Credential sharing, the practice of using someone else’s digital identity to gain access to a platform or product, has become commonplace, particularly when it comes to video streaming services. While credential sharing brings with it obvious user-end security issues for organizations of all sizes in all verticals, it also poses a serious problem for organizations that depend on the revenue generated from paid user accounts.
When most of us think of credential sharing, we likely think of people sharing a Netflix account with friends or family members as a favor or in order to split the cost of one account between two or more people. However, credential sharing can also take a more transactional form, such as sharing credentials in exchange for payment or sharing credentials with third-party resellers in exchange for a fee.
At its core, credential sharing is a form of theft. When two or more users share access to a paid account designed for single-user use, businesses lose out on the revenue they would have earned if each actual user paid for their own account.
Security Issues & Threats to Bottom Lines: Credential Sharing is Problematic from Both Perspectives
Credential sharing poses issues both for the companies creating the product that is being illegally shared between users and for organizations whose employees are sharing internal login credentials among themselves. In this article, we will discuss the problems credential sharing poses from both of these perspectives and discuss strategies organizations can use to discourage this problematic issue.
How Common is Credential Sharing?
Credential sharing is incredibly common, particularly when it comes to video streaming platforms. A survey found that 22% of US residents (46 million people) are using credentials borrowed, purchased, or stolen from someone outside their household to access video content without paying for it.
The Security Implications of Credential Sharing
Obviously, credential sharing is a serious problem for organizations like Netflix and Hulu, which rely on paid user accounts to generate revenue. However, credential sharing also poses a serious security risk for individuals and organizations that engage in this risky behavior. A recent survey of 1507 American adults found that 34% said they shared passwords or accounts with their coworkers, allowing us to extrapolate that as many as 30 million of the 95 million American knowledge workers may be engaged in credential sharing. Considering 81% of cyber incidents used stolen or weak passwords to gain unauthorized access to systems, this high rate of credential sharing is alarming.
This security issue is further compounded by the fact that the same study of 1507 Americans revealed that 22% of surveyed individuals admitted to reusing passwords across multiple accounts, while only 12% used password managers to safely store and manage their passwords. Reusing passwords is a serious security risk, essentially providing cybercriminals with access to multiple accounts on different platforms if they are able to guess or steal a user’s password from a single, less secure platform.
Credential Sharing Leaves Your Organization Vulnerable to Credential Stuffing Attacks
Re-using passwords also makes users vulnerable to credential stuffing attacks: when cybercriminals use username and password combinations obtained during a previous breach to attempt to login to a targeted account. This means that if one of your accounts (say, your email) is compromised, any other account that uses that same username and password combination is now vulnerable.
Steps Organizations Can Take to Prevent Credential Sharing
Fortunately, there are steps organizations can take to prevent credential sharing, whether they are concerned about employees sharing accounts amongst themselves or paying users sharing their credentials with unauthorized, non-paying, third parties.
Preventing Credential Sharing Amongst Employees
Credential sharing among employees poses a serious security risk and should be heavily discouraged. Employee education, consequences for credential sharing, and making credential sharing less enticing are all critical for curtailing this risky behavior.
Ensure Employees Understand the Risks
The first step to stymying credential sharing between employees is to explain why credential sharing, which many view as “harmless”, is a serious issue. When employees understand the reasoning behind rules, they are much more likely to see why those rules are necessary, improving adherence. It helps to include specific examples where credential sharing caused cybersecurity incidents and discuss the fallout of those incidents. By highlighting the serious consequences of credential sharing, you can help employees better weigh the temporary convenience of credential sharing against the serious potential cost.
The risks of credential sharing should be discussed as part of your employee onboarding process and during regular cybersecurity refresher training. Regular reminders, such as a message that reminds users about the risks of credential sharing whenever they log in, can also help ensure this message sticks.
Implement Consequences for Credential Sharing
Rules are only effective if there are consequences for breaking them. Many businesses continue to foster a culture where password sharing and other “harmless” rule-breaking earns employees a gentle reprimand at best. Credential sharing is not a victimless crime; Instead, it is a serious threat to your IT security and your business.
Ensure you have a clear disciplinary procedure for dealing with employees who engage in credential sharing and ensure that this procedure is clearly communicated to all employees. You should also include consequences for employees who witness credential sharing and do not report it, as well as a clear, easy-to-navigate procedure for reporting instances of credential sharing.
