The Financial Burden of Bots on Streaming Services
Business leaders often see security as an insurance policy – a box that CISOs need to tick just in case the organization comes under attack. This make it difficult for InfoSec decision makers to justify the cost of upgrading defenses. After all, we already ticked that box – right?
But when it comes to automated attacks, it’s not a matter of “if” bots will target your business. It’s not even a question of “when”. If you have anything of value on your site, for example user accounts – as all streaming services do – bots are trying to access them.
Their success means your business loses out on both customers and profits. But to build a business case for better bot protection, you need to understand how your business makes and loses money and how your defensive strategy against automated attacks can make a huge difference in this.
How Do Streamers Make (and Lose) Money?
The clearest revenue flow into an SVOD (subscription video on demand) streaming business is subscriptions. Namely:
- How much do you charge for a subscription?
- What upsells (e.g. ad free, HD/4K quality, simultaneous screens) do you offer and at what cost?
- How many subscribers do you have?
- How long does each subscription last on average?
That final point refers to the LTV (lifetime value) of each customer. This is the golden number you need to maintain – retaining customers for as long as possible is far more cost effective than acquiring new customers.
What Influences New Subscribers, Customer Churn and LTV?
There are lots of factors, but some key ways to acquire new customers and keep them subscribed include:
- Adding content people are interested in, namely exclusive movies, TV series and events.
- Being easily accessible across devices so your service is widely compatible with screens people want to watch on.
- Delivering good customer service. This doesn’t just mean offering a slick UX, it also means staying on top of incidents and protecting customer accounts – in the background, without impeding their day-to-day usage, of course.
How do Bots Affect Streaming Revenue?
Bots damage the revenue of streaming services through damaging the value of accounts, and by harming the experience of existing customers.
Account Takeover and Credential Stuffing Attacks
One of the most common use for bots against streaming services is the theft and resale of user accounts. This is done in huge volumes using credential stuffing bots to test millions of leaked credential pairs from other sites, in the hopes customers have reused passwords elsewhere.
Defending against bot attacks is especially troublesome for streaming services. More device compatibility means more routes in for bots as well as consumers, and devices like smart TVs and games consoles are difficult to protect using traditional agent-based bot defenses.
With attackers reselling accounts for as much as 80% less than their retail price, the value of each account drops dramatically. Each account resold is a potential paying customer lost – why pay full price when you can access content at a fraction of the cost?
Then there’s the effect on the rightful owners of the accounts. With many services now enforcing limited simultaneous logins or streaming sessions, the rightful owner can easily be locked out when others have unwanted access.
This creates friction as users must manually recover their accounts or call customer support for help. The frustration this causes, especially if it happens while a live event is airing (not to mention the risk of having personal information stolen from their account) increases churn and lowers LTV.
Increased Customer Service Costs
The results of bot attacks, if not caught early, need customer support agents to step in and fix. This is more expensive to the business than blocking a bot at the earliest stage. For example, if an account is stolen, the affected customer might call in to recover the account. After a large scale attack, these calls quickly pile up to create significant operational cost.
Attempts to Block Bots Can Harm Customers
Over-aggressive or inaccurate bot mitigation attempts can also create false positives, blocking genuine customers from accessing services. Again, this is complex to resolve and requires customer support effort.
Alternatively streaming services could enforce multifactor authentication or CAPTCHA challenges to keep bots out, but these also add friction to user journeys. Customers value ease of use and convenience, so adding extra steps to login could harm churn and LTV.
Inflated Infrastructure Costs
At the peak of automated attacks, up to 90% of requests to streaming login pages are malicious. This high volume of bot traffic adds costs to infrastructure, and risks harming the stability of the service – not only adding to hosting and operational costs, but also increasing the likelihood of customer churn.
How Can Streaming Services Protect Revenue Against Bot Attacks?
The most effective defense against bot attacks is to monitor the full attack lifecycle, and understand the tactics, techniques, and procedures (TTPs) of attackers. A great place to start on this journey of understanding is by using the BLADE Framework to map attacks against your own business logic.
It’s also important to know who is attacking you, how, and for what purpose. The Netacea threat research team specializes in infiltrating attacker discussions and tracking their activities. We have access to and collect data from over 3,000 communities. This gives us insider knowledge who is selling which accounts and the tools they’re using to launch their attacks.
Protecting every login endpoint, not just web and mobile apps, is also key for SVOD streaming. Netacea uses server-side technology to ensure there are no gaps in protection, with APIs monitored alongside websites and mobile apps in a single integration.
This proved vital for a customer for whom we detected over a million malicious login requests made via Xbox console endpoints during a major event.
Find out how Netacea’s unique approach to bot protection safeguards all login and registration attempts using defensive AI, accurately distinguishing and blocking bots without causing friction to customers or false positives. Sign up for a demo.
