones years ago. Even without contact lenses, all of these trends are underway now.

Augmented reality is an audiovisual medium, so if you want to prepare, spend some time learning about video game design, conversational interfaces, and get used to sticking your head in front of a camera.

There will be so many opportunities emerging on the way there, from experts on privacy and security (even political movements), to designing the experiences, to new personalities… because AR will have its own PewDiePie.

It’s why I just bought a mic and am figuring out a way to add audiovisual content to the mix of what I produce for MUSIC x TECH x FUTURE. Not to be the next PewDiePie, but to be able to embrace mediums that will extend into trends that will shape our digital landscapes for the next 20 years. More on that soon.

And if you’re reading this and you’re in music, then you’re in luck:
People already use music to augment their reality.

More on augmented reality by me on the Synchtank blog:
Projecting Trends: Augmented Reality is Overcoming its Hurdles to Overtake Mobile.

Use Facebook Messenger to Access Spotify Discover Weekly and Release Radar – in 4 Steps

A bot for Facebook Messenger lets you access your Spotify Release Radar and Discover Weekly playlists from inside Messenger. Since it currently lacks an interface, here are the steps to follow to get new music recommendations delivered to Messenger.

1. Add the bot

You can add the bot by clicking this link.

2. Sign in

Tell it you want to sign in by typing “sign in”. Then log in to Spotify and give the bot the necessary permissions.

3. Play something

You can now choose to play tracks on Spotify or get 30 second previews.

4. Extra commands

Got lost and want to bring back the playlist? Type “current week”. You’ll also be able to tell it “playlist 1 week ago” to get last week’s playlist, but first you’ll need to have been using the bot for a while.


At the time of writing, there are still some bugs to iron out. If you run into any difficulties, you can contact the bot’s maker, Daniel Noshkin, on Twitter or on Product Hunt.

If you ever want to revoke the app’s access, you can find all apps that have access to your Spotify account in your settings.

5 Bots You’ll Love

Since launching its chatbot API last April, Facebook’s Messenger platform has already spawned 11,000 bots. Bots are popular, because they allow brands to offer more personalized service to existing and potential customers. Instead of getting people to install an app or visit your website, they can do so from the comfort of their preferred platform, whether that’s WhatsApp, Messenger, Twitter or something else.

Bots, basically automated scripts with varying levels of complexity, are ushering in a new wave of user experience design. Here are some of my favourite bots.

AutoTLDR – Reddit

AutoTLDR is a bot on Reddit that automatically posts summaries of news articles in comment threads. tl;dr is internet slang for “too long, didn’t read” and is often used at the top or bottom of posts to give a one-line summary or conclusion of a longer text. It uses SMMRY‘s API for shortening long texts.

The key to its success is Reddit’s digital darwinism of upvotes and downvotes. Good summaries by AutoTLDR can usually be found within the top 5 comments. If it summarizes poorly, you’re unlikely to come across its contribution.

Explaining the theory behind AutoTLDR bot.

Subreddit Simulator – Reddit

Subreddits on Reddit center around certain topics or types of content. Subreddit Simulator is a collection of bots that source material from other Reddits and, often quite randomly, create new posts and material based on that. Its most popular post is sourced from the “aww” Subreddit and most likely sourced two different posts to create this:

Rescued a stray cat

Check out other top posts here. Again, the reason why it works well is because of human curation. People closely follow Subreddit Simulator and upvote remarkable outcomes, like the above.

wayback_exe – Twitter

Remember the internet when it had an intro tune? wayback_exe takes you back to the days of dial up and provides your Twitter feed with regular screenshots of retro websites. By now, it’s basically art.

It uses the Internet Archive’s Wayback Machine, which has saved historic snapshots of websites.

pixelsorter – Twitter

If you’re into glitch art, you’ll love pixelsorter. It’s a bot that re-encodes images. You can tweet it an image and get a glitched out version back. Sometimes it talks to other image bots like badpng, cga.graphics, BMPbug, Lowpoly Bot, or Arty Bots. With amazing algorithmic results.

Generative bot – Twitter

Generative Bot is one of those bots that makes you realize: algorithms are able to produce art that trumps 90% of all other art. It uses some quite advanced mathematics to create a new piece every 2 hours. Seeding your Twitter feed with occasional computer-generated bits of inspiration.

Want more inspiration? We previously wrote about DJ Hardwell’s bot.

What are your favourite bots? Ping me on Twitter.