Our company, being in the technology field, consults all our clients on security. We cover how they can be safer online and take steps to protect their identity and data by using complex, frequently updated passwords, anti-virus and anti-malware protections, secured connections and more. I even wrote an article in March (2018) inviting our clients and others to get in touch with us for a “security checkup” to assess possible vulnerabilities. I re-read that article after a recent experience with Netflix and realized that I did not cover online account security.
I received a text from my sister, with whom I share the Netflix account, alerting me to the fact that there was a new profile on the account. As I logged into the account to investigate, I discovered my son added the profile as a joke. While that was harmless enough, my additional discovery wasn’t as harmless. Each profile has access to the main account controls, such as adding and editing profiles, changing payment information, the account email, password, parental controls and more. Some of those edits require the password to be re-entered, but others, like changing the phone number or adding/removing profiles on the account, do not require the password. Furthermore, the last four digits of my card number and expiration date are displayed. My concern? Any savvy computer user or hacker with a few minutes of unsupervised or undetected access to the account can get a good deal of information and “fill in the blanks” on the rest.
I immediately change the account password, log out all devices and tell only my sister the updated password. I also tell her about the importance of logging out after each use. I’ve done my due diligence. My next step is to review Netflix support documentation to see if there is a restriction I can enable so my information and related controls are not accessible by other profiles. There is no mention of an “owner account” or restrictions that can be made other than viewing for additional profiles.
Perhaps the online documentation is outdated, so I call support. The rep tells me, after verifying my account email, that nothing is wrong with my account, so “what is the problem?” The problem, I tell her, is that other users on the account have access to account controls and management when logged into their devices. I’d like a solution as soon as possible because this is a major security concern for me. Her response is “Change your password. Then, personally log everyone in and out of the account on each use. If they don’t know the password, they really can’t do anything important.” Hmmmm (big breath). I relay to her the steps I’ve already taken to secure as much of the account as possible, but I’m sharing the expense of the account with another user so she is entitled to the password and I am not going to personally oversee her habits in her home, half an hour away from me. While it may seem that just having access to a logged-in device won’t harm me, there is a concern. Furthermore, Amazon has this functionality. I also share that account with my sister. She can’t access my personal data and I can’t access hers. So, what is Netflix doing to ensure my security?
The repeated response to each step and the Amazon example is “If your password has changed, you have nothing to worry about,” “I can relay your feedback as we do not have that feature,” and “You have to create a new account if you want to eliminate that access now.” I get it. She didn’t understand the concern or the urgency and certainly wasn’t interested in transferring me up the chain to provide my feedback personally. I suppose my only recourse to guarantee my security is to close the account and share my experience.
The takeaway is to not only do your own due diligence with passwords, protections, security appliances and backups, but also to share your concerns and experiences with the companies charged with securing your information. If you have a similar experience with this or any other company, contact them. You may get a better response than I did and you may help to effect change toward improved security.
Mandy Haga