Securing Your Streaming: Personal Data in the Age of Digital On Demand
Robert Ramos
September 19, 2019
Awareness regarding the safety and sanctity of one’s personal information – billing/mailing address, birth date, family members, pets, property, online activity, etc. – has been growing recently. Witness the furor over the Cambridge Analytica scandal and its effect on the leading global social media platform. You may also have noticed friends posting things like, “I do not authorize this social media platform to use my image or posts” in your timeline.
Despite this, people and organizations remain vulnerable to breaches of their personal information, sometimes from places or directions they never thought they’d be in danger from.
Like, for example, your video streaming account.
In a July 2019 post on Facebook, Pointwest’s Chief Information Security Officer (CISO) Rene Canlas informed his social media network that his bank reported a “fraudulent transaction on my credit card involving a Netflix subscription.” The bank further informed him that such transactions had been going on in “recent” months before the incident with his account.
So, you ask, how can this happen?
Rene did some investigation and found out two things:
The first is that it can be easy to get two important things from your credit card if someone has access to it, even for a little while: your credit card number, and the Card Verification Value (CVV) or Card Security Code (CSC), the three-digit number usually found near the signature strip.
The CVV/CSC is important because it’s what allows you to do what’s called a “card not present” transaction. For those who have experience buying online, this is when you’re asked for those three numbers before completion of your purchase. Along with several other security features, the CVV/CSC facilitates the ease of digital banking and retail transactions.
Normally, just having the credit card account and CVV/CSC numbers isn’t enough even to register a new account in most other services.
But, as Rene found out in his investigation, the format of the subscription for Netflix makes it easy for someone with just those two numbers to make a new account:

[Image: subscription page requiring the following: First Name, Last Name, Card Number, Expiration Date, Security Code]
That’s the subscription page for Netflix. And therein is the problem.
“The problem here is that Netflix only requires the info you see in the picture, all of which are exactly what’s on the front and back of your credit card so that’s all the fraudsters need,” Rene said. “Most e-commerce sites ask for additional details that are not on the card, such as your billing address as a way to verify that the user is the card owner.”
Rene said that he reported the issue to Netflix Customer Support but received a response that did not seem to seriously consider his concerns over private information security (or lack thereof).
People will ask: why is this an issue, then? If Netflix, or any similar online service, thinks it’s not worth the bother to fix it, maybe it isn’t as big a problem as it seems?
Rene points out that such an easy way to make new accounts, coupled with how your personal information was taken, could lead to bigger problems.
First, once your credit card account and CVV/CSC numbers have been lifted through physical access to your card or through other means, your personal information is now in the wild as it gets passed from one person to another looking for a free Netflix subscription.
It might be true that possession of those two pieces of information won’t net scammers more than another free month of Netflix, but there are more sophisticated fraudsters out there who can use that data for bigger kinds of theft.
For example: to get past most online transaction security, additional information would be needed, like your billing address or birthdate. Such information could be easy to procure even for someone who is not an expert in social engineering hacking methods. All one needs to do is try to find your Facebook or Twitter page and see if you’ve left that information in public view, like when your friends wish you a happy birthday (because your birthday notification is turned on).
If you still think it’s not a matter for concern that your name, credit card number, and CVV/CSC are out there and being traded around, remember that there are people who were able to commit major acts of fraud or identity theft simply through dumpster diving, particularly for something as supposedly safe as ATM receipts.
And there’s a good chance you won’t know your credit card details have been compromised unless you’re diligent in checking your credit card bill or your bank is consistent in informing its customers of suspicious purchases. In fact, Rene’s bank only detected the fraud because “the fraudster apparently passed my card details to another person who tried to register for another Netflix subscription using my card.”
Additionally, even if the breach is detected early like in the case of Rene’s bank, there are processes you have to go through to fix the problem. Some of these could take time, like going through the suspension period of your account as you wait for a new card to be issued as well as fixing your personal details in all of the services you once used that card on.
On the part of the user, Rene recommends that the simplest solution would be to cover the CVV/CVC number with tape. Memorize the number or write it down somewhere safe (like with a LastPass account), and then either cover it or even erase it.
He adds that people should learn to be more diligent with their digital accounts, especially now that several new players are emerging to claim their own share of the digital entertainment pie. Hackers and scammers are always trying to find vectors to steal your personal information, and people’s lax attitudes when it comes to accounts like Netflix or even online videogame megastore Steam can leave them vulnerable to identity theft.
Pointwest’s brand of Cybersecurity and Data Protection has always been about training the “human layer” in the security chain to be robust in resisting cyberattacks. Rene always says that no matter how sophisticated your software protection is, hackers and scammers will always find a way to get in if the humans behind that software aren’t as good.
“The human is the weakest link in the cybersecurity loop,” Canlas said. He adds that this is why one of the aims of human-centric cybersecurity development and consultation programs like the one Pointwest offers its clients is to “strengthen security in the human layer.”
But Rene also insists that service providers like Netflix have to up their game when it comes to protecting the personal information of their subscribers. “This choosing convenience over security has to stop,” Rene said, pointing to how subscription methods like the one for Netflix were designed so that more people could sign up.
“It may look fine from a short- or even mid-term standpoint but like with cases of a lack of testing or bad UX, the cost is in the long-term and would be even worse than if these providers took those little important steps to help secure their subscribers,” Rene added.
“Data protection and cybersecurity is everyone’s business,” Rene said. “We all have to do our part in ensuring our personal information and that of others is kept safe and secure and not used by the bad guys.”