How Etsy uses reCAPTCHA Enterprise to stop fraud and not customers
Senior Security Engineer, Etsy
Try Google Cloud
Start building on Google Cloud with $300 in free credits and 20+ always free products.Free trial
At Etsy.com, our mission is to Keep Commerce Human by providing a global marketplace that connects 5.2 million sellers with more than 90.5 million active buyers looking for unique items with a human touch. For our vibrant global community to continue to grow and thrive, interactions on the platform must be safe, private, and secure.
Like many other online businesses, Etsy saw a sharp increase in traffic over the past year as people turned to e-commerce during the COVID-19 pandemic. With this surge, we wanted to get ahead of any potential challenges that could impact our brand, revenue, and customers.
With increased traffic we observed elevated bot traffic attempting credential stuffing attacks. We anticipated that credential stuffers would try to use lists of compromised passwords from other companies’ data breaches and test those credentials on Etsy, since password reuse is common across many websites. We also thought attackers might attempt to abuse any unauthenticated forms, such as password reset forms and mailing list sign ups.
These are only a few examples of the types of fraud we look for, as these risks are always evolving and increasing in complexity. For that reason, we continually reevaluate our tooling and regularly research third party products to improve our security posture.
One of the most important products we've added since the pandemic began to protect against fraud is Google Cloud’s reCAPTCHA Enterprise, a frictionless bot management solution that works by classifying fraudulent HTTP requests. One reason we chose to implement reCAPTCHA Enterprise is because of the flexibility it grants us. Instead of dictating what action to take (ie. blocking the request), it provides an assessment which contains information classifying a particular user interaction. This data can be combined with our internal automated controls to make informed decisions in near real time.
While we primarily use risk scores, reCAPTCHA Enterprise also provides reason codes and additional features to securely check if a user has reused their password on another site that has been compromised. Because reCAPTCHA Enterprise protects over 5 million sites, the system is also able to recognize attack patterns that we may not be able to identify on our own. We can leverage all this information without causing friction for our users, as reCAPTCHA Enterprise doesn’t require any user interaction. This is a huge win for our security team because we can add reCAPTCHA Enterprise to any page without any design concerns and with minimal effort.
In the past, potentially malicious requests were shown a captcha challenge. reCAPTCHA V1 provided a text-based challenge while reCAPTCHA V2 is using an image-based challenge. Image recognition has improved recently and the current image captcha challenge may be obsolete in a few years. Therefore, we can use reCAPTCHA Enterprise to protect our web pages but maintain a frictionless customer experience.
reCAPTCHA Enterprise's flexibility allows us to decide when to block suspicious behavior and keep this process invisible to our end users. If we need additional confirmation of a user’s intentionality on a web page, we can request email or SMS verification. This adaptability makes us the ultimate decision makers in using reCAPTCHA Enterprise however we want to our pages.
After making the choice to integrate reCAPTCHA Enterprise, we added it to several points of the user workflow, including signing in and opening a shop. We started by logging and storing the assessments in our databases, which then get replicated to Google's BigQuery for later analysis. All this is done seamlessly without disrupting the user experience.
We immediately saw results. reCAPTCHA Enterprise provides graphs that tell us which parts of the website have the highest risk scores, indicating potential abuse and allowing us to prioritize appropriately. In addition, we combined the stored assessment data with our existing tools to lock out malicious users and thereby prevent any potential harm to our community. These data points are available to our Trust & Safety and Security teams, enabling them to help identify bot activity like credential stuffing.
In the case that an assessment incorrectly classifies a legitimate user as fraudulent, reCAPTCHA Enterprise provides an Annotation API where you can annotate previous assessments with additional information. This will train the underlying engine to better understand our traffic and improve the detection of inauthentic bot activity.
After adding reCAPTCHA Enterprise to our login flow, we saw dramatic results and it solidified our confidence in the tool. Once we had the basic structure down, we packaged the Etsy-specific code into a reusable library so that we could then quickly add reCAPTCHA Enterprise to other parts of the platform, such as conversations and the forgot password page. This allows us to quickly add protection to web pages and address attacks before they happen.
In addition, we are well adapted to rapidly defend against a bot attack should the need arise. Overall, we achieved many wins by using reCAPTCHA Enterprise as a tool in our bot management strategy and believe it to be a worthwhile investment in keeping the Etsy community safe.