Author: Saurabh Bhasin, Senior Product Manager
Enterprises are navigating the shift from scripted, volumetric attacks to sophisticated, globally coordinated fraud rings that target the entire customer journey. As AI-assisted tactics enable fraudsters to mimic human behavior with ease, security analysts require more actionable fraud intelligence to granularly segment legitimate users or agents from untrusted ones, and confidently mitigate attacks without introducing unnecessary user friction.
As the industry’s most deployed trust platform, reCAPTCHA secures the entire customer journey, from the initial interaction and account creation to the protection of downstream transactions. Today we are deepening that foundation by providing analysts with forensic depth and actionable intelligence via the following features:
- Account Takeover (ATO) Analytics (Public Preview): Credential abuse is one of the leading attack vectors that leads to account takeovers. The growing ATO problem manifests as loss of business reputation, attrition of users and increased risk of chargebacks. To help detect ATOs, we are launching a new feature that is 4 times better at detecting account takeover attempts than a score designed to detect bots. This new score is supported by new explainability reasons that provide new forensic insights.
- Transaction Defense API (General Availability): By eliminating the requirement for client-side JavaScript, the transaction defense API extends coverage to mobile and agentic commerce. The explainability reasons and expanded use-case support enables businesses to transition seamlessly from web to mobile and agentic environments, empowering analysts to perform forensic deep-dives into card testing attacks and chargeback risks.
- Attack Investigation (Public Preview): reCAPTCHA has long provided analysts with robust logging and dashboards to help understand and visualize risky activity on their sites. We are deepening this further by combining millions of data points into an 'Attack' view that allows analysts to easily spot correlated attack campaigns instead of individual logs.
We will now look at these features in detail, beginning with how reCAPTCHA Account defense secures the sign-up and login flows.
As AI-assisted tactics enable fraudsters to target signup and login flows with increasing sophistication, security analysts require more actionable intelligence to defend against account takeovers. reCAPTCHA Account defense already provides the forensic depth needed to identify suspicious logins; today, we are deepening this protection with dedicated ATO Analytics. By leveraging machine learning models specifically tuned for identity signals and behavioral anomalies, the new ATO score is 400% better at detecting account takeover attempts than a score designed to detect bots. This is supported by new explainability reasons that provide insights into reputational history and association with large clusters of made-for-abuse accounts.
Even successful ATO detection requires downstream protection and customers are looking for a solution to help them with the end-to-end customer journey. A compromised account or agent that goes undetected inevitably targets the downstream user journey: fraudulent transactions using stolen credit cards. reCAPTCHA protects the transactions on the web and now, with the Transaction Defense API, it also secures mobile, and agentic commerce without the need for client-side JavaScript. This allows analysts to defend against chargebacks and promotional fraud in 'human-not-present' scenarios, ensuring that as your business grows into new agentic channels, you can continue to assess carding attacks and chargeback risks.
Detection and mitigation alone are not enough. Analysts must be equipped with forensic depth to deconstruct attacks and extract the intelligence necessary to proactively prevent future recurrences. An overwhelming volume of logs makes it difficult to extract intelligence and identify coordinated attack campaigns within the noise.The new Attack Investigation dashboard now aggregates millions of data points into “Attacks” so that analysts can visualize a campaign, and then drill-down into an incident.
Finally, to fully unlock this forensic potential and ensure that data remains under your direct control, reCAPTCHA is transitioning to a Data Processor model for all customers. This shift gives you direct sovereignty over user data and simplifies global compliance, ensuring that your analysts have the data they need to protect your business while you maintain full control over the purpose and means of its processing. You can read more about this change in our blog, and Master Service Announcement.
Ready to put these innovations to work?
- New Customers: Create an account today to start building a more secure experience with our latest fraud defense tools.
- Existing Customers: Log into the reCAPTCHA console to explore the new features.
Connect with us: Join us at the RSA Conference to see these features in action. You’re also invited to join us at Cloud Next for new feature announcements.