Improve Your Access Processes
Most employees don’t share credentials because they want to harm your organization; they do it because it is convenient. The most effective way you can reduce credential sharing within your organization is by identifying why employees are sharing credentials, adjusting your processes to address those root causes, and making it easier for employees to follow the rules without compromising efficiency.
How you address this issue will depend on the root cause of credential sharing within your organization. This may include:
- Reviewing your onboarding process: If new hires are waiting too long to be issued credentials, their managers or co-workers may be sharing credentials so that the new hire can actually perform their tasks.
- Improving your approval time rates: If employees are waiting too long to be granted access to files or servers they need to do their jobs, managers may be tempted to share credentials to avoid work delays.
- Are managers sharing passwords because they need their subordinates to tackle some of their workload? If so, you might want to explore officially re-allocating some of your manager’s tasks to appropriate subordinates (and issues login credentials for those subordinates) or adding new members to that team to better even out everyone’s workload.
Disable Concurrent Logins
Disabling simultaneous logins is an easy way to discourage credential sharing since it ensures any user who shares their login information cannot log in while another user is using those credentials. While this strategy alone won’t prevent credential sharing, it does make it a less practical and attractive option, potentially negating any temporary productivity benefits.
Enabling this feature without prior notice is also a great way to pinpoint which employees are currently engaging in credential sharing behavior since users are likely to complain when they discover they cannot log in or are repeatedly booted from the system.
Don’t Forget About Third-Party Users
If you use third-party organizations to supplement your team, you should also be taking steps to limit credential sharing on that front. Though you likely have less oversight over these users and how they act, you need to ensure controls are in place to ensure offsite third-party users aren’t engaged in credential sharing behaviors.
Ideally, this would include time restrictions and tracking on third-party users that alert you to any potential credential sharing behaviors. This is particularly critical from a legal and compliance perspective since you will need to show that any contractors accessing your data are following your internal procedures correctly.
Monitor Your Network for Suspicious Activities
Tracking behavior that may indicate users are engaged in credential sharing can help you determine how widespread this practice is while also hardening your systems against cyberattacks.
Many cybercriminals rely on stolen credentials to gain unauthorized access to sensitive systems. By taking steps to curtail credential sharing, such as disabling concurrent logins or sending users an alert when another user attempts to log in using their credentials, you are also taking steps to improve your cybersecurity posture as a whole. Preventing concurrent logins can help keep cybercriminals out, while alerts can let employees know if their credentials have been stolen or compromised so they can alert your IT and security teams so they can take appropriate action.
Preventing Credential Sharing Between Paying and Non-Paying Users
When it comes to preventing credential sharing among your user base, there are many lessons to learn from streaming services such as Netflix, Hulu, and Spotify.
Make Your Accounts More Personalized & Ownable
While Netflix and Hulu have to deal with rampant credential sharing, Spotify does not. The reason so many people share Netflix accounts is that Netflix allows different users to create different profiles. While this is supposed to ensure your spouse or children aren’t inadvertently messing up your recommendations lists, it also makes it easier for users to engage in credential sharing without consequences.
On the other hand, Spotify does not allow users to create separate profiles within a single account. While different household members can get a discount by purchasing multiple accounts under one payment umbrella, sharing individual accounts messes with users’ personalized recommendations and playlists.
How you go about tailoring your product to individual users depends on the product, but some strategies you may want to consider include:
- Limiting the number of files a user can save (so no one wants to give up precious save slots)
- Limiting the number of times a file can be downloaded
- Personalizing the user’s experience based on previous behaviors (for example, e-learning software that tailors courses based on a user’s past quiz performance, interests, or previously accessed courses).
Implement Single-Sign-On Technology
Single-sign-on technology involves replacing user-generated usernames and passwords in favor of social media account logins from popular platforms such as Facebook, Microsoft, LinkedIn, or Facebook. This makes the login process more convenient for users (who need to remember one less username and password combination) and discourages credential sharing.
People don’t want their friends and co-workers poking around on their personal social media accounts, which are chocked full of sensitive personal information and, in the case of Google, credit card access in the form of Google Pay.
Insist on Two-Factor Authentication
Two-Factor authentication, also called multi-factor authentication or MFA, requires users to enter two different pieces of information to verify their identity. Most systems pair a strong password with a second factor such as a text message sent to a pre-registered phone number or a hardware element. For example, if an employee tries to login to their account on your product, they would need to enter both their username and password, as well as a one-time code sent to their phone.
Mandating two-factor authentication both improves user security and makes it incredibly inconvenient to engage in credential sharing behaviors, since the unauthorized user would either need the account owner’s phone or have the account owner send them the one time code, most of which are only valid for thirty seconds to a minute at most.
Block Simultaneous Logins
Everything we do online is tied to our IP addresses. An IP address is a unique piece of information used to identify a device on the internet or a local network. Since people (and their devices) can’t physically be in two places at once, there is little reason for anyone to log in from two different IP addresses simultaneously.
Using IP addresses, companies can block simultaneous usage on their accounts from two different IP addresses. So if one user logs in on computer A, then computer B (which is using the same credentials) is automatically logged out so that only one device using a single set of credentials can access the product at a time. This approach makes credential sharing inconvenient and frustrating since both users are continually being logged out by one another and can’t be using the same product simultaneously.
Pay Users for Referrals
While it won’t single-handedly stop credential sharing, paying users for referrals can help discourage this practice by making referrals a more attractive option. Paying for referrals re-frames credential sharing as a money-losing endeavor. Ordinary credential sharing is a net-neutral financial option for paid users: after all, it isn’t like they are paying extra to let their friend, family member, or co-worker use their credentials. When you add a referral bonus, credential sharing is re-framed as a loss.
Offering existing users a percentage of each sale, a flat rate fee, or a discount when they refer a friend incentivizes existing users to get their friends, family members, or co-workers to pay for their own accounts rather than engage in credential sharing behaviors.
Credential sharing is harmful and needs to be discouraged, whether you are concerned about paid users sharing their accounts with unauthorized, non-revenue generating users or worried about how co-workers sharing accounts impacts your organization’s security. For more information about the security, financial, and other harms credential sharing can cause, or tips on reducing or eliminating credential sharing, please contact our team today.
Cybersecurity is a complex and continually evolving field. To help your team stay up to date on the latest developments and best practices, please visit our articles and resources page and consider reviewing these suggested educational articles and resources.
Cybersecurity Basics For All Organizations
- Hacked? Here’s What to Know (and What to Do Next)
- IT Security vs Compliance: What Are Their Differences?
- Identity Management is Really Just Cybersecurity Best Practices With a Fancy (& Expensive) Name
- Guide to Creating an Effective Incident Response Plan
- Terms and Phrases Used in the Managed IT and Cybersecurity Industries
- The SMBs Guide to Getting Started with Cybersecurity
- Cyber Hygiene 101: Basic Steps to Keep Your Company Secure
- Identifying a Breach: Finding Indicators of Compromise (IOC)
- Making Sense of TTPs, Cybersecurity, and What That Means for Your Business
- The Shift From Cybersecurity Being a Want to a Need Just Happened
- What is a Managed Services Security Provider (MSSP)?
- Computer Security Incident Handling Guide: Recommendations of the National Institute of Standards and Technology (NIST)
Cybersecurity Basics By Industry
- Cybersecurity Basics Every College and University Needs to Have in Place
- The Ultimate Guide to Cybersecurity in the Healthcare Industry
- The Rising Cost of Healthcare Industry Data Breaches
- How the Financial Industry Can Strengthen Their Cybersecurity
- Cybersecurity for the Manufacturing Industry, What You Need to Know
Minimizing Your Risks
- What Are the Risks of Using Unsupported Hardware?
- The Risks of Public WiFi (& How to Protect Yourself)
- The Ultimate Guide to Managed Threat Intelligence (2020 Edition)
- Airports are a Hacker’s Best Friend (and Other Ways Users Expose Themselves to Risk)
- Keeping Your Network Secure in a “Bring Your Own Device” World
- Basic Website Precautions: Keep Intruders Out with these Fundamental Security Best Practices
Common Threats (and How to Avoid Them)
- The Modern Hacker: Who They Are, Where They Live, and What They’re After
- In a Remote World, Social Engineering is Even More Dangerous
- Hackers Are Increasingly Targeting People Through Their Phones
- How Fear Motivates People to Click on Spam
- Ransomware is Only Getting Worse: Is Your Organization Prepared to Confront it?
- Everything You Need to Know About Ransomware (2019 Edition)
- 5 Old-School Hack Techniques That Still Work (and How to Protect Your Data)
- DNS Spoofing: What It Is and How to Protect Yourself
- Don’t Let Phishing Scams Catch You Unaware
- Cryptojacking: Because Every Currency Needs to Be Protected
- Why Your Company Could Be the Next Equifax or CapitalOne