Saturday, February 11, 2023

Bypassing location-based account restrictions, and the risks of password sharing

A company who I will not name has recently taken corporate-driven action to reduce the accessibility of signing into their service from different locations, under the claim that it reduces password sharing. I'll discuss why these actions do not actually reduce password sharing, and some actions which could be taken to actually stop password sharing and also maintain profits.



This company is a certain media streaming company who has been in the news recently for forcing location-based account restrictions. Included in these restrictions are supposedly requirements to sign into an account at a "home address" every month, and also the ability to add other accounts into a "family" for an increased price. It's clear that this company is taking these actions in an effort to lock down on "freeloaders", more importantly to receive a subscription from them like they believe they should be doing. These restrictions however are fairly easy to bypass, at least seemingly so at the time of writing this, and there are proven ways to allow for account sharing on other mediums without imposing such restrictions.

To start off, let's discuss password sharing. Password sharing is simply giving someone else a password to access an account. I want this to be very clear:

PASSWORD SHARING IS INSECURE. DO NOT SHARE PASSWORDS.

With that said, people do it anyways. Why? To access something someone else paid for, typically. In a sense, it's P2P/torrent file sharing, except rather than a collective and anonymous means of sharing content, it's "privately" shared between people. Now, the legality of torrent file sharing is already questionable, as it comes down to the difference between owning a product/software versus owning the right to use a product/software- I won't discuss that, but just know that services have TOS/EULAs which should clear up this to the point where if someone gets caught doing something questionably legal, it probably can be brought to court and deemed illegal.

The nice thing about password sharing under one account is there's no definitive way to prove that it's happening. If someone is on a trip, they may log into 10 different places around the world, but in reality it's just them logging into different airports to enjoy content on their mobile device. The entire idea of a mobile app, in fact, is to be able to access services on-the-go.

But actually, they didn't log into 10 different locations- they instead have 8 friends who access their account, thanks to password sharing. Of course, these friends all agreed to keep it a secret so no one gets caught and the account stays up.

But 8 friends + original owner = 9 people? What about that 10th person? Well there's where password sharing becomes a risk. Let's say one of those friends just so happened to be logging in on a subway, and some stranger just so happened to be looking over their shoulder to catch their username and password. Or, another friend unknowingly installed a keylogger on their PC, or another friend got into an account scam, or another friend reused that password for another account that got hacked into. Maybe one friend just forgot to log out of their account on some random computer.

There are hundreds of security holes which open up as soon as a private credential like a password is shared- by word of mouth, over private chat or just SMS, over the phone, even over an insecure wifi network. And once the account is exposed, it's just a floodgate of dangerous actions that can happen with the account- turned into a scamming scheme front; stealing credit card info and draining wallets; even exposing the service to perform illegal actions like DDOSing, all from some random hacked account. Exposing an account can expose the original account holder to legal action they aren't directly responsible for, but they are certainly (indirectly) responsible for because they didn't keep a secure hold of their account.

How to fix this then? Two simple answers:
  1. DON'T SHARE PASSWORDS
  2. Require 2FA
  3. Optional but recommended: keep track of logins on all devices
  4. Required if you log into public devices: log out of them.

2 factor authentication (NOT OTP or One Time Passwords) is a pretty important necessity for keeping anything secure. In short, it's not good enough to give a password- there should also be something that actually identifies you as yourself, or otherwise actually authorized to use a password. For example, for extra phone security, a pin/pattern PLUS a face ID or fingerprint should be an option (but why isn't it, Android???? Speaking of which, if you haven't seen my rant about Google, do so). Anyone can steal your PIN, but they can't exactly forge a fingerprint. Conversely, if you are forced into a situation to log into a device, you can refuse to share your PIN, even if they forcibly grab your fingerprint.

2FA today requires a code on a phone (which should be secured behind additional security, just in case your phone is stolen) or email or SMS (both methods less secure, but more secure than nothing) or a physical security key (most secure unless it's stolen) to log into an account, in addition to a username and password. Therefore, the original account holder is always made aware if anyone wants to log into the account, because either they'll be asked for a 2FA code, or receive a notification informing them of such. As long as they don't have access to another account of the account holder's, like their email or the 2FA code originally used, then there is no way an unauthorized user can access an account, friend or stranger. For more info on 2FA, I suggest watching this video by Tom Scott: Why You Should Turn On Two Factor Authentication.

Some of the other ways I mentioned involve keeping track of where you're logged in. If you don't need to frequently use a device you logged in to, then log out of the device. If the account allows for such, regularly check the locations of all the logged in devices, and if at all suspicious, remove the device or change your password to something secure (not to say the original password should be insecure). If it's your account, then it's your responsibility, and you can change the password and sign-in as you see fit (of course without 2FA this opens the door for someone to steal an account too, by changing the password themselves, so in a nutshell, DON'T SHARE PASSWORDS).
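To make the "check the locations of all the logged in devices" step concrete, here is an added example (my illustration for this article, not any service's actual code) that reviews a session history and flags consecutive logins that no traveler could physically make. The session records, the 900 km/h speed limit and the 50 km same-city radius are all assumptions made up for the example.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

MAX_KMH = 900.0        # assumption: roughly airliner cruising speed
SAME_AREA_KM = 50.0    # assumption: IP geolocation is only city-level accurate

# Constructed sample session history (not real data): time, device, lat, lon
SESSIONS = [
    ("2023-02-01T08:00", "phone", 40.64, -73.78),    # New York airport
    ("2023-02-01T21:30", "phone", 51.47, -0.45),     # London airport, 13.5 h later
    ("2023-02-02T09:00", "phone", 51.51, -0.13),     # central London
    ("2023-02-02T09:20", "tv-box", 34.05, -118.24),  # Los Angeles, 20 min later
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def flag_impossible_travel(sessions, max_kmh=MAX_KMH):
    """Return (earlier_device, later_device, km, kmh) for each pair of
    consecutive logins whose implied travel speed exceeds max_kmh."""
    ordered = sorted(sessions, key=lambda s: s[0])  # ISO timestamps sort as text
    flagged = []
    for (t1, d1, la1, lo1), (t2, d2, la2, lo2) in zip(ordered, ordered[1:]):
        km = haversine_km(la1, lo1, la2, lo2)
        if km < SAME_AREA_KM:
            continue  # same metro area, nothing to learn from this pair
        delta = datetime.fromisoformat(t2) - datetime.fromisoformat(t1)
        hours = delta.total_seconds() / 3600
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            flagged.append((d1, d2, round(km), round(kmh)))
    return flagged

if __name__ == "__main__":
    for earlier, later, km, kmh in flag_impossible_travel(SESSIONS):
        print(f"review: {earlier} -> {later}: {km} km at {kmh} km/h")
```

The New York to London flight passes the check, while the London phone followed 20 minutes later by a Los Angeles TV box does not. A flag is only a prompt to review the device list, since a VPN exit server can make a legitimate login appear far away.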


Alright, with that out of the way, let's talk about how not to keep accounts secure: only allow location-based logins, or restrict based on location. Regarding the company mentioned in the introduction, I've noticed many people who said that they can no longer use the service because they travel, or watch on a mobile device, or use a VPN, and because of this, they have to either cancel their subscription, or resort to piracy (or be forced to pay more). This quite simply is incompatible with a public, mobile world where logins are on a per-device basis, and the device is not guaranteed to stay in one location forever. This has nothing to do with password or account sharing, in fact, and is fairly innocent use of a service, especially when a mobile app is provided for such.

There are different ways to identify a location on a device. The old, original way was using GPS satellites, hundreds or so orbiting satellites which can be used to triangulate positions on the earth. While planes and boats still rely on such, today devices might not necessarily come equipped with GPS detection equipment, but instead use other signals to locate (not to say that they don't entirely avoid such). These often rely on the Internet Service Provider, or ISP, to provide a relative location connected on the network. A home internet ISP knows your address because you have to register an internet plan for that address, so using that they can register your home's IP onto databases indicating a location as to where the IP is physically in the world (usually for security reasons, ISPs won't give the exact location, but rather locate the IP in the same city or region). For cellular networks, device locations can be identified with triangulation between cell towers, plus identifying where in the world these cell towers are located. There are other ways to identify a device location, such as using DNS servers, or manually specifying, or spoofing.

And this transitions into ways to bypass the location restrictions, but first, a thing about Virtual Private Networks, or VPNs. As said before, a location can be identified based on the ISP, with a given IP address. With a VPN (or even just a proxy), this location can be different from the actual location of the end user, because a VPN isn't necessarily going to be located where the end user is, hiding their IP as well- the receiving server only sees the VPN's IP, so they can only really locate a client based on that (unless explicitly asking the client). Because of this, it's likely that VPN users won't have one set location because VPN services often have different servers around the world, making it seem like this user is jumping all over the place (but there are other practical uses of VPNs, too). But not all hope is lost for VPN users.

One way to bypass these account restrictions is with a VPN. If you have a home ISP plan, chances are you can set up a VPN server in your home network (though not always). Take a look at this or other resources on how to set up a home VPN. Alternatively, you could use a VPN service, preferably paid, to try to always use the same VPN server when using the service. In fact, I got a paid subscription of ProtonVPN which is one such VPN that could come in handy if I use the service. With ProtonVPN specifically, I can manually select which VPN server I will connect to, rather than auto connecting to a random one, so that my IP, and therefore my location, always appears to be the same. One last thing, it might be worth trying out a proxy service instead- a proxy is like a VPN but only routing web traffic, which the service likely is only working over HTTP(S), and likely cheaper than a paid VPN.

But using an IP isn't the only way to change a location, and depending on how the service checks account login locations, a VPN or proxy might not be enough. Luckily, many devices actually allow spoofing locations (or uh setting default locations). On Android, this functionality is built-in with mock locations- a guide on doing this can be found here. On Windows, you can set a default location in settings or the maps app, for instance, but for other programs and OSes it varies on how to do it, and on some things (probably Apple devices) you can't spoof locations. But if you can't do it on one device, you might be able to accomplish it on another device (ehem an Android phone) and then open a hotspot, which might fake the location for any devices connected onto the hotspot.

One more thing about restrictions- it might not be location-based. Device-based restrictions also exist and can be as difficult to deal with with such services, but even these can be bypassed. Granted, however, faking an entire device is a far more advanced process, involving often spoofing MACs, copying identification cookies, running VMs, copying license keys, or even hacking apps to retrieve identifying info. At some point, this would turn from trying to act as one device, to outright hacking or pirating the software, so I won't go over how to do this sort of stuff.


Now with the location-based restrictions completely bypassed, let's talk about good ways to do account sharing, or library sharing. First, don't share passwords, as discussed. But people still want to be able to share and enjoy software and products with their friends, without their friends breaking the bank to do so. Now either their friends can all go pirate the content or set up a complicated system like a VPN as described before, or the service can make it easy for them to do exactly that. This is the methodology behind other services with notable library sharing abilities, such as certain game library services I won't name, or certain package delivery services I once again won't name. Such services let the original account holder, who owns the games or books or other services, to grant permission to use what they bought to other accounts, each with their own sign-in. These other accounts can't access everything, only that which the original account holder lets them access, and also what the service in use allows for access. Then, with a secure 2FA enabled account, the original account holder can enjoy their content, and so can their friends or family, separate and under one ownership, but private, secure, and restricted still. Services can even put this feature out as a premium feature, where for a small additional price, they can add up to 4 people in a family, for example.

But then, you might ask, the unnamed media service in question also has such a family sharing feature! Perhaps, but the way the company set it up, there is no benefit over simply using individual accounts- the family is limited to 2 more people, for an additional subscription per person which is the same price as the base subscription. The advantage with the better services and their family subscriptions is that the cost is lower per person, incentivizing families and friends to save and opt to share their library, over using individual accounts, and then the service still receives profit because it still requires one account to make a purchase for the other accounts can do so. In the long run, the service should still make a profit all things considered, as long as accounts are still incentivized to buy products into the service. The cost of an individual purchase of a product or service should be enough to offset the profit lost from 4 accounts that didn't make such a purchase as part of a family plan, and then with the price of the family plan, it should be that I would guess less than 10% of all accounts be in such a family plan not paying for the product, and as a result 90% of the accounts can make up for the loss of 10% of the accounts. I'm not an economist but this sounds ideal, especially compared to losing 20%+ of accounts from piracy, or password sharing, or dropping subscriptions.

It's a challenge to balance the income and expenses of a service, which requires making something competitive actually worth the price, to get people to keep paying, such as for a family subscription. Fighting this would be to limit accessibility to per-device or per-location, but incentivizes pirating or loss of profits over respectful use of a service, if the service itself isn't worth the price on a single account basis. With pirating, hacking, password sharing, etc. security risks arise which should be accounted for over profits, so it's important for users regardless of if they approve of a subscription plan or not, to take measures to secure their subscription and account from unauthorized access: enable 2FA, and DON'T SHARE PASSWORDS.


I have chosen to keep the companies, organizations, and services in question anonymous, for plausible deniability, among other reasons. The stuff discussed in here may change, such as location-based account restrictions, and the methodologies I discussed to bypass them which may no longer work. Because of this anonymity, resources linked in the article are provided as-is, but if you wish to review sources backing up my claims, I suggest you search for news articles and user comments regarding "password sharing", "account sharing", or "subscriptions" during the timespan of January-February 2023 and possibly earlier (this article is not guaranteed to be updated in the future).
