Streaming services: it’s time for Two-Factor Authentication

Scams, fraud, bots and theft: the ugly side of streaming provides a stark contrast to that beautiful feeling of having the world’s recorded music at your fingertips.

What is Two-Factor Authentication (2FA)

You are already using 2FA. Certain accounts, like Google, Facebook, or Apple, require multiple forms of authentication in order to sign in from a new device. This often works by verifying it’s you from another device, or by entering a code sent to your phone number, email address, or generated in an authenticator app.

It adds a layer of security to accounts that makes it hard to get in with just the username and password.

Why don’t streaming services use 2FA?

Popular streaming services like Spotify and Netflix famously don’t use 2FA, although the latter has recently started running tests with it, presumably to tackle account sharing. The reason for not implementing 2FA? Likely because it doesn’t help growth and in fact may hamper conversion rates.

Jorge Castro on developer community dev.to sums it up well through this fictional conversation:

  • Developers: We want to implement 2FA in our platform.
  • Netflix executives: Ok, and how much will it cost us?
  • Developers: Around two months.
  • Netflix executives: Ok, and it will increase the number of viewers?
  • Developers: Well, not really. It is about security.
  • Netflix executives: So, it will not increase the number of viewers but it could be a burden for some customers and it could decrease the number of viewers.
  • Developers: Yes, but it could be optional.
  • Netflix executives: So, optional: an option that plays against the number of viewers and will cost us time (and money). Sorry but no.
  • Developers: But the security.
  • Netflix executives: We already invested in our security. If our customers have trouble then we could reset their password. It’s their responsibility, not ours.

However, building in a little more friction could be beneficial to all… and tackle certain types of fraud more efficiently than a switch to user-centric streaming payments might.

Black market for streaming service accounts

For years, there has been a thriving market for streaming service accounts, with Spotify accounts selling for under a dollar. Many though not all of these are hacked. It’s so common that people commenting on their hackers’ music tastes has become somewhat of a meme and a quick search on Twitter pulls up countless examples.

Vietnamese blogs speculate that black market accounts are what led to Spotify and Netflix halting their free trial offers in the country last year.

This is not an issue that is exclusive to Spotify and Netflix, but there’s a high availability of examples since they are two of the most popular entertainment services without 2FA.

Fake plays, scams, and fraud

Just like it’s possible to buy ‘fake followers’ on social media, it’s possible to buy fake plays for streaming services. Jacking up the numbers can help to game the recommendation algorithm and build fake legitimacy for those looking closely at big numbers (but perhaps not closely enough).

Who cares if that is what someone wants to do? Well, everyone should, because it eats away at the pool of money distributed to all artists. Hackers have been gaming this system openly since at least 2013 in order to generate revenue.

An article by William Bedell from 2015 explains how he was able to do the same. At the time, not only did Spotify not use 2FA:

“There wasn’t even a CAPTCHA or email verification when creating accounts.”

Image by William Bedell.

The lack of better security leads to these types of fraud having to be traced & fixed retroactively, which often leads to streaming services taking music with fake plays down. That sounds good, but there are two issues: 1) we don’t know what percentage of fraud goes undetected, and 2) this opens up an attack vector (want your competitor’s music taken down? Just boost it with fake streams).

Audius (primer article), a new streaming platform and protocol that awards people tokens (called $AUDIO) based on their participation, is also running into this issue. Bots are used on the platform to game the system and get music into the charts. This messes with the platform’s weekly reward system, as WeirdCityRecords on Reddit points out:

“Curators have been robbed by bot users almost every week since the rewards inception (not only in terms of $audio but engagement being buried below bots), and now with a song being clearly botted to #1, it seems like this week 1 artist or possibly more will be deprived as well.”

The track accused of being ‘botted’ to the top outperforms the #2 by over 14 times, despite the artist and account being new to the platform and seemingly not having a significant presence on other music platforms.

Two-factor authentication would make it a lot harder to create loads of accounts like in the examples above, especially if you limit to 1 account per phone number.

Report fraud

Recently, I became familiar with another scam. Unfortunately that was due to falling victim to it on Spotify, though it may also exist on other platforms.

Botnets get employed to report people’s playlists for inappropriate content. This results in the playlist title and description being taken down. Bada-bing bada-boom: it is now easier to be the #1 search result for those same terms on Spotify.

As soon as I reported the erroneous report to Spotify and had them restore the playlist title and description, the botnet took it down again. This repeated half a dozen times over 2 weeks with my playlist existing without a title or description for the majority of the time.

I’m not alone in this and have found various playlists that also seem to be suffering from this issue (click here for an example if you’re curious about Romanian Manele music and here for GTA’s excellent soundtrack). This thread in Spotify’s support forums has other users reporting the issue.

The attack seems to have ended, but I almost gave up restoring my playlist every time it got taken down (I did consider writing a script that would auto-reply to Spotify’s takedown emails, though).

Since playlists are user-generated content, Spotify needs some type of system to deal with reports and make sure content that goes against the terms & conditions is taken down. After the 5th time my playlist got taken down and I asked if they could protect my playlist from the next auto-takedown, I got this answer:

“All user-created content can be reported, and while it may be possible that a report is invalid, all such reports need to go through our official report channel so we can handle them properly.”

So that’s a no. This means that anyone building playlists on Spotify with an unverified account can fall victim to this. Sure, the reporting account may get banned, but if it’s a botnet targeting you that doesn’t matter. That’s problematic, because unlike my hobbyist playlist with 100 followers, there are curation brands and artists with playlists that depend heavily on Spotify. They’re all exposed to this type of attack that seems to rely on either hacked accounts or easily-created free accounts.

Investment without security

People around the world are putting hours of effort into their streaming accounts: building playlists, followings, brands and in some cases companies using their presence. They’re exposed to insecurity.

Even accounts on platforms with better security get hacked, e.g. to misuse the trust someone has built up and run a cryptocurrency scam on followers (as fellow music-tech writer Cherie Hu recently became a victim of on Twitter, which besides Audius and the report fraud above was my third prompt for writing this piece).

Even if a streaming service can reinstate an account after a hack: the hack can damage your brand, e.g. if the hacker changes playlist titles and imagery to something offensive or scams, or just makes it impossible for you to keep running your playlist brand due to repeated reporting. If you enjoy services’ algorithmic recommendations, a hacker’s temporary account takeover can mess that up for you also.

Two-factor authentication is a basic standard for security. Maybe it’s time for streaming services to give it some priority and prevent fraud, scams, and theft.

Music’s TV opportunity: connected TVs and advertising revenues

TV is having a breakout moment, or perhaps we should call it a revival. For years, traditional TV, delivered via cable or satellite, has mostly seen its subscriber numbers dropping. This is mainly an issue in North America, followed by Europe and Latin America, while Asia and Africa still see growth in this department. However, TV is making a comeback over the internet, mainly through connected, or smart, TVs. When you buy a new TV from Samsung, LG, Philips, etc. you get access to a whole line-up of TV channels for free, but supported by ads. Data shows that viewing via these channels is growing fast and that streaming video now mainly takes place via connected TV devices.

For now, it’s the usual suspects of news, sports, and classic shows that attract people to watch those ads and pay with their eyeballs (and data). Now, music is primed to take a chunk out of this new revenue pie.

It’s Vevo time

Looking at what makes for popular viewing on what’s called FAST (free ad-supported streaming television) services shows that it’s mostly a lean-back experience. It seems to be the kind of TV people put on in the background as opposed to sitting down and watching their favourite show on Netflix, Disney+, Amazon Prime, etc. Music’s somewhat problematic playlist culture offers a way to tap into that market, as it’s very well suited to a lean-back experience. As such, there’s been a rush to release music-related channels on FAST services. From jazz to EDM and from karaoke to audio, the most obvious candidate to benefit from the lean-back viewing experience is perhaps Vevo. First, they partnered with interactive music video TV channel Xite, and they’ve recently pushed into the world of FASTs, launching on various services. Of course, Vevo was founded by major labels, helping it get access to both content and the artists who create it.

Reach and advertising

Since people who tune into a channel on a FAST service watch ads, it’s important to maximize the time they spend on your channel. A lean-back listening experience is great for this, because it allows people to tune in, do something else and have the TV on in the background. Of course, music will never beat the reach of sports, but it’s got something else. In the words of Bill Durrant, quoted in a recent DigiDay article:

“We are an industry that seeks out consolidation because it makes our lives easier and reaching a large number of people easier. But when we’re not doing that, we need [media companies] that aren’t microscopically small and still reach people around a specific passion point in consumers’ minds. That’s still relevant in driving involvement and consideration for brands.”

That’s where music comes in. A company like Vevo is not small and there’s hardly a better passion point than music. Moreover, a lot of brands are already familiar with putting their money against musicians and artists (I know you’re thinking of Travis Scott right now).

The music video format is also suited for advertising breaks with the added bonus for advertisers of utilising their brand partnership to combine their ad-buy with a deeper connection and product placement.

The future is on TV

Even YouTube shows that viewers are migrating from mobile to the TV, with the added bonus that on TV those viewers watch around twice as long as on mobile. Furthermore, eMarketer is expecting ad spending on connected TVs to grow by 52.9% in 2021. So while many of us will focus on TikTok, Snapchat, and other social media, there’s a strong argument that a large part of what will happen for music in the near future will happen on the big screen. Various services, from TV makers’ owned and operated platforms to, for example, PlutoTV, are drawing viewers into their TV screens again. Brands will always be attracted to music and the dedicated audiences that come with it. Equally interesting are the laid-back listeners who are willing to engage their eyes and ears with advertising while they enjoy a music video.