My talk from Facebook's Spam Fighting at Scale 2016 conference.

1. Engineering Director, Cloud Security
Jason Chan
Defending Netflix from Abuse

6. > 86 million members
> 190 countries
> 125 million hours of streaming per day
~35% of US Internet traffic at peak
Netflix Statistics

8. Some Abuse-Related Background

9. Simplifiers
• No user-generated content
• No ads on service
• Limited member-to-member
interactions
• No directly extractable value
Abuse @ Netflix
• Use value of accounts
• Account fungibility
• Device ecosystem
• Language diversity
• Payments complexity
• Usage patterns
Complicators

10. “What is the Netflix password?”

11. • Consumer friendly
• 30 day free trial
• Easy to cancel
• Excellent consumer experience can create potential for abuse
Netflix Service

12. • Who will convert from free trial to paid?
• Financial projections
• How will members behave?
• Content planning
• User experience, product enhancements
Key Questions Driving Anti-Abuse

13. 1. Obtain Netflix accounts
(without paying)
2. Monetize
• Primarily via resale
• Secondarily as bait/lure
Adversary Actions
Goals
• Free trial fraud (fake
accounts)
• Account takeover (ATO)
Methods

14. Free Trial Fraud

15. • Payments is a primary abuse differentiator (vs. free services)
• Payment method is required @ signup
• Global payments infrastructure and operations is complex
• Loopholes and unexpected failure modes occur regularly
• Adversaries search for and exploit these failures
• So, fake account management is largely a payments fraud problem
Free Trial Fraud

16. Free Trial Fraud: Control Approach
Initial Assessment
(Client to Site)
• VPN/proxy analysis
• Device fingerprinting
• Global merchant data
analysis
• Internal threat intel
analysis
Signup
(Payment Validation)
• Method of payment checks
• Business rules (e.g. trial
eligibility)
• Risk-dependent auth
Post-Signup
(Activity Analysis)
• BIN anomalies
• CS contacts
• Account behaviors (e.g.
cross-border streaming)

17. • Detect and disable within 30 days post signup (free trial period)
• Continue to shrink the detect-to-disable period
• Keep data clean
• Reduce adversary opportunity to monetize
Free Trial Fraud – Control Objectives

18. Account Takeover

19. • 3rd party breaches (password reuse)
• Phishing
• Malware
• “Friendly” compromise
ATO – Traditional Causes

20. Obtain
Credentials
Use
Publish
Sell
Change
Unable to
Access
Unusual
Activity
Password
Reset
Compromise Member Impact Resolution
Self
Resolution
Contact
CS
Cancel
Account
Detection, Action, & Measurement
ATO Lifecycle

21. • Account validators and traffic analysis
• Detect “credential stuffing”
• Credential dumps (pastebin, 3rd party)
• Customer service contacts
• Predictive model
Detecting Account Takeover

22. • To better identify ATO population, we began with cred dumps
• Hypothesis – Members in cred dumps who contact CS exhibit
acute signs of compromise
• Built classifier to segregate these accounts, and ranked
features of impacted accounts
• Apply to broader member population
• Additional revisions and models created to fine tune
Modeling ATO

23. Abuse Monetization and Markets

24. General Internet

25. Video

28. Social

32. Auctions and Forums

35. Typical Outcomes for Resale “Customers”

38. Disrupting Monetization

39. • Discovery and takedowns
• scumblr and partners
• Complicated by language
• Collaboration
• e.g. eBay LVIS (Licensing Verification and Information
System) and VeRO (Verified Rights Owner)
• e.g. ThreatExchange (WIP)
Monetization Controls

40. Darkweb

42. • Monitor and analyze
• Cost
• Resellers
• Overall supply
• Controlled purchases
• Analyze origins
• Upstream intel
Darkweb “Controls”

43. Questions?
chan@netflix.com