Are We Making Progress on SSAI’s Fraud Vulnerabilities?

18 October, 2021 

One of the few factors dampening enthusiasm from the buy-side towards connected TV – particularly CTV inventory on the open marketplace – is the risk of fraud.

It seems like every few months a new CTV fraud scheme, which often cost advertisers millions in misspent money, gets uncovered by one of the fraud detection specialists. Rooting out these schemes is, of course, an important part of the battle against fraud – which often resembles a game of cat and mouse.

But these schemes almost always have one thing in common – they exploit weaknesses in server-side ad insertion (SSAI). In 2020 alone, fraud prevention business DoubleVerify identified more than twelve SSAI-based schemes.

This isn’t an unsolvable problem. Ben Antier, CEO of ad-server and SSAI specialist Publica (now owned by IAS) told VideoWeek earlier this year that SSAI isn’t an inherently vulnerable process: server-to-server transactions are already used for things like banking, where security is obiously key. “It’s more about the ad industry stepping up its game,” said Antier.

And seven months on from that interview, the industry has taken some significant steps in tackling SSAI’s issues.

Securing server-to-server

SSAI is a special type of ad serving whereby ads are sewn directly into the content they’re played alongside. It’s common in CTV environments since it creates a smooth transition between content and ads, preventing awkward pauses and loading screens.

To do this, a special SSAI ad server which is responsible for this stitching sits between the viewer’s device and the buyer. But since the ad isn’t served directly on the device, the SSAI server is often responsible for passing on most of the information about the impression being served, and for handling reporting.

Often fraudulent schemes exploit this need for trust, spoofing legitimate SSAI servers and passing on completely false information, allowing them to sell completely fake impressions. Historically this spoofing has been possible as the industry has lacked standardised way to authenticate servers in server-to-server connections (the key problem referenced by Publica’s Ben Antier).

Industry standards body IAB Tech Lab actually took a significant step in solving this problem at the end of last month.

“Specifically when transacting with SSAI, it is important to authenticate that you are receiving ad requests from legitimate ad tech partners and can identify them in real time,” said Shailley Singh, SVP of product management at IAB Tech Lab. “Last month we launched ads.cert 2.0 protocols with ‘Authenticated Connections’ specifically to address server to server communications.”

This new set of specifications covers standardised and secure ways to authenticate the origin of server-to-server requests, as well as protocols to help tell whether bid parameters in a bid request have been tampered with, and protocols for device manufacturers to attest to the legitimacy of the device an ad is being served on.

These specifications, if widely adopted, should help cut out a lot of the SSAI server spoofing which has been used to falsify CTV impressions.

IAB Tech lab is also releasing ‘Open Measurement SDK’ for CTV, which will initially be compatible with Apple’s tvOS and Google’s Android TV. This SDK will help verify that an ad has actually been delivered to a device, and seen by a user, to combat cases where impressions are completely falsified. Tech Lab plans to bring on other device manufacturers including Roku further down the line

These two specifications together should provide a significant increase in transparency, according to Singh, and make a sizable difference in shoring up SSAI’s vulnerabilities.

But again, adoption will be key. A consistent theme whenever VideoWeek has covered CTV fraud is that creating standards and best practices for preventing and avoiding fraud is just part of the challenge – the other part is making sure these standards become widely used across the industry. 

Keeping pace with the fraudsters

That’s not to say SSAI is now bulletproof. As SSAI security evolves, so do fraudsters’ tactics.

Earlier this year DoubleVerify uncovered a new scheme, dubbed ‘SneakyTerra’, which hijacked real CTV device sessions (rather than creating entirely fake sessions). This was a marked change in tactics to what DoubleVerify had seen previously.

Similarly, as industry standards make certain types of fraud more difficult, or impossible, fraudsters will turn to other methods. Staying on top of this adaptation will be vital to staying on top of SSAI-exploiting fraud.

“Progress is being made but fraud follows the money, and bad actors will continue to evolve their attacks – particularly on emerging channels like CTV,” said Tanzil Bukhari, EMEA managing director at DoubleVerify.

“Ultimately, as we identify and catch fraudsters, they will continue to adapt strategies with the aim to go undetected, putting unprotected advertisers at risk,” Bukhari added. “That’s why ongoing, real-time protection is so important and why our focus is to continue to invest in, evolve, and refine our technology to keep one step ahead of the bad actors.”

Nonetheless – recent moves do represent significant progress. As Bukhari says, CTV’s high CPMs will make it an attractive target for fraudsters – and given SSAI’s role in CTV advertising, it will be mentioned whenever a new scheme is uncovered. But over time, it looks likely that SSAI will shift to being part of the overall story, rather than CTV’s Achilles’ heel.


About the Author:

Go to Top