Identity & Security

How HBO Max uses reCAPTCHA Enterprise to make its customer experience frictionless


Editor’s note: Randy Gingeleski, Senior Staff Security Engineer for HBO Max and Brian Lozada, CISO for HBO Max, co-authored this blog to share their experiences with reCAPTCHA Enterprise and help other enterprises achieve the same level of security for their customer experiences.  

The COVID-19 pandemic gave audiences more time than ever to explore all the content hosted on HBO Max, and dramatically increased the demand for quick and reliable streaming. To support this demand, we made huge investments in our customer experience tools and digital experiences to continue bringing our customers the latest content while curating a best-in-class experience. But as the demand for our services increased, so did our attack surface. 

We were part of the 65% of enterprises that noticed an increase in online attacks last year. Attackers tried to throw anything and everything our way, ranging from using leaked credentials to log in to accounts, to entering fake promotion codes, to using stolen credit card information on the payments page. 

As we evaluated our approach to protect against web-based attacks, we set out to build a security strategy that would keep the customer’s experience at the core of everything that we did. At HBO Max, we believe that security should be usable for our security team and invisible to our end users. One of the tactics we use to achieve that goal is reCAPTCHA Enterprise, a frictionless bot management solution that stops fraudsters while allowing customers to use our services. Today, we’re going to share how we use reCAPTCHA Enterprise to create a frictionless experience for our customers, empower our security team, and further grow our business.

Like most businesses with a website and mobile application, we have multiple web pages that get targeted by human and automated actors. The web pages that come under the largest and most frequent attacks are the web pages involved in helping a customer purchase an HBO Max membership. We noticed attackers trying to use stolen credit card information or repeatedly reentering the same credit card information on our payments page. We also noticed attackers trying to use current and expired coupon codes over and over again on the payment page. 

We chose reCAPTCHA Enterprise because we wanted a proven product that can protect against credential stuffing, coupon fraud, and other fraudulent attacks while providing a frictionless customer experience. Google has over a decade of experience defending the internet and data for its network of more than 5 million sites, and this experience is what reCAPTCHA Enterprise is built on, which gave us faith it could work for us. 

A significant portion of our user base does not have to sign up for HBO Max because they are already customers of Hulu, AT&T, or another partner company. Brand new customers, however, need to sign up, create an account, and log in at HBO Max directly. When securing the signup system for these customers, we had to balance the needs of several of our internal stakeholders. Our customer experience team needed a security product that would not add friction to the customer journeys they build and optimize to make it as easy as possible to sign up for HBO Max. Our marketing team needed a security product that would not stop them from engaging and connecting directly with potential customers. And our product team wanted customers to be able to safely browse and stream content. Our signup flow had to meet the needs of all our stakeholders while providing advanced security to our website. 

The legacy approach of checking boxes, clicking images, or making our customers engage in some kind of challenge felt like an outdated and cheap approach. With reCAPTCHA Enterprise, we eliminated the burden on the audience, as it secures the signup flow without requiring humans to engage in any kind of challenge. It’s a win for everyone. Internal stakeholders can create customer-centric experiences, and customers can easily use our services. And it’s even resulted in customer preference for our services over our competitors’ that use security products that require more effort. 

reCAPTCHA Enterprise comes with many features, including mobile application SDK support and an Annotation API for model tuning, that help our security team determine if an interaction with our website is from a human or bot.

We use risk scores in reCAPTCHA Enterprise to determine if an interaction is going to impact legitimate customers and our business. reCAPTCHA Enterprise gives us 11 possible scores between 0 and 1: scores closer to 0, like 0.1 and 0.3, indicate high risk or likely fraud, and scores like 0.7 and 0.9 indicate low risk and a likely human. We review our risk scores alongside an analysis of our web and network traffic and our customers' usernames and account IDs. Together, all this information helps us set a risk threshold for our website, below which we do not let an interaction engage with the site. We also use reCAPTCHA Enterprise's Annotation API to tune the web risk analysis to our website's preferences, such as not letting an interaction with a low score proceed on our webpages. So far, we've had no issues with our threshold, and legitimate customers have been able to engage with our website.

In addition to using reCAPTCHA Enterprise's risk scores, we also use its reason codes to help us interpret interactions with our website. Reason codes explain why reCAPTCHA Enterprise assigned a particular risk score to an interaction. They tell us things like whether an interaction was automated or did not follow normal patterns. The reason codes give us confidence, accuracy, and a starting point for determining what went wrong in an interaction. From there, we also look at logs and at how quickly a user moved through different actions.
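The two preceding paragraphs describe a server-side policy: verify the token, compare the score against a threshold, read the reason codes, and later feed the real outcome back through the Annotation API. The following is an added example of that policy and is not HBO Max's code or Google's client library. It takes the decoded JSON of a `projects.assessments.create` response (the sample responses are constructed by hand here, so it runs offline) and builds the body for `projects.assessments.annotate`; the hostname, action names, threshold and the choice of which reason codes block outright are assumptions a deployment would set for itself.

```python
"""Decision policy over a reCAPTCHA Enterprise assessment (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed deployment settings; a real site sets these for its own flows.
EXPECTED_HOSTNAME = "signup.example.com"
RISK_THRESHOLD = 0.5                 # scores below this are blocked
HARD_BLOCK_REASONS = {"AUTOMATION"}  # reason codes refused regardless of score


@dataclass
class Decision:
    allow: bool
    verdict: str
    score: Optional[float]
    reasons: List[str] = field(default_factory=list)


def evaluate_assessment(assessment: Dict, expected_action: str) -> Decision:
    """Apply token checks first, then the score threshold and reason codes."""
    props = assessment.get("tokenProperties", {})
    # An invalid token (expired, duplicated, malformed) carries no usable score.
    if not props.get("valid", False):
        return Decision(False, "invalid_token:" + props.get("invalidReason", "UNKNOWN"), None)
    # The token must have been minted for the action this endpoint serves
    # and for our own hostname, otherwise a valid token could be replayed elsewhere.
    if props.get("action") != expected_action:
        return Decision(False, "action_mismatch", None)
    if props.get("hostname") != EXPECTED_HOSTNAME:
        return Decision(False, "hostname_mismatch", None)

    risk = assessment.get("riskAnalysis", {})
    score = risk.get("score")
    reasons = list(risk.get("reasons", []))
    if score is None:
        return Decision(False, "no_score", None, reasons)
    # Reason codes explain the score; some are decisive on their own.
    if HARD_BLOCK_REASONS & set(reasons):
        return Decision(False, "blocked_by_reason", score, reasons)
    if score < RISK_THRESHOLD:
        return Decision(False, "blocked_by_score", score, reasons)
    return Decision(True, "allow", score, reasons)


def score_bucket(score: float) -> int:
    """Map a score to one of the 11 levels (0..10) for dashboards and alerting."""
    return max(0, min(10, round(score * 10)))


def annotation_for_outcome(confirmed_fraud: bool) -> Dict:
    """Body for projects.assessments.annotate, sent once the true outcome is known
    (for example a chargeback or a confirmed good signup) so the model can be tuned."""
    return {"annotation": "FRAUDULENT" if confirmed_fraud else "LEGITIMATE"}


# Constructed sample responses mirroring the assessment response shape.
SAMPLE_HUMAN = {
    "name": "projects/example-project/assessments/ASSESSMENT_ID_PLACEHOLDER",
    "tokenProperties": {"valid": True, "hostname": "signup.example.com",
                        "action": "signup", "createTime": "2021-07-01T12:00:00Z"},
    "riskAnalysis": {"score": 0.9, "reasons": []},
}
SAMPLE_BOT = {
    "tokenProperties": {"valid": True, "hostname": "signup.example.com",
                        "action": "signup", "createTime": "2021-07-01T12:00:05Z"},
    "riskAnalysis": {"score": 0.1, "reasons": ["AUTOMATION", "TOO_MUCH_TRAFFIC"]},
}
SAMPLE_LOW = {
    "tokenProperties": {"valid": True, "hostname": "signup.example.com",
                        "action": "signup", "createTime": "2021-07-01T12:00:09Z"},
    "riskAnalysis": {"score": 0.3, "reasons": ["UNEXPECTED_USAGE_PATTERNS"]},
}
SAMPLE_EXPIRED = {
    "tokenProperties": {"valid": False, "invalidReason": "EXPIRED",
                        "hostname": "signup.example.com", "action": "signup"},
}


if __name__ == "__main__":
    for label, sample in [("human", SAMPLE_HUMAN), ("bot", SAMPLE_BOT),
                          ("low", SAMPLE_LOW), ("expired", SAMPLE_EXPIRED)]:
        d = evaluate_assessment(sample, "signup")
        print(f"{label:8} allow={d.allow} verdict={d.verdict} score={d.score} reasons={d.reasons}")
```

The order of checks matters: action and hostname are compared before the score is consulted, so a token that is genuinely valid for one page cannot be reused to pass a different one, and reason codes are treated as explanations that can override a threshold rather than as a second score.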

reCAPTCHA Enterprise has not only made a difference to our customers and our security team, but also to our business. By protecting some of our most vulnerable pages, such as the account creation, login, promotion code, and payment pages, we've seen a dramatic decrease in brute force and credential stuffing attacks. We also replaced our legacy software that was used to protect gift cards with reCAPTCHA Enterprise, and we noticed a considerable decrease in token-cracking fraud. Because of the number of places an HBO Max account can be created, including smart TVs, phones, and computers, our website receives billions of requests per day. reCAPTCHA Enterprise has made it easy for us to determine which of those requests are from our customers and which ones are fraudulent, and therefore to grow our customer base and revenue. 

Because of its frictionless experience for our customers and its usability for our security team, we highly encourage other enterprises looking to secure their customer experience to start with reCAPTCHA Enterprise today. We strongly encourage any enterprise with a web application or mobile application to use reCAPTCHA Enterprise to protect against online fraud and abuse and to preserve their customer experience.