A Case of Attacking Account Abuse

Page 2 of 2

ISI's homegrown solution to the account abuse was "pretty successful" for a time, but the company decided it needed something more "holistic" that went beyond simple IP or session tracking, particularly in dealing with customers in developing countries such as Russia and China where abuse was more widespread, Monteiro said. The company turned to Scout Analytics, which, Monteiro notes, had established a "very good" track record over the last 2 to 3 years and promised to provide a more complete picture of account activity as one of the few overarching products on the market.

Monteiro opted for Scout Analytics' Assurance, a SaaS application that transparently monitors and gathers account activity information, performs pattern analysis on the data, and identifies any problem behavior. Suspected unlicensed activity triggers a response chain, according to the content provider's preferences.

Like many companies, ISI knew unlicensed activity was occurring-in fact, paid content providers like ISI with a named-user licensing model often see between 20% and 40% of their users share credentials with unlicensed individuals, according to Scout Analytics SVP of Strategy for Scout Analytics Matt Shanahan. When this happens, "companies fail to capture the revenue associated with unlicensed users, and their renewal rate drops over time as people find that they don't get caught," Shanahan says. "Essentially, their business model has a leak."

ISI, like some of its peers, has previously patched the problem with homegrown solutions that tracked IP and network information. Many companies attempt to put the kibosh on unlicensed activity by barring users from running concurrent sessions, and some, like ISI, had systems in place to track geolocation information to flag logins that happened close in time but far away in terms of geography. The high rate of false positives resulting from these approaches could harm companies' ability to confront and deal with the problem, while allowing as much as 80% of actual illicit use to go unnoticed, according to Shanahan.

"In many cases, the sharing occurs within an office building, not in geographically separate locations," says Shanahan. "Additionally, these solutions have a high false positive rate, since some users log in to multiple machines at once."

To take a broader view of user license activity, Scout Activity Assurance tracks username patterns, including biometric typing patterns, along with PC and system information. Individuals might be able to share login information, but they will usually distinguish themselves when they physically type using their own distinct style-hitting certain keys faster or slower or typing with a unique rhythm-according to the company. When several different patterns become attached to the same username, account managers are able to see when different individuals are logging in with the same name, not just when the same name is used to log in from different computers or locations.

Shanahan estimates that the Assurance method is able to capture between four to five times the unlicensed activity that homegrown solutions capture. The more holistic approach to account usage also helps cut back on the false alarms, he added.

Any red flags raised trigger a remediation workflow, notifying system managers who can then decide on the next course of action. In some cases, managers can use the usage report as a third-party audit when confronting customers about unlicensed use, push customers to upgrade their licenses, and create new subscribers, boosting revenue anywhere between 10% and 15%, according to Shanahan.
It took ISI about 6 weeks to fully deploy Scout Analytics Assurance across its platform over dozens of offices, with a set-up process that Monteiro describes as relatively easy. The SaaS service sets a JavaScript code on the login page of a content site, which then begins collecting session data and transmitting it to the Scout Analytics web-based analysis service.
However, even after that, results weren't immediate. The program needed about 6 months to collect enough data on users' accounts, behavior, networks, biometric typing patterns, and other information to produce a full-fledged, meaningful analysis, since users didn't necessarily log in daily. Once that was in place, however, a clearer picture about ISI users' unlicensed activity began to emerge.

According to data collected by Scout Analytics Assurance, 23% of ISI customer accounts showed usage beyond their licensing agreement. Approximately 25% of service users had no license, while 34% of site license accounts were being used by only one person. The report also showed that 10 of ISI's major clients had fewer than 10% of their accounts in use.
ISI took the data generated by Scout Analytics and printed out a report, which it then used as the basis for confronting customers where abuse was problematic. How they responded to it varied from customer to customer.

"If you approach a customer like a large international bank, the last thing they want to be accused of doing is cheating the system," says Monteiro. "If you're talking to people a lot smaller, they'll say, oh, we'll tell this guy to stop using it. Then it's up to the finesse of the salesperson."

Shanahan says that ISI's use of Scout Analytics' report is fairly typical for similar companies with business-to-business online content publications and sales teams. "During the notification, the sales team will try to up-sell more subscriptions, or at least ensure the unlicensed use halts," says Shanahan. "Typically, half of the unlicensed use results in
an up-sell."

Even in cases where customers are reluctant to shell out more to upgrade their licensing agreements, Shanahan said that the reports can provide a powerful deterrent to rule breakers. "The notification typically stops revenue erosion from previously undetected violations whose renewal spend would decline around 40% of the time," adds Shanahan.

The resulting reports, with precise details on suspicious activity, "change the dynamic of how you approach customers," says Monteiro. The company leveraged the data to upsell some clients' licensing agreements and to convince others to address account abuses, he added.

While homegrown IP address and cookie-tracking systems had previously given ISI some rudimentary details on unauthorized access, Scout Analytics Assurance represents a more "holistic approach," with tougher safeguards to ensnare those who try to cheat the system, Monteiro says, adding that the SaaS model made it easy to install or uninstall. "You've got to have a number of tools at your disposal, and what we found is that this is one of them."

Page 2 of 2