
Defending Netflix from Abuse


My talk from Facebook's Spam Fighting at Scale 2016 conference.

Defending Netflix from Abuse

  1. Defending Netflix from Abuse. Jason Chan, Engineering Director, Cloud Security
  2. Netflix Statistics
     • > 86 million members
     • > 190 countries
     • > 125 million hours of streaming per day
     • ~35% of US Internet traffic at peak
  3. Some Abuse-Related Background
  4. Abuse @ Netflix
     Simplifiers
     • No user-generated content
     • No ads on service
     • Limited member-to-member interactions
     • No directly extractable value
     Complicators
     • Use value of accounts
     • Account fungibility
     • Device ecosystem
     • Language diversity
     • Payments complexity
     • Usage patterns
  5. “What is the Netflix password?”
  6. Netflix Service
     • Consumer friendly
     • 30 day free trial
     • Easy to cancel
     • Excellent consumer experience can create potential for abuse
  7. Key Questions Driving Anti-Abuse
     • Who will convert from free trial to paid?
       • Financial projections
     • How will members behave?
       • Content planning
       • User experience, product enhancements
  8. Adversary Actions
     Goals
     1. Obtain Netflix accounts (without paying)
     2. Monetize
        • Primarily via resale
        • Secondarily as bait/lure
     Methods
     • Free trial fraud (fake accounts)
     • Account takeover (ATO)
  9. Free Trial Fraud
  10. Free Trial Fraud
     • Payments is a primary abuse differentiator (vs. free services)
     • Payment method is required @ signup
     • Global payments infrastructure and operations are complex
     • Loopholes and unexpected failure modes occur regularly
     • Adversaries search for and exploit these failures
     • So, fake account management is largely a payments fraud problem
  11. Free Trial Fraud: Control Approach
     Initial Assessment (Client to Site)
     • VPN/proxy analysis
     • Device fingerprinting
     • Global merchant data analysis
     • Internal threat intel analysis
     Signup (Payment Validation)
     • Method of payment checks
     • Business rules (e.g. trial eligibility)
     • Risk-dependent auth
     Post-Signup (Activity Analysis)
     • BIN anomalies
     • CS contacts
     • Account behaviors (e.g. cross-border streaming)
  12. Free Trial Fraud – Control Objectives
     • Detect and disable within 30 days post signup (free trial period)
     • Continue to shrink the detect-to-disable period
     • Keep data clean
     • Reduce adversary opportunity to monetize
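The three control stages on the "Control Approach" slide and the detect-to-disable objective on the slide after it, turned into code as an added example. This is not Netflix's code: the signal weights, the fingerprint-reuse threshold, the BIN-to-country table and the sample cohort are all constructed assumptions, and the real pipeline draws on merchant data and threat intel that an offline example cannot.

```python
"""Added example (not Netflix code): scoring free-trial signups with the three
control stages from the slide (client-to-site assessment, payment validation,
post-signup activity analysis) and measuring detect-to-disable time.
All records, the BIN table and the thresholds are constructed assumptions."""
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Constructed BIN-to-issuing-country table (hypothetical prefixes, not real BINs).
BIN_COUNTRY = {"411111": "US", "510510": "US", "453201": "BR", "601100": "US"}


@dataclass
class Signup:
    account_id: str
    signup_date: date
    country: str            # geo of the signup request
    is_vpn_or_proxy: bool   # result of the client-to-site VPN/proxy analysis
    device_fp: str          # device fingerprint
    card_bin: str           # first six digits of the payment card
    trial_used_before: bool # business rule: trial eligibility
    stream_countries: set = field(default_factory=set)  # seen post-signup


def score_signup(s: Signup, fp_counts: Counter) -> tuple[int, list[str]]:
    """Return an illustrative risk score and the reasons behind it.
    Stage 1 (client-to-site): VPN/proxy and device-fingerprint reuse.
    Stage 2 (payment validation): BIN anomaly and trial-eligibility rule.
    Stage 3 (post-signup): cross-border streaming relative to signup geo.
    Weights are assumptions chosen for the example, not Netflix's."""
    score, reasons = 0, []
    if s.is_vpn_or_proxy:
        score += 2
        reasons.append("vpn_or_proxy")
    if fp_counts[s.device_fp] >= 3:  # one device minting many trials
        score += 3
        reasons.append(f"device_fp_reused_x{fp_counts[s.device_fp]}")
    bin_country = BIN_COUNTRY.get(s.card_bin)
    if bin_country is None:
        score += 1
        reasons.append("unknown_bin")
    elif bin_country != s.country:
        score += 2
        reasons.append(f"bin_country_{bin_country}_vs_signup_{s.country}")
    if s.trial_used_before:
        score += 3
        reasons.append("trial_ineligible")
    foreign = s.stream_countries - {s.country}
    if foreign:
        score += 2
        reasons.append("cross_border_streaming:" + ",".join(sorted(foreign)))
    return score, reasons


def triage(signups: list[Signup], disable_at: int = 5) -> dict[str, dict]:
    """Score every signup against the cohort (fingerprint reuse is only
    visible across accounts) and decide which ones to disable."""
    fp_counts = Counter(s.device_fp for s in signups)
    out = {}
    for s in signups:
        score, reasons = score_signup(s, fp_counts)
        out[s.account_id] = {"score": score, "reasons": reasons,
                             "disable": score >= disable_at}
    return out


def detect_to_disable_days(signup_date: date, disabled_on: date) -> int:
    """The control objective from the slide: disable inside the 30-day trial
    and keep shrinking this number. Returns whole days elapsed."""
    return (disabled_on - signup_date).days


# Constructed sample cohort: three trials minted from one device through a
# VPN with a foreign-issued card, plus one ordinary signup.
SAMPLE = [
    Signup("a1", date(2016, 5, 1), "US", True, "fp-7c2", "453201", False, {"BR"}),
    Signup("a2", date(2016, 5, 1), "US", True, "fp-7c2", "453201", False, set()),
    Signup("a3", date(2016, 5, 2), "US", True, "fp-7c2", "999999", True, {"BR", "AR"}),
    Signup("a4", date(2016, 5, 2), "US", False, "fp-1ab", "411111", False, {"US"}),
]
SAMPLE_DISABLED_ON = date(2016, 5, 9)  # constructed date the a1 account was disabled

if __name__ == "__main__":
    for acct, verdict in triage(SAMPLE).items():
        print(acct, verdict)
    print("detect-to-disable:",
          detect_to_disable_days(SAMPLE[0].signup_date, SAMPLE_DISABLED_ON), "days")
```

The point of scoring against the whole cohort rather than one record at a time is the fingerprint check: a single signup through a VPN with a foreign card is ambiguous, but the third trial from the same device is not, which is why the post-signup stage on the slide exists at all.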
  13. Account Takeover
  14. ATO – Traditional Causes
     • 3rd party breaches (password reuse)
     • Phishing
     • Malware
     • “Friendly” compromise
  15. ATO Lifecycle
     Compromise: Obtain Credentials → Use → Publish → Sell → Change
     Member Impact: Unable to Access, Unusual Activity, Password Reset
     Resolution: Self Resolution, Contact CS, Cancel Account
     Detection, Action, & Measurement
  16. Detecting Account Takeover
     • Account validators and traffic analysis
     • Detect “credential stuffing”
     • Credential dumps (pastebin, 3rd party)
     • Customer service contacts
     • Predictive model
  17. Modeling ATO
     • To better identify ATO population, we began with cred dumps
     • Hypothesis: members in cred dumps who contact CS exhibit acute signs of compromise
     • Built classifier to segregate these accounts, and ranked features of impacted accounts
     • Apply to broader member population
     • Additional revisions and models created to fine tune
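Two of the detection sources on the "Detecting Account Takeover" slide, plus the dump-seeded idea from "Modeling ATO", as an added example that is not Netflix's code. The login log format, the thresholds (five distinct accounts within five minutes at no more than a 50% success rate) and the credential dump are constructed; the slide's predictive model is replaced by a plain cross-check that labels which accounts a stuffing source got into were also present in a dump.

```python
"""Added example (not Netflix code): credential-stuffing detection by traffic
analysis, then a credential-dump cross-check, run over constructed login events.
Log format, thresholds and the dump are assumptions made for the example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: timestamp, source IP, account, outcome, user agent.
# 203.0.113.9 walks a list of accounts; 198.51.100.4 is a real user retrying.
LOG = """\
2016-06-01T10:00:01Z 203.0.113.9 alice@example.com FAIL ua=stuffer/1.0
2016-06-01T10:00:02Z 203.0.113.9 bob@example.com FAIL ua=stuffer/1.0
2016-06-01T10:00:02Z 203.0.113.9 carol@example.com OK ua=stuffer/1.0
2016-06-01T10:00:03Z 203.0.113.9 dave@example.com FAIL ua=stuffer/1.0
2016-06-01T10:00:04Z 203.0.113.9 erin@example.com FAIL ua=stuffer/1.0
2016-06-01T10:00:05Z 203.0.113.9 frank@example.com OK ua=stuffer/1.0
2016-06-01T10:00:06Z 203.0.113.9 grace@example.com FAIL ua=stuffer/1.0
2016-06-01T10:00:07Z 203.0.113.9 heidi@example.com FAIL ua=stuffer/1.0
2016-06-01T10:01:00Z 198.51.100.4 alice@example.com FAIL ua=Mozilla/5.0
2016-06-01T10:01:09Z 198.51.100.4 alice@example.com OK ua=Mozilla/5.0
2016-06-01T10:02:00Z 192.0.2.77 carol@example.com OK ua=Mozilla/5.0
"""

# Constructed credential dump (accounts only; real dumps carry passwords/hashes).
DUMP = {"carol@example.com", "zed@example.com"}


def parse(log: str):
    """Yield (timestamp, ip, account, success, user_agent) per log line."""
    for line in log.splitlines():
        ts, ip, user, outcome, ua = line.split(" ", 4)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK", ua


def stuffing_sources(events, window=timedelta(minutes=5),
                     min_accounts=5, max_success_rate=0.5):
    """Per source IP, slide a time window over its attempts and flag the source
    when some window holds >= min_accounts distinct accounts with a low success
    rate: many accounts, mostly wrong passwords, is the stuffing signature.
    A legitimate user retrying one account never reaches min_accounts."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok, _ in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            accounts = {u for _, u, _ in win}
            rate = sum(ok for _, _, ok in win) / len(win)
            if len(accounts) >= min_accounts and rate <= max_success_rate:
                seen = flagged.get(ip, {"accounts": 0})
                if len(accounts) > seen["accounts"]:  # keep the widest window
                    flagged[ip] = {"accounts": len(accounts),
                                   "success_rate": round(rate, 2)}
    return flagged


def accounts_to_reset(events, flagged, dump):
    """Accounts a flagged source logged into are likely compromised; presence
    in a dump is the extra signal the slide's classifier was seeded with."""
    hits = {}
    for _, ip, user, ok, _ in events:
        if ok and ip in flagged:
            hits[user] = "in_dump" if user in dump else "stuffed_only"
    return hits


def run(log: str = LOG, dump: set = DUMP):
    events = list(parse(log))
    flagged = stuffing_sources(events)
    return flagged, accounts_to_reset(events, flagged, dump)


if __name__ == "__main__":
    flagged, hits = run()
    print("stuffing sources:", flagged)
    print("force password reset:", hits)
```

Note that the successful logins are the ones that matter: a stuffing run with a 25% hit rate has just validated a quarter of a dump against this service, which is exactly the "account validator" traffic the slide names, and those accounts go straight into the lifecycle's Member Impact phase unless they are reset first.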
  18. Abuse Monetization and Markets
  19. General Internet
  20. Video
  21. Social
  22. Auctions and Forums
  23. Typical Outcomes for Resale “Customers”
  24. Disrupting Monetization
  25. Monetization Controls
     • Discovery and takedowns
       • scumblr and partners
       • Complicated by language
     • Collaboration
       • e.g. eBay LVIS (Licensing Verification and Information System) and VeRO (Verified Rights Owner)
       • e.g. ThreatExchange (WIP)
  26. Darkweb
  27. Darkweb “Controls”
     • Monitor and analyze
       • Cost
       • Resellers
       • Overall supply
     • Controlled purchases
       • Analyze origins
       • Upstream intel
  28. Questions? chan@netflix.com
