The biggest vulnerability in the OTT/CTV industry is the widespread use of Server-Side Ad Insertion (SSAI). According to Pixalate data from Q2 2019, over one-third (38%) of all programmatic OTT/CTV ad transactions are delivered via SSAI.
This post demystifies OTT/CTV ad fraud by debunking common myths about SSAI, which is also referred to as ad stitching.
Want to learn more about how fraudsters can take advantage of SSAI security gaps? Register for our upcoming webinar on July 11 at 1pm ET hear from OTT/CTV industry experts.
Based upon Pixalate’s own analysis, more than one-third (38%) of all over-the-top and connected television (“OTT/CTV”) programmatic ad transactions purport to use SSAI.
Pixalate deems 26% of those transactions invalid, making SSAI one of the riskiest channels in terms of ad fraud rates, on par with the ad fraud risks posed by mobile in-app video advertising.
In an effort to avoid false positives in invalid traffic (“IVT”) designations — especially where SSAI fraud detection systems and methods are lacking — digital supply chain partners oftentimes wholly whitelist SSAI IPs.
Unfortunately, blanket approaches enable exploitation of SSAI integrations by scammers. Dedicated sophisticated invalid traffic (“SIVT”) detection and filtration vendors are a must in the context of OTT/CTV and SSAI.
SSAI integrations are just as susceptible to ad fraud schemes as client-side ad insertion techniques.
Furthermore, shifts in ad spend toward OTT/CTV channels and digital supply chain partners’ tendencies to fully whitelist purported SSAI servers have enabled an explosion in SSAI proxy exploitation.
Based upon Pixalate’s IVT figures, blind faith in SSAI implementations puts more than one-fourth (26%) programmatic OTT/CTV ad budgets spent on SSAI impressions at risk. This makes programmatic OTT/CTV (done via SSAI) one of the riskiest environments across all channels:
There is no deterministic way at present to identify valid vs. invalid SSAI inventory.
However, for the past several years Pixalate has been making significant investments to become the leading innovator in SSAI fraud detection. Leveraging our early start and unwavering commitment, we have developed and refined algorithms that estimate the reputation of tens of thousands of purported SSAI servers.
Our proprietary, machine-learning Proxy Reputation System analyzes more than 30 composite signals that characterize the overall behavior of purported SSAI proxies and such proxy systems’ interactions with the publisher (e.g., OTT/CTV apps) and the client (e.g. Device ID).
We have also implemented IPv4 and IPv6 dual-stack recognition as part of our Proxy Reputation System, as more and more OTT/CTV devices are connecting to the internet via IPv6 infrastructure.
In addition to providing Pixalate with the ability to render well-founded opinions regarding valid vs. invalid proxies, this data-driven analysis also helps Pixalate build blocklists for invalid OTT/CTV devices, IPv6 and IPv4 users, and proxies.
Although the methodology behind our Proxy Reputation System leverages, and is in accord with, the latest VAST 4.0, VAST 4.1 and VAST 4.2 guidelines — and Pixalate captures all associated header information — Pixalate also utilizes a large variety of additional traffic signals (more than 30 in total) to render our opinions regarding the validity of purported SSAI transactions.
Pixalate nonetheless applauds the IAB’s and MRC’s push towards transparency and the industry standards for SSAI. One reason the OTT/CTV programmatic advertising ecosystem is so susceptible to fraud is that it is too opaque.
Only 26% of all instances of valid SSAI are “transparent,” which Pixalate defines as an impression where the purported SSAI proxy passes at least an X-Device-User-Agent header.
Of course, ideally, we would also receive X-Device-IP (in accordance with VAST 4.1), as well as additional HTTP headers proposed for more transparency by the IAB (e.g., X-Device-Referer and X-Device-Accept-Language).
Simply put, one of the most important determining factors in catching fraudsters is to have access to as much information in the header as possible. Through fully-transparent views into the OTT/CTV ad ecosystem, Pixalate is able to identify and catalog proxies and their behaviors at scale, which enables us to create and optimize our Proxy Reputation System to automatically detect invalid SSAI.
Thus, despite our above-noted proprietary signals and years of innovation, our refined and sophisticated process would not be as successful at detecting fraud in a completely opaque ecosystem.
Pixalate promotes transparency across our solutions, surfacing our SSAI analysis to our clients through 12 distinct, SSAI-specific metrics. These and other metrics are combined with additional SSAI data analysis to inform all of our OTT/CTV-optimized, cross-channel product offerings.
Pixalate, the first and currently only company accredited by the MRC for sophisticated invalid traffic (SIVT) detection and filtration in OTT/CTV, has gathered industry experts for a webinar on the use of Server-Side Ad Insertion (SSAI) in OTT/CTV advertising.
On Thursday, July 11, 2019 at 1:00pm ET, Pixalate Product Manager Chris Schwarz will host:
Disclaimer: The content of this blog reflects Pixalate’s opinions with respect to the factors that Pixalate believes can be useful to the digital media industry. Any proprietary data shared is grounded in Pixalate’s proprietary technology and analytics, which Pixalate is continuously evaluating and updating. Any references to outside sources should not be construed as endorsements. Pixalate’s opinions are just that - opinion, not facts or guarantees.
Per the MRC, “'Fraud' is not intended to represent fraud as defined in various laws, statutes and ordinances or as conventionally used in U.S. Court or other legal proceedings, but rather a custom definition strictly for advertising measurement purposes. Also per the MRC, “‘Invalid Traffic’ is defined generally as traffic that does not meet certain ad serving quality or completeness criteria, or otherwise does not represent legitimate ad traffic that should be included in measurement counts. Among the reasons why ad traffic may be deemed invalid is it is a result of non-human traffic (spiders, bots, etc.), or activity designed to produce fraudulent traffic.”