Criminals can reactivate Netflix account due to lack of security

Criminals have reactivated Netflix accounts that were no longer active without knowing what data users use to pay. This is because Netflix accounts cannot be secured with two-factor authentication and Netflix does not send confirmation of reactivation.

Re-entering payment details is not necessary, because Netflix stores the payment details of users for ten months, the BBC reports. Then, when reactivating the account, users do not have to enter payment details again to take out a paid subscription. The BBC cites a few examples where criminals abused this.

The feature is intended to make it easy to become a paying customer again, but has the side effect, according to the BBC, that users whose passwords have been stolen suddenly pay for a subscription that they did not take out themselves. The password can be stolen through data breaches, after which criminals try to see if the Netflix password is the same as those users use with other services. They can make money from that practice by selling access to the account.

Netflix could have prevented this fraud by introducing two-factor authentication for accounts and sending a confirmation email when users resubscribe. Both are currently not possible with the streaming service.

It is unknown how many people are victims of this type of fraud. Netflix does not provide figures and BBC only has anecdotes from victims. In at least one case, Netflix did not return all the money to a former customer after discovering the fraud. It is not possible to remove an individual payment method from an account, even after deactivation.