Netflix’s expansion revealed the need for increased fraud prevention measures.
Netflix is the world’s leading Internet television network with over 75 million members in over 190 countries enjoying more than 125 million hours of TV shows and movies per day. However, as Netflix has expanded into emerging global markets, the risk of fraud has also increased.
Isolated fraudsters as well as organized criminal networks seek to capitalize on free trials, opening new accounts with stolen identities and providing false or stolen payment information. Netflix needed a global, holistic response to this growing fraud trend, while maintaining its trusted reputation and reducing friction for legitimate customers. With ThreatMetrix, Netflix was able to:
- Leverage global shared intelligence from the Digital Identity Network in order to accurately detect fraudulent new account requests in real time.
- Minimize the illegal sale of free trial accounts on the dark web.
- Ensure that legitimate new customers were not unnecessarily turned away.
- Protect future revenue and reduce fraud losses by ensuring that only legitimate customers were registering for new accounts.
Netflix observes forms of new account fraud from cybercriminals attempting to make money selling “free trial” accounts. Netflix one-month free trial accounts allow streaming from up to four devices at any time. A fraudster could theoretically create one free trial and resell that free trial at low prices to up to four buyers.
Despite the relatively low entry point for a legitimate monthly subscription, there was still a market for these fraudulent accounts, either from people who had already taken up the free trial, or for those wishing to access the service on the cheap.
Leveraging Threatmetrix Digital Intelligence To Support Trusted Customer Acquisition
One of the key business requirements for Netflix was to ensure that any fraud and security solution was not overly aggressive and did not deter legitimate customers. The ThreatMetrix solution created no friction in the sign-up procedure because customers were passively authenticated in real time, yet it could still accurately detect high risk behavior indicative of fraud.
The Power Of Shared Intelligence
The ThreatMetrix solution is underpinned by the ThreatMetrix Digital Identity Network which harnesses global shared intelligence from millions of daily consumer interactions including logins, payments and new account applications. Using this information, ThreatMetrix creates a unique digital identity for each user by analyzing the myriad connections between devices, locations and anonymized personal information.
Digital Identities are created by combining the following key intelligence:
- Device profiling – Device identification, device health and application integrity, as well as detection of location cloaking or spoofing, (proxies, VPNs and the TOR browser).
- Threat intelligence – Harnessing point-in-time detection of malware, Remote Access Trojans (RATs), automated bot attacks, session hijacking and phished accounts, then combining with global threat information such as known fraudsters and botnet participation.
- Identity Data – Incorporating anonymized, non-regulated personal information such as user name, email address and more.
- Behavior analytics – Defining a pattern of trusted user behavior by combining identity and transactional metadata with device identifiers, connection and location characteristics. Every transaction can be analyzed in the context of this behavior pattern and historic context globally.
Netflix could authenticate new account requests against this trusted and unique online digital identity, checking whether identity and payment credentials of the connecting user correlated with anonymized information held by The Network.
Using The Threatmetrix Policy Engine To Customize Risk Scores
Netflix took advantage of the flexibility of the ThreatMetrix policy engine to customize risk scores to suit their global business requirements. Additional rules were incorporated to target individual, larger scale fraud attacks in specific geographical locations, without changes to the wider global strategy.
Following successful deployment, Netflix now also uses ThreatMetrix to authenticate specific account change requests. Updates to address information or changes to a payment method can sometimes indicate a fraudulent account breach. The ThreatMetrix solution is able to verify that any new address or credit card is associated with the legitimate user and not stolen or spoofed.