How Etsy, following its pandemic popularity, beat back a barrage of bots

Craft is the making of objects through the use of skill and expertise. A tailor’s craft is to make precise measurements and turn them into fashionable garments. A jeweler uses experience, dexterity, and taste to make jewelry as part of their craft.

Etsy knows craft. 

Etsy’s mission is to support the worldwide community of craftspeople who wish to sell their goods online. More than 6.3 million sell their wares on the ecommerce platform, with more than 90 million people buying those carefully created and curated items..

Attention to detail is the utmost priority, and not only for the stitches in a quilt or gems in a necklace. Everything unravels if Etsy's platform isn't reliable and secure.

Particularly following the hypergrowth of ecommerce during the lockdown years, companies like Etsy have faced a commensurate rise in malicious hackers trying to steal the credentials of buyers and sellers alike. The attackers seek to  use already compromised passwords found on the dark web to try to gain access to users accounts, a method called credential stuffing that’s based on the assumption of reused usernames and passwords. 

Etsy is more than an ecommerce platform, though. It’s a robust technology company that takes pride in its programming and development. Code as Craft, as the saying goes in Etsy’s engineering department. And when it comes to protecting its millions of buyers and sellers, Etsy’s developers deploy all the skill, experience, and knowledge of practiced craftspeople to make sure the platform is safe and secure for everyone.

It also helps to have the right tools.

Why should you always need to prove you're not a robot? Etsy can automatically keep 95 million shoppers safe and secure from fraudulent sellers by using Google Cloud. 

To protect against the influx of credential stuffing attacks Etsy experienced during the lockdown years, the company utilized Google Cloud’s reCAPTCHA Enterprise tool to authenticate user sign-in requests and evaluate each attempt with a risk score to help determine the potential malicious intent of the request.

“With increased traffic we observed elevated bot traffic attempting credential stuffing attacks,” Etsy senior security engineer Ivan Tse said. “We anticipated that credential stuffers would try to use lists of compromised