Streaming services: it’s time for Two-Factor Authentication

Scams, fraud, bots and theft: the ugly side of streaming provides a stark contrast to that beautiful feeling of having the world’s recorded music at your fingertips.

What is Two-Factor Authentication (2FA)

You are most likely already using 2FA. Accounts like Google, Facebook or Apple require a second form of authentication when you sign in from a new device. This usually works by confirming it's you from a device that is already signed in, or by entering a code that is sent to your phone number or email address, or generated by an authenticator app.

It adds a layer of security that makes it much harder to get into an account with just the username and password, which is all an attacker holds after a password leak or a successful phishing attempt.

Why don’t streaming services use 2FA?

Popular streaming services like Spotify and Netflix famously don't use 2FA, although the latter has recently started testing it, presumably to tackle account sharing. The reason for not implementing it? Likely that it doesn't help growth and may in fact hurt conversion rates.

Jorge Castro on developer community dev.to sums it up well through this fictional conversation:

  • Developers: We want to implement 2FA in our platform.
  • Netflix executives: Ok, and how much will it cost us?
  • Developers: Around two months.
  • Netflix executives: Ok, and will it increase the number of viewers?
  • Developers: Well, not really. It is about security.
  • Netflix executives: So, it will not increase the number of viewers but it could be a burden for some customers and it could decrease the number of viewers.
  • Developers: Yes, but it could be optional.
  • Netflix executives: So optional, an option that plays against the number of viewers and it will cost us time (and money). Sorry but no.
  • Developers: But the security.
  • Netflix executives: We already invested in our security. If our customers have trouble then we could reset their password. It's their responsibility, not ours.

However, building in a little more friction could benefit everyone, and tackle certain types of fraud more effectively than a switch to user-centric streaming payments would.

Black market for streaming service accounts

For years there has been a thriving market for streaming service accounts, with Spotify accounts selling for under a dollar. Many, though not all, of these are hacked accounts. It's so common that people commenting on their hacker's music taste has become something of a meme, and a quick search on Twitter pulls up countless examples.

Vietnamese blogs speculate that black market accounts are what led to Spotify and Netflix halting their free trial offers in the country last year.

This is not an issue that is exclusive to Spotify and Netflix, but examples are easy to find because they are two of the most popular entertainment services without 2FA.

Fake plays, scams, and fraud

Just like it’s possible to buy ‘fake followers’ on social media, it’s possible to buy fake plays for streaming services. Jacking up the numbers can help to game the recommendation algorithm and build fake legitimacy for those looking closely at big numbers (but perhaps not closely enough).

Who cares if that is what someone wants to do? Well, everyone should, because it eats away at the pool of money distributed to all artists. Hackers have been gaming this system openly since at least 2013 in order to generate revenue.

A 2015 article by William Bedell explains how he was able to do the same. At the time, Spotify not only lacked 2FA:

“There wasn’t even a CAPTCHA or email verification when creating accounts.”

Image by William Bedell.

Without stronger controls at sign-up and sign-in, this type of fraud has to be detected and undone after the fact, which usually means streaming services take down music with fake plays. That sounds good, but there are two issues: 1) we don't know what percentage of fraud goes undetected, and 2) it opens up an attack vector: want your competitor's music taken down? Just boost it with fake streams.

Audius (primer article), a new streaming platform and protocol that awards people tokens (called $AUDIO) based on their participation, is also running into this issue. Bots are used on the platform to game the system and get music into the charts. This messes with the platform’s weekly reward system, as WeirdCityRecords on Reddit points out:

“Curators have been robbed by bot users almost every week since the rewards inception (not only in terms of $audio but engagement being buried below bots), and now with a song being clearly botted to #1, it seems like this week 1 artist or possibly more will be deprived as well.”

The track accused of being ‘botted’ to the top outperforms the #2 by over 14 times, despite the artist and account being new to the platform and seemingly not having a significant presence on other music platforms.

Requiring a verified second factor at sign-up, and limiting it to one account per phone number, would make it a lot harder to create accounts in bulk like in the examples above. Strictly speaking that is account verification rather than 2FA at login, but the two go together: the same phone number or authenticator that protects an existing account against takeover also raises the cost of mass-producing new ones.

Report fraud

Recently, I became familiar with another scam. Unfortunately that was due to falling victim to it on Spotify, though it may also exist on other platforms.

Botnets get employed to report people's playlists for inappropriate content. This results in the playlist title and description being taken down. Bada-bing bada-boom: it is now easier for a competing playlist to become the #1 search result for those same terms on Spotify.

As soon as I reported the erroneous report to Spotify and had them restore the playlist title and description, the botnet took it down again. This repeated half a dozen times over 2 weeks with my playlist existing without a title or description for the majority of the time.

I’m not alone in this and have found various playlists that also seem to be suffering from this issue (click here for an example if you’re curious about Romanian Manele music and here for GTA’s excellent soundtrack). This thread in Spotify’s support forums has other users reporting the issue.

The attack seems to have ended, but I almost gave up restoring my playlist every time it got taken down (I did consider writing a script that would auto-reply to Spotify’s takedown emails, though).

Since playlists are user-generated content, Spotify needs some type of system to deal with reports and make sure content that goes against the terms & conditions is taken down. After the 5th time my playlist got taken down and I asked if they could protect my playlist from the next auto-takedown, I got this answer:

“All user-created content can be reported, and while it may be possible that a report is invalid, all such reports need to go through our official report channel so we can handle them properly.”

So that's a no. This means that anyone building playlists on Spotify with an unverified account can fall victim to this. Sure, the reporting account may get banned, but against a botnet with a steady supply of accounts, banning one makes no difference. That's problematic, because unlike my hobbyist playlist with 100 followers, there are curation brands and artists with playlists that depend heavily on Spotify. They're all exposed to this type of attack, which seems to rely on either hacked accounts or easily-created free accounts.
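One way a platform could blunt this without ignoring genuine reports is to weight a report by the age of the account filing it and to route bursts of reports to a human instead of auto-actioning them. The following is an added example of that triage logic, written for this article; it is not Spotify's reporting system, and the thresholds, field names and sample report data are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Tuple

DAY = 86_400  # seconds


@dataclass(frozen=True)
class Report:
    playlist_id: str
    reporter_id: str
    reporter_created_at: int  # Unix time the reporting account was created
    reported_at: int          # Unix time the report was filed


def triage(reports: List[Report], now: int, min_account_age: int = 30 * DAY,
           min_trusted_reporters: int = 3, burst_window: int = 3600,
           burst_threshold: int = 10) -> Tuple[str, str]:
    """Decide what to do with the reports against one playlist.

    Returns ("auto_action" | "manual_review" | "hold", reason). Reports from accounts
    younger than min_account_age never count towards automatic action, and a burst of
    reports without enough established reporters goes to a human instead of a bot."""
    rs = sorted(reports, key=lambda r: r.reported_at)
    if not rs:
        return "hold", "no reports"
    trusted = {r.reporter_id for r in rs if now - r.reporter_created_at >= min_account_age}
    fresh = {r.reporter_id for r in rs} - trusted

    # Sliding window: does any burst_window-second span hold >= burst_threshold reports?
    burst = False
    j = 0
    for i, r in enumerate(rs):
        while r.reported_at - rs[j].reported_at > burst_window:
            j += 1
        if i - j + 1 >= burst_threshold:
            burst = True
            break

    if len(trusted) >= min_trusted_reporters:
        return "auto_action", f"{len(trusted)} distinct reporters with established accounts"
    if burst:
        return "manual_review", (f"{len(rs)} reports within {burst_window}s, "
                                 f"{len(fresh)} from accounts under {min_account_age // DAY} days old")
    return "hold", f"only {len(trusted)} established reporter(s); waiting for more"


# Constructed sample data (not real Spotify logs): a botnet pile-on versus organic reports.
def botnet_reports(now: int) -> List[Report]:
    # 12 reports in four minutes, all from accounts created two hours ago
    return [Report("pl_botted", f"bot{i:02d}", now - 2 * 3600, now - 240 + i * 20)
            for i in range(12)]


def organic_reports(now: int) -> List[Report]:
    # three reports over three days from accounts that are more than a year old
    return [Report("pl_spam", f"user{i}", now - 400 * DAY, now - i * DAY) for i in range(3)]


if __name__ == "__main__":
    NOW = 1_700_000_000
    print(triage(botnet_reports(NOW), NOW))       # manual_review
    print(triage(organic_reports(NOW), NOW))      # auto_action
    print(triage(organic_reports(NOW)[:1], NOW))  # hold
```

The point of the account-age rule is that it makes the attack cost scale with the sign-up friction: if creating an account requires a verified phone number, a botnet cannot cheaply manufacture the "established" reporters this check demands.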

Investment without security

People around the world are putting hours of effort into their streaming accounts: building playlists, followings, brands and in some cases companies using their presence. All of that investment sits behind nothing more than a username and password.

Even accounts on platforms with better security get hacked, e.g. to misuse the trust someone has built up and run a cryptocurrency scam on their followers (as fellow music-tech writer Cherie Hu recently became a victim of on Twitter, which, besides Audius and the report fraud above, was my third prompt for writing this piece).

Even if a streaming service can reinstate an account after a hack, the hack can still damage your brand, e.g. if the hacker changes playlist titles and imagery to something offensive or to scams, or simply makes it impossible to keep running your playlist brand through repeated reporting. If you rely on a service's algorithmic recommendations, a temporary account takeover can mess those up for you as well.

Two-factor authentication is a basic standard for security. Maybe it’s time for streaming services to give it some priority and prevent fraud, scams, and theft.