Streaming services: it’s time for Two-Factor Authentication

Scams, fraud, bots and theft: the ugly side of streaming provides a stark contrast to that beautiful feeling of having the world’s recorded music at your fingertips.

What is Two-Factor Authentication (2FA)?

You are already using 2FA. Certain accounts, like Google, Facebook, or Apple, require multiple forms of authentication in order to sign in from a new device. This often works by verifying it’s you from another device, or by entering a code sent to your phone number, email address, or generated in an authenticator app.

It adds a layer of security to accounts that makes it hard to get in with just the username and password.

Why don’t streaming services use 2FA?

Popular streaming services like Spotify and Netflix famously don’t use 2FA, although the latter has recently started running tests with it, presumably to tackle account sharing. The reason for not implementing 2FA? Likely because it doesn’t help growth and in fact may hamper conversion rates.

Jorge Castro on developer community dev.to sums it up well through this fictional conversation:

  • Developers: We want to implement 2FA in our platform.
  • Netflix executives: Ok, and how much will it cost us?
  • Developers: Around two months.
  • Netflix executives: Ok, and it will increase the number of viewers?
  • Developers: Well, not really. It is about security.
  • Netflix executives: So, it will not increase the number of viewers but it could be a burden for some customers and it could decrease the number of viewers.
  • Developers: Yes, but it could be optional.
  • Netflix executives: So optional, an option that plays against the number of viewers and it will cost us time (and money). Sorry but no.
  • Developers: But the security.
  • Netflix executives: We already invested in our security. If our customers have trouble then we could reset their password. It’s their responsibility, not ours.

However, building in a little more friction could be beneficial to all… and tackle certain types of fraud more efficiently than a switch to user-centric streaming payments might.

Black market for streaming service accounts

For years, there has been a thriving market for streaming service accounts, with Spotify accounts selling for under a dollar. Many though not all of these are hacked. It’s so common that people commenting on their hackers’ music tastes has become somewhat of a meme and a quick search on Twitter pulls up countless examples.

Vietnamese blogs speculate that black market accounts are what led to Spotify and Netflix halting their free trial offers in the country last year.

This is not an issue that is exclusive to Spotify and Netflix, but there’s a high availability of examples since they are two of the most popular entertainment services without 2FA.

Fake plays, scams, and fraud

Just like it’s possible to buy ‘fake followers’ on social media, it’s possible to buy fake plays for streaming services. Jacking up the numbers can help to game the recommendation algorithm and build fake legitimacy for those looking closely at big numbers (but perhaps not closely enough).

Who cares if that is what someone wants to do? Well, everyone should, because it eats away at the pool of money distributed to all artists. Hackers have been gaming this system openly since at least 2013 in order to generate revenue.

An article by William Bedell from 2015 explains how he was able to do the same. At the time, not only did Spotify not use 2FA:

“There wasn’t even a CAPTCHA or email verification when creating accounts.”

Image by William Bedell.

Because accounts are so weakly protected, these types of fraud have to be traced and fixed retroactively, which often leads to streaming services taking music with fake plays down. That sounds good, but there are two issues: 1) we don’t know what percentage of fraud goes undetected, and 2) this opens up an attack vector (want your competitor’s music taken down? Just boost it with fake streams).

Audius (primer article), a new streaming platform and protocol that awards people tokens (called $AUDIO) based on their participation, is also running into this issue. Bots are used on the platform to game the system and get music into the charts. This messes with the platform’s weekly reward system, as WeirdCityRecords on Reddit points out:

“Curators have been robbed by bot users almost every week since the rewards inception (not only in terms of $audio but engagement being buried below bots), and now with a song being clearly botted to #1, it seems like this week 1 artist or possibly more will be deprived as well.”

The track accused of being ‘botted’ to the top outperforms the #2 by over 14 times, despite the artist and account being new to the platform and seemingly not having a significant presence on other music platforms.

Two-factor authentication would make it a lot harder to create loads of accounts like in the examples above, especially if accounts are limited to one per phone number.

Report fraud

Recently, I became familiar with another scam. Unfortunately that was due to falling victim to it on Spotify, though it may also exist on other platforms.

Botnets get employed to report people’s playlists for inappropriate content. This results in the playlist title and description being taken down. Bada-bing bada-boom: it is now easier to be the #1 search result for those same terms on Spotify.

As soon as I reported the erroneous report to Spotify and had them restore the playlist title and description, the botnet took it down again. This repeated half a dozen times over 2 weeks with my playlist existing without a title or description for the majority of the time.

I’m not alone in this and have found various playlists that also seem to be suffering from this issue (click here for an example if you’re curious about Romanian Manele music and here for GTA’s excellent soundtrack). This thread in Spotify’s support forums has other users reporting the issue.

The attack seems to have ended, but I almost gave up restoring my playlist every time it got taken down (I did consider writing a script that would auto-reply to Spotify’s takedown emails, though).

Since playlists are user-generated content, Spotify needs some type of system to deal with reports and make sure content that goes against the terms & conditions is taken down. After the 5th time my playlist got taken down and I asked if they could protect my playlist from the next auto-takedown, I got this answer:

“All user-created content can be reported, and while it may be possible that a report is invalid, all such reports need to go through our official report channel so we can handle them properly.”

So that’s a no. This means that anyone building playlists on Spotify with an unverified account can fall victim to this. Sure, the reporting account may get banned, but if it’s a botnet targeting you that doesn’t matter. That’s problematic, because unlike my hobbyist playlist with 100 followers, there are curation brands and artists with playlists that depend heavily on Spotify. They’re all exposed to this type of attack that seems to rely on either hacked accounts or easily-created free accounts.
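As an added example (my own sketch, not Spotify's reporting system or anything it has published): the brigading pattern described in this section, a burst of reports against one playlist from accounts that are all fresh and unverified, is detectable before any automatic takedown fires. The block below weights each report by the reporting account's age and verification status, flags bursts of distinct reporters inside a short window, and holds the content for human review when a burst comes almost entirely from fresh accounts. The `Report` fields, thresholds and sample reports are all constructed for the example.

```python
"""Added example: triage of content reports so that a burst of reports from fresh,
unverified accounts (the botnet pattern described above) is held for human review
instead of triggering an automatic takedown."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Report:
    reporter_id: str
    target_id: str              # the reported playlist (constructed id)
    reported_at: datetime
    reporter_created_at: datetime
    reporter_verified: bool     # reporter completed phone/2FA verification (assumed field)


MIN_ACCOUNT_AGE = timedelta(days=7)      # assumed policy values, not any platform's
BURST_WINDOW = timedelta(hours=1)
BURST_REPORTERS = 5
AUTO_ACTION_THRESHOLD = 3.0


def report_weight(r: Report, now: datetime) -> float:
    """Verified, established accounts count in full; fresh unverified ones barely at all."""
    established = now - r.reporter_created_at >= MIN_ACCOUNT_AGE
    if r.reporter_verified and established:
        return 1.0
    if r.reporter_verified or established:
        return 0.5
    return 0.1


def has_burst(reports: list) -> bool:
    """True if at least BURST_REPORTERS distinct reporters hit the target within BURST_WINDOW."""
    ordered = sorted(reports, key=lambda r: r.reported_at)
    for i, first in enumerate(ordered):
        in_window = {r.reporter_id for r in ordered[i:]
                     if r.reported_at - first.reported_at <= BURST_WINDOW}
        if len(in_window) >= BURST_REPORTERS:
            return True
    return False


def triage(reports: list, now: datetime) -> dict:
    """Per reported target: weighted score, burst flag and a decision."""
    by_target = {}
    for r in reports:
        by_target.setdefault(r.target_id, []).append(r)
    results = {}
    for target, rs in by_target.items():
        score = sum(report_weight(r, now) for r in rs)
        burst = has_burst(rs)
        fresh_share = sum(now - r.reporter_created_at < MIN_ACCOUNT_AGE for r in rs) / len(rs)
        if burst and fresh_share >= 0.8:
            decision = "hold_for_review"   # brigading signature: content stays up, reporters get reviewed
        elif score >= AUTO_ACTION_THRESHOLD:
            decision = "auto_hide"         # enough trusted reporters to act ahead of review
        else:
            decision = "queue"             # ordinary report, normal moderation queue
        results[target] = {"reports": len(rs), "score": round(score, 2),
                           "burst": burst, "decision": decision}
    return results


NOW = datetime(2021, 3, 1, 12, 0)  # constructed reference time

# Constructed sample: six day-old unverified accounts report one playlist within ten minutes;
# one long-standing verified user reports another; four established users report a third.
SAMPLE_REPORTS = (
    [Report(f"bot-{i}", "pl-constructed-a", NOW - timedelta(minutes=10 - i),
            NOW - timedelta(days=1), False) for i in range(6)]
    + [Report("user-old", "pl-constructed-b", NOW - timedelta(hours=3),
              NOW - timedelta(days=700), True)]
    + [Report(f"user-{i}", "pl-constructed-c", NOW - timedelta(hours=12 * i + 1),
              NOW - timedelta(days=400), True) for i in range(4)]
)

if __name__ == "__main__":
    for target, verdict in triage(SAMPLE_REPORTS, NOW).items():
        print(target, verdict)
```

The point of the weighting is that it turns account verification into a moderation signal: once accounts cost a phone number to create, a botnet can no longer produce enough trusted-looking reports to trip the automatic action, while a single genuine report from an established user still reaches a moderator.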

Investment without security

People around the world are putting hours of effort into their streaming accounts: building playlists, followings, brands and in some cases companies using their presence. They’re exposed to insecurity.

Even accounts on platforms with better security get hacked, e.g. to misuse the trust someone has built up and run a cryptocurrency scam on followers (as fellow music-tech writer Cherie Hu recently became a victim of on Twitter, which besides Audius and the report fraud above was my third prompt for writing this piece).

Even if a streaming service can reinstate an account after a hack: the hack can damage your brand, e.g. if the hacker changes playlist titles and imagery to something offensive or scams, or just makes it impossible for you to keep running your playlist brand due to repeated reporting. If you enjoy services’ algorithmic recommendations, a hacker’s temporary account takeover can mess that up for you also.

Two-factor authentication is a basic standard for security. Maybe it’s time for streaming services to give it some priority and prevent fraud, scams, and theft.

Is killing privacy the best we can do against secondary ticketing?

In its push to become a data-driven business, event organisers smell opportunity by connecting ticketing to real identities.

It’s estimated that the market for secondary ticketing is worth $1bn in the UK alone. It’s a problem for fans and artists, since tickets are often bought in bulk by resellers and sold at a much higher rate to fans. None of that added margin goes to the artists (although there are some allegations…).

Recently, Iron Maiden opted to go ‘paperless’ for their UK arena tour in order to curb ticket touting. With success:

“In 2010, 6,294 tickets appeared overnight on three of the major resale platforms — Viagogo, Seatwave and Get Me In! — on the day of sale. In 2016 this had dropped to 207, all on Viagogo, as Live Nation/Ticketmaster had agreed to delist the tour at Iron Maiden’s request.”

The tour didn’t go fully paperless, and paper tickets were available, but came with strict requirements towards the fans:

  1. Tickets must carry the name of the purchaser;
  2. Ticketholder must present ID and credit card at the door.

While effective, this is worrying and certainly not a “victory for concertgoers” as Iron Maiden manager Rob Smallwood called it.

It’s not just ticketing: privacy is under attack from all fronts. Many events have decided to go ‘cashless’, requiring people to top up chips in special event wristbands. This way, you know exactly who is ordering what, where, how much, and at what time of the night. If you’re a large organisation like Live Nation, you can build up an extensive profile of users over time.

This is valuable data, which may help secure sponsors for alcoholic beverages and helps you target fans with specific offers, but it comes with great responsibility.

Privacy in the age of artificial intelligence

The first multi-day conference and festival I attended that was nearly completely cashless was Eurosonic Noorderslag, earlier this year. It’s a music business conference and showcase event, and has lots of bands playing every night in nearly every bar and club in its host city, Groningen, in The Netherlands. It presented cashless payments as a convenience (i.e. to reduce queues at bars).

I immediately researched ways to opt out and found no good way. It was possible to ‘anonymize’ your chip, but you still have to charge it with your bank card, which ties your identity to it through the transaction records. I had good reason to opt out and so do you.

On its own, “Bas entered venue X at 21:03 and drank a beer at bar Y at 21:24” seems like useless information. And it probably is. I’m not from a country or culture that frowns upon alcohol, so I’m unlikely to be blackmailed with such a bit of information. However, it is possible for someone to claim they met me there and try to pull some sort of scam. Or worse, for someone to claim they are me by using anecdotal evidence based on these random bits of data, and then scamming someone else.

Criminals are moving from the higher risk ‘traditional crime’ into ‘cybercrime’ which is perceived as lower risk.

More than how someone might use a specific data point, what we should really be worried about is larger data leaks. There are parties that try to collect all information from big leaks. Some use it for good, like Have I Been Pwned, where you can search your email address to see if your login info for any site has leaked. But some people store it for more malicious purposes.

Over time, patterns can emerge in these data sets. These become easier to identify through machine learning algorithms, which can go through large datasets faster than a person could, and can get better over time at making sense of data. Many great ones are open source, like Google’s TensorFlow.

Now, your attendance of live events and what exactly you do there can be tied to your hacked LinkedIn or Dropbox account. Whoever holds that data has power over you.

Artificial intelligence could be trained to send hypertargeted scam emails, which use all the data available about you to trick you. This could result in ransomware being installed on your computer, which often means your hard drive is encrypted and locked and the key to decrypt your data is only turned over after paying a certain fee (usually done through Bitcoin, which makes it harder to track the perpetrators).

This could happen to your phone, but also to your car, or any other devices which are likely to be connected to the internet in a few years from now.

The important take-away is that the more data someone has about you, the wider their ‘attack vector’ becomes. This means they have more paths to target you. Any data point on its own usually doesn’t have much value, but it’s when large amounts of data get combined that value emerges. Facebook, a data company, has a market cap of nearly $400bn.

Privacy is security

Privacy in music should not be an afterthought

We have learned a lot from events. We’ve learned not to use biker gangs for security. We’ve learned to have first aid staff at festivals who are trained to deal with the effects of alcohol poisoning and mishaps with drugs. We have come a long way toward providing experiences that are exciting and safe at the same time.

Now it’s time to worry about our guests’ safety before they arrive, and after they leave our events. Let me be clear:

  • If you request your guests to sacrifice their privacy for ‘convenience’, and you get hacked, leading to people getting blackmailed or scammed, it is YOUR responsibility;
  • If you request this data from guests, make it clear and easy for them to find out how you’re storing the data, what you’re using it for, and when it will be deleted. Don’t just refer to some boilerplate privacy policy full of legalese;
  • When things go wrong, be honest about it and communicate it immediately, so people can take security measures;
  • Never store data about people for longer than you need it. Not storing data is the best way to prevent it from being leaked.

(small sidenote: if anyone ever sent you a picture or scan of their passport, go delete that file and email now)

What can you do as a fan?

Do whatever best protects your privacy. If it feels like you’re being a pain in the ass by requesting an anonymized wristband, great. You should be a pain in the ass. Pain is a great motivator for change. So by all means, request information about how your data is stored and protected, how long it’s stored, for what purpose, etc.

Perhaps the hardest part is being willing to skip concerts that don’t have privacy-friendly options. As consumers we should understand that solving ticket touting by sacrificing guests’ privacy is not a solution. It just shifts the issue and places an additional cost on the consumer on top of the ticket price.

Event organisers need to find a way to mitigate or at the very least minimize that additional cost. This means ticketing organisations have to take measures to invest in technology which helps protect and secure guests’ privacy. But they need to feel pressure, or pain, in order to do that.

Data, for ticketing companies, is the same as it is for malicious hackers: the more data you can get on a person, the more valuable it becomes.