Jump to Content
Security & Identity

How reCAPTCHA Enterprise protected customers during the holidays

April 1, 2021
Cy Khormaee

Head of Product reCAPTCHA

Kelly Anderson

Product Marketing Manager

Every business had to adapt to a new reality in 2020, and make online business their primary channel. But as online business increased, so did web-based attacks. In research commissioned by Forrester consulting, 84% of companies have seen an increase in bot attacks. 71% of organizations have seen an increase in the amount of successful attacks. 65% of businesses have experienced more frequent attacks and greater revenue loss due to bot attacks. With online fraud expected to only increase, the security of web pages has never been more important.

Online fraud and abuse impacts various industries differently, ranging from inventory problems to account access difficulties. Attack methods also vary; some businesses have to deal with frequent credential stuffing or payment fraud attacks, and some are more subject to account takeovers to spam logins. Credential stuffing is one of the most common attacks our customers face, due to a spike in the availability of usernames and passwords from a wide range of successful breaches, and the ease of scripting these kinds of attacks. Account takeovers are another common attack type, as billions of account records have been leaked over the last several years from breaches, and these credentials have been posted and sold on the dark web. 

While the attacks are varied, they all share the same end result: damage to your business, customers, and bottom line.

Successful online businesses require successful online security 

The more digital an organization becomes, the more its success is tied to its ability to understand and manage online attacks. And though the 2020 holiday season unleashed more online attacks than ever before, customers using reCAPTCHA Enterprise were prepared. 

Any organization that conducts business online can be susceptible to online fraud. But this susceptibility can be mitigated by reCAPTCHA Enterprise, which is particularly helpful for businesses in the retail, gaming, media, entertainment, software and internet industries. reCAPTCHA Enterprise customers create, sell, offer or manage everything from smart home devices, to office supplies, to software, online marketplaces, social media, and streaming services. And all of them face a myriad of automated attacks that, unless properly defended, could weaken their businesses.

For example, retailers need protection from bots putting inventory in their shopping carts, thereby decreasing the amount of inventory available to legitimate customers. They are sometimes faced with malicious attempts to identify missing start/expiry dates and security codes for stolen payment card data, by bots that test different values and personal information at checkout. Gaming, media, and entertainment customers are challenged by bad actors trying to log in into a legitimate customer’s account with stolen credentials. Event companies deal with automated scalping, with bots buying up tickets and then reselling them later at a profit. And many vendors are challenged by repeated attempts to use a coupon number, voucher code or discount token on web pages during payment. 

Halting 2020 holiday hacks

The most common attacks our customers experienced this holiday season were credential stuffing, followed by scraping, card fraud, and account takeovers.

In a credential stuffing attack, bots list stolen credentials against an application’s authentication mechanisms to identify whether users have reused the same login credentials. The stolen usernames (often email addresses) and password pairs could have been sourced directly from another application by the attacker, purchased in a criminal marketplace, or obtained from publicly available breach data dumps. reCAPTCHA Enterprise detects and stops credential stuffing attacks by recognizing bot behavior and introducing friction into the bot’s attempt at an attack—alerting that an attack is taking place, and implementing a response like two-factor authentication to defeat the attempt while letting valid users through the website. 

In a scraping attack, large volumes of data are extracted from web pages and applications. Scraping can be used to collect personal data from social media accounts, which malicious actors use to create applications for loans, credit cards, or other forms of identification. Scraping can also be used to collect legitimate information about products or services, and then create fake products and services and trick buyers into purchasing them. reCAPTCHA Enterprise uses an adaptive risk analysis engine to keep malicious software from engaging in abusive activities on your site. 

Another type of fraud that has been prominent in the last year is card cracking. Fraudsters often use automated tools to verify stolen credit cards before they’re sold or used. reCAPTCHA uses machine learning models that analyze site-specific behavior to recognize patterns of legitimate and fraudulent transactions and detect this type of abuse. reCAPTCHA Enterprise returns a score based on interactions with your websites, with 1.0 being a likely good interaction and 0.0 being a likely abusive action. This can reduce the transaction costs of such abuse, and prevent larger scale attacks resulting from the use of stolen payment mechanisms.

Sometimes, a bad actor will use a stolen or leaked credential to log in and access a legitimate user’s account, in an attack called an account takeover. Account takeovers are typically followed by the attacker transferring money, buying a gift card or making purchases with the user’s account. The reCAPTCHA Enterprise API risk score gives you the granularity and flexibility to protect your webpages in the way that makes the most sense to your business; you can decide which action to take based on that score. There’s no one-size-fits-all approach to managing risk, so you should have the levels of protection for different web pages. A suspected fraudulent request on a login page could force a two-factor authorization challenge, while you could just block the request on a less valuable webpage.

reCAPTCHA Enterprise is built to help mitigate fraudulent online activity for your enterprise, with technology that has helped defend millions of websites for over a decade. The number and types of attacks your business will experience will only increase over time, so it’s important to remember that the success of your business is dependent on how well you can protect against these attacks. To protect your business from online fraud and abuse, get started with reCAPTCHA Enterprise today.

Posted in