Balancing security and usability in the pay-media world

December 16, 2015 bengidley

Let’s face it; if consumers don’t get what they want, they look elsewhere. Gone are the days of loyalty due to limited choice. For pay-media operators this can be like walking a tightrope: protecting their content investment without the security negatively impacting the consumer experience. What can be done to make this easier?

To find out, let’s check in again with Bob. Unsurprisingly, after being identified as the cause of the corporate disaster, Bob is now unemployed. He spends most of his day catching up on the movies and TV series he missed. The ‘SuperBroadcast’ family subscription includes an online service for their live and on-demand TV channels with an introductory offer for up to 2 devices. Two will be enough, right? Why pay the additional multi-room fee to get more?

The frustrated consumer
This works well during the day, but the trouble comes in the evenings and at weekends when the whole family wants to watch TV. Sick of the constant arguments, Bob decides there must be a way round this restriction. He successfully uses a developer tool in the browser to block the messages going back and forth to ‘SuperBroadcast’. This solves the device limitation issue: with the concurrency control mechanism out of the picture, his operator doesn’t know he is watching.

Spurred on by this success, Bob uses his computer know-how to write a browser extension to do the same thing. Pleased with the result, he shares it online for free!

The opportunistic cybercriminal
Unlike Bob, who only wanted to increase the number of devices on his legitimate subscription, Adam has very different motivations.

As a cybercriminal, he is delighted to find Bob’s free browser extension. Adam knows that there is profit to be made by selling compromised account credentials. Such an illegal scheme means that the purchaser can use the username/password of a single ‘SuperBroadcast’ account without having a legitimate subscription of their own. As there is no concurrency control, Adam can sell these account details several times over.

The pay-media operator
From a cyber-services assessment, ‘SuperBroadcast’ realizes they have an issue with compromised account credentials. One option available to them is to use DRM device locking. This requires consumers to register each specific device they are using. However, it is unintuitive and very restrictive from a user’s perspective, which will certainly result in high subscriber churn. Is this really a viable option? An alternative would be to make the system harder to beat without impacting the viewing experience.

In an earlier post, I described how it is possible to secure the browser. In this pay-media example, the advantage would be to make the concurrency logic self-defending and aware of tampering from the extension or software on the consumer’s device. On top of that, an extra layer of encryption can be added to the traffic between the browser and operator.

It is possible for pay-media operators to balance the security they need with the usability their consumers demand.
