Happiness After My Netflix Account Was Hacked

in #security7 years ago

My Netflix account was hacked! But this is not a sad story; rather, it exemplifies how a good cybersecurity strategy can simultaneously mitigate risks and make customers happy.

I was recently notified via email that my request to change my Netflix account email address was completed. Well, as I never asked for any change, I immediately knew what was going on. My account was compromised.

Digital Media Account Insecurity 

Netflix and other digital media accounts are not inherently all that secure. Millions of account holders, many less-than-secure devices, and a propensity to give out credentials to guests add up to many accounts being inevitably compromised. The odds are not in favor of security.

There is also a direct relationship between the number of devices holding your login credentials and the risk of compromise. It could have been a data breach on the corporate side, but given how many devices I have connected to my Netflix account, I expect an endpoint compromise is the most likely cause. Just in my home, I have over ten different devices that connect with my Netflix credentials: several Roku boxes, PCs, phones, tablets, and smart TVs, all tied to my account. In hindsight, it is probably overkill, but I like my devices connected. Who knows how each of those devices stores and protects such login data.

Many successful hackers want full control of compromised accounts. They change the email address to one they own and now they can reset the login password. This gives them the rights to use the account, purchase additional content, and even sell the login to others.   

Most security professionals focus solely on preventing such attacks. That is noble and cost effective where possible, but it is not a comprehensive strategy. Hacks will occur; therefore, a proper safety net must also be in place. In the case of Netflix, account compromises will occur often. To deal with these unavoidable situations, it is important to have rapid detection and response capabilities in place.

No Fear, Just Preparation 

Just because security is complex does not mean it must be difficult to manage. Case in point: Netflix has a simple feature for when someone requests an email address change. They send a notification to the old address with instructions on how to respond if the change is in error. This simple act engages the end user in helping detect compromises.
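To make that detection-and-response control concrete, here is an added Python sketch of the "notify the old address" pattern. It is example code written for this page, not Netflix's implementation (the post never shows any), and the revert URL, the one-week grace period, and the session/lock handling are all assumptions. The point it demonstrates is that the old address is the one channel the legitimate owner still controls after a takeover, so the revert token goes there, and a successful revert also evicts the sessions that made the change.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# Assumption: the owner gets one week to object to an email change.
REVERT_WINDOW_SECONDS = 7 * 24 * 3600


@dataclass
class Account:
    user_id: str
    email: str
    sessions: set = field(default_factory=set)  # active session ids
    locked: bool = False                         # true after a revert, pending support review


@dataclass
class EmailChange:
    user_id: str
    old_email: str
    new_email: str
    requested_at: float
    reverted: bool = False


class AccountService:
    """Minimal account store with change-notification and revert logic (illustrative only)."""

    def __init__(self, outbox):
        self.accounts = {}
        self.changes = {}      # sha256(token) -> EmailChange; only the hash is stored
        self.outbox = outbox   # constructed stand-in for a mail sender: list of (to, subject, body)

    def change_email(self, user_id, new_email, now=None):
        """Apply the change, but notify the OLD address with a time-limited revert token."""
        now = time.time() if now is None else now
        acct = self.accounts[user_id]
        old_email = acct.email
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        self.changes[token_hash] = EmailChange(user_id, old_email, new_email, now)
        acct.email = new_email
        # The old address is the only channel the real owner still controls after a takeover.
        self.outbox.append((
            old_email,
            "Your account email address was changed",
            "If you did not request this change, revert it within 7 days: "
            f"https://example.invalid/revert?token={token}",   # assumed URL
        ))
        return token

    def revert(self, token, now=None):
        """Undo a change if the token is valid, unused and inside the grace period."""
        now = time.time() if now is None else now
        token_hash = hashlib.sha256(token.encode()).hexdigest()
        change = self.changes.get(token_hash)
        if change is None or change.reverted:
            return False
        if now - change.requested_at > REVERT_WINDOW_SECONDS:
            return False
        acct = self.accounts[change.user_id]
        acct.email = change.old_email
        acct.sessions.clear()   # evict whoever made the change
        acct.locked = True      # require identity verification through support before reuse
        change.reverted = True
        return True
```

Storing only the hash of the token means a leaked database copy cannot be turned into a working revert link, and the dictionary lookup on that hash avoids any need for a timing-safe string comparison.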

As a customer, I saw the email and responded as instructed. I reached out first via chat on their website. An agent immediately responded and was able to assist. Per the security policy, I needed to verify my identity by providing the last few digits of my credit card on record. This makes perfect sense, as Netflix already has this information and only the customer is likely to be able to provide the proper data. Being more paranoid than most, I opted not to type it into the chat window. The service representative understood my concerns and, with no fuss, provided an alternate option of calling the toll-free number.

One quick call and only a single menu selection (for English) connected me to a local-language helpdesk person who was able to verify me and reset my account. No waiting. No endless tiers of call options. No obscure PIN or password that I needed to remember. Just a few digits from my billing account and quick service. Even the post-service survey was only ONE QUESTION!!!    

The whole process was so fast!   

Oh, the likes of AT&T, Comcast, and just about every other digital service provider should take notes. Dealing with the customer service team at Netflix was a pleasure.

Significance of this Situation? 

It is not that my Netflix account was hacked. That is to be expected (even secretly desired a little bit by the likes of security people). No, the real lesson here is that attacks will happen. Prevention is very important, but not a complete strategy. Putting in place the necessary compensating measures to address unfortunate events is crucial for businesses.

Netflix won in three areas: 

  1. Security notifications for account changes, which are timely, succinct, and provide clear instructions on what to do. This is simple and cost effective, yet something not every company does, but should. 
  2. Fully supported and in-place resources to engage with customers to resolve account issues. Time is of the essence when it comes to fraud and compromised accounts. Chat, email, and a toll-free phone number are readily available from Netflix. These communication paths are monitored, and in my experience the response was very fast. No extensive call trees or unnecessary user validations. Local language support was also appreciated. 
  3. It is obvious that Netflix has taken the time to think strategically and gain insight into the threats posed by attackers, the ways in which their customers will be compromised, and where to apply resources for maximum detection and response capability. This predictive capability blends well with the normal preventative controls also employed.

Netflix has successfully woven together prediction, prevention, detection, and response measures to form an outstanding cybersecurity process capability that will continually adapt to users' expectations and the maneuvers of adversaries. Additionally, these mutually supporting functions maintain the ability to dynamically dial expenses to acceptable levels as warranted.

Netflix has done a great job of finding an optimal balance of risk mitigation, cost effectiveness, and user experience in managing their cybersecurity. Their solution is simple, straightforward, and effective. As a security professional, I am impressed. As a customer, I am happy. That is the best kind of sustainable security!

Well done!     


Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Steemit to hear insights and what is going on in cybersecurity.  


I've experienced one too many frustrating phone calls. It's good to know that Netflix is on top of things.

I love the video format!!

How many people ignore email messages from their digital providers due to an overabundance of spam marketing? I think it would take several changes for other companies to use such methods effectively. ...I hope they do, if it means less spam from them. That alone is worth it!

What's the point of hacking a Netflix account?

Now if we have something as good as this for decentralised setups..! Great video @mrosenquist. Definitely a company to learn from :)

That would be a much more difficult problem. However, I would not put it past the brilliant blockchain people in coming up with a way to better assist decentralized structures to both detect and respond to account compromises. We just need to be as creative as the attackers. :)

Very detailed, thank you.

Did you know that this technology is enabled through methods from the field of artificial intelligence (AI)?

I wrote a blog post on AI. It is high quality and if you like it I would appreciate an upvote.

--> https://steemit.com/technology/@martinmusiol/understanding-artificial-intelligence-blog-post-2-how-does-ai-identify-objects-in-images

Kind regards,
@martinmusiol

P.S. I follow you now and, of course, upvoted this good article.

Classy follow-up. Thank you very much!!

This is supercool! @mrosenquist Thanks! Followed...
