Subscription services generate monthly or yearly recurring revenue by selling a product or service, and web-based applications use this business model to reach thousands of consumers globally.
Yes, online subscription services such as your Apple Music, Spotify and Netflix accounts are vulnerable targets that can be used to clean out your entire online wallet while you are completely oblivious to it. It may be a process that requires time and effort, but it is extremely effective nevertheless. And here’s how.
The question is how much initial information an individual needs to kick-start an attempt to steal your information. In an exclusive interview, Murdock revealed that, while 60% of the US adult population has at least one subscription in their name, 30% of the remaining 40% are using the login credentials of the 60%.
This alarming statistic goes to prove exactly how much more available our login information is than we choose to assume. Besides, you don’t need to go far into your social media feed to see a couple or more people who’ve recently posted, ‘Hey, I just got a new Netflix subscription’.
In her presentation “Black Mirror: You Are Your Own Privacy Nightmare – The Hidden Threat of Paying for Subscription Services”, Murdock used Netflix as a case study to make her argument.
Most financial firms follow policies for when users forget their account numbers, and these very policies have loopholes that can be exploited. By making several phone calls to the same institution and asking for a different piece of information each time, the attacker gradually builds up all the details he needs to access your financials.
All the attacker needs to start with is ‘Hey, I’m traveling and I’m having problems with my utilities payment – could you please confirm the account number because I don’t have it memorized’, and then to offer your Netflix subscription information as valid proof of identity. Anyone who researches the vendor can figure out the characteristic fixed rate of the subscribed service.
Attacks of this nature, where individuals are deceived and manipulated into divulging sensitive information that is then used for fraud, are categorized as ‘social engineering’ and have become increasingly prevalent considering the vast amount of personal information available online.
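From the institution's side, the multi-call pattern described above can be watched for in call-centre records. The following is an added example, not taken from the article or from Murdock's presentation; the record layout, field names, 7-day window and threshold are all assumptions, and the sample calls are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed call-centre records (hypothetical layout):
# (timestamp, account, proof the caller offered, field the agent disclosed)
CALLS = [
    ("2024-03-01T09:10", "acct-A", "subscription_charge", "account_number"),
    ("2024-03-02T14:30", "acct-A", "account_number", "billing_address"),
    ("2024-03-04T11:05", "acct-A", "billing_address", "card_last4"),
    ("2024-03-01T10:00", "acct-B", "full_kba", "account_number"),
    ("2024-03-20T10:00", "acct-B", "full_kba", "account_number"),
    ("2024-01-05T10:00", "acct-C", "subscription_charge", "account_number"),
    ("2024-03-05T10:00", "acct-C", "account_number", "billing_address"),
]

def find_incremental_disclosure(calls, window=timedelta(days=7), min_fields=3):
    """Flag accounts where, inside one window, several different fields were
    disclosed and at least one caller 'proved' identity with a field the
    institution itself had handed out on an earlier call."""
    by_account = defaultdict(list)
    for ts, account, proof, disclosed in calls:
        by_account[account].append((datetime.fromisoformat(ts), proof, disclosed))

    flagged = {}
    for account, events in by_account.items():
        events.sort()
        for i, (ts, _proof, _disclosed) in enumerate(events):
            # Calls on this account that fall inside the window ending now.
            recent = [e for e in events[: i + 1] if ts - e[0] <= window]
            fields = {e[2] for e in recent}
            # A "chained" proof reuses something disclosed earlier in the window.
            chained = sum(
                1 for j, e in enumerate(recent)
                if e[1] in {prev[2] for prev in recent[:j]}
            )
            if len(fields) >= min_fields and chained >= 1:
                flagged[account] = {
                    "fields": sorted(fields),
                    "chained_proofs": chained,
                    "at": ts.isoformat(),
                }
                break
    return flagged

if __name__ == "__main__":
    for account, finding in find_incremental_disclosure(CALLS).items():
        print(account, finding)
```

Only acct-A is flagged: acct-B repeats the same request with full verification, and acct-C's two calls are too far apart to fall in one window.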
Admittedly, Murdock insists that attacks of this level are usually carried out by entire organisations and not individuals. But with people becoming more and more public about their personal lives under the influence of social media, attackers have enough and more material to effectively choose their targets.
Figure 1: Social engineering involves using tactics that are more difficult to predict compared to conventional hacking and theft.