For Dan Draper, the CEO of data-protection company CipherStash, two-factor authentication is just a start. There’s also his password-manager tool, a handy hardware token, and even a hi-tech biometric keyboard keeping hackers at bay. As a matter of fact, pretty much the only way Draper feels susceptible to a data breach is through his streaming-video services.
Draper told IndieWire that “some properties” of streaming services can make them prime targets for hackers. You know that Netflix account that up until recently you shared with friends and relatives? It was a potential hack waiting to happen. (This is not in any way an indictment on Netflix’s security but merely a widely understandable example.)
“The idea of password-sharing does put things at a higher risk,” Draper said.
After all, passwords are not just “the only way that we protect our access,” they’re “a terrible security mechanism” to start with. And now you’ve shared it with four other households, who may not be as security-conscious as you, the honorable original subscriber.
“The analogy is if you’ve got a big, beautiful steel door on the front of your house with the best, most-expensive lock and biometrics and all the rest of it,” Draper said, “but you’ve left your window wide open.”
The window, in this scenario, is probably your mother-in-law. Draper’s got his windows nailed shut and barred up — but most of us do not.
Should your Netflix password end up on, say, the dark web, it won’t be so some computer-savvy cheapskate can watch “Baby Reindeer” for free. The bigger-picture idea is to either a) collect ancillary data that can serve as one link in the chain of identity theft, or b) to see if you were dumb enough to use the same password where web security actually matters, like banking.
The practice of attempting to use a password stolen from one site on another site is called credential stuffing. That was the intention beyond the latest Roku data breach, in which more than half a million streaming accounts were compromised. Draper says he could have stopped it outright, or at least within the first few thousand. (He also says it wasn’t Roku’s system that failed but the systems of its partners.)
That’s his job. If only your streaming-video services did their jobs as it pertains to data security.
Something as simple as two-factor authentication can greatly reduce the risks of a data breach. Among Draper’s corporate clients, multi-factor authentication is considered “the best bang-for-your buck technique… to protecting access.”
But as far as he can tell, no streaming service actually uses it. Why? They are already “getting a lot of pushback from customers” on the password-sharing crackdowns; adding another step will add to the safety, yes, but also to the grief. Multi-factor authentication creates “friction,” Draper said, which can frustrate streaming subscribers right out of being subscribers. That’s the fear, at least.
Streaming platforms are doing one thing right when it comes to privacy: The password-sharing crackdowns in the streaming industry are “quite possibly” saving identity theft, Draper said. “Certainly the fact that Netflix has taken steps in that direction reduces the risk.”
Max, Disney+, and Hulu are taking the same step toward ending account-sharing — not that we expect anyone to thank them for being so concerned with their data security. The password-sharing crackdowns, of course, are not because the services are so altruistic: Netflix’s “paid sharing” program has become a huge new revenue stream for the king of all streamers. Everyone wants a piece of that; and as per usual, everyone is following Netflix.
Even worse than sharing passwords (and much worse than having weak ones), Draper says, is repeating passwords — especially between a low-risk website and a high-risk one. In other words, definitely do not repeat a password “between your banking and your Netflix,” Draper said.
“That’s probably the worst thing you could do.”