9. Abuse @ Netflix
Simplifiers
• No user-generated content
• No ads on service
• Limited member-to-member interactions
• No directly extractable value
Complicators
• Use value of accounts
• Account fungibility
• Device ecosystem
• Language diversity
• Payments complexity
• Usage patterns
11. Netflix Service
• Consumer friendly
• 30 day free trial
• Easy to cancel
• Excellent consumer experience can create potential for abuse
12. Key Questions Driving Anti-Abuse
• Who will convert from free trial to paid?
• Financial projections
• How will members behave?
• Content planning
• User experience, product enhancements
15. Free Trial Fraud
• Payments is a primary abuse differentiator (vs. free services)
• Payment method is required @ signup
• Global payments infrastructure and operations is complex
• Loopholes and unexpected failure modes occur regularly
• Adversaries search for and exploit these failures
• So, fake account management is largely a payments fraud problem
16. Free Trial Fraud: Control Approach
Initial Assessment (Client to Site)
• VPN/proxy analysis
• Device fingerprinting
• Global merchant data analysis
• Internal threat intel analysis
Signup (Payment Validation)
• Method of payment checks
• Business rules (e.g. trial eligibility)
• Risk-dependent auth
Post-Signup (Activity Analysis)
• BIN anomalies
• CS contacts
• Account behaviors (e.g. cross-border streaming)
17. Free Trial Fraud – Control Objectives
• Detect and disable within 30 days post signup (free trial period)
• Continue to shrink the detect-to-disable period
• Keep data clean
• Reduce adversary opportunity to monetize
21. Detecting Account Takeover
• Account validators and traffic analysis
• Detect “credential stuffing”
• Credential dumps (pastebin, 3rd party)
• Customer service contacts
• Predictive model
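Detection logic for the “credential stuffing” bullet above, as an added example (not code from the talk): it flags a source that attempts many distinct accounts with mostly failures inside a short window, and records which accounts nevertheless logged in successfully from that source, since those are the likely takeovers. The log lines, thresholds and field layout are constructed for the example.

```python
"""Credential-stuffing detector over constructed login-attempt records.

Stuffing traffic shows one source trying many distinct accounts with a
high failure ratio in a short window; a legitimate user retrying one
account a few times does not.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp, source IP, account, outcome
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 user001@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 user002@example.com FAIL
2024-05-01T10:00:02Z 203.0.113.7 user003@example.com FAIL
2024-05-01T10:00:03Z 203.0.113.7 user004@example.com OK
2024-05-01T10:00:04Z 203.0.113.7 user005@example.com FAIL
2024-05-01T10:00:05Z 203.0.113.7 user006@example.com FAIL
2024-05-01T10:00:01Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:20Z 198.51.100.9 alice@example.com FAIL
2024-05-01T10:00:45Z 198.51.100.9 alice@example.com OK
"""


def parse_log(text):
    """Yield (timestamp, ip, account, success) tuples from the log text."""
    for line in text.splitlines():
        ts, ip, account, outcome = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, account, outcome == "OK"


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, max_success_ratio=0.5):
    """Return {ip: accounts that logged in OK} for every source that, within some
    `window`, hit at least `min_accounts` distinct accounts with mostly failures."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window so attempts[start:end+1] all fall within `window`
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            current = attempts[start:end + 1]
            accounts = {a for _, a, _ in current}
            successes = sum(1 for _, _, ok in current if ok)
            if len(accounts) >= min_accounts and successes / len(current) <= max_success_ratio:
                # Accounts that succeeded from a stuffing source are probable ATO victims
                flagged[ip] = {a for _, a, ok in current if ok}
    return flagged


if __name__ == "__main__":
    print(detect_stuffing(parse_log(SAMPLE_LOG)))
```

The flagged accounts feed the next control on the slide, the customer-service and predictive-model review, rather than triggering an automatic lockout on their own.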
22. Modeling ATO
• To better identify the ATO population, we began with cred dumps
• Hypothesis – Members in cred dumps who contact CS exhibit acute signs of compromise
• Built a classifier to segregate these accounts, and ranked features of impacted accounts
• Apply to broader member population
• Additional revisions and models created to fine tune
39. Monetization Controls
• Discovery and takedowns
• scumblr and partners
• Complicated by language
• Collaboration
• e.g. eBay LVIS (Licensing Verification and Information System) and VeRO (Verified Rights Owner)
• e.g. ThreatExchange (WIP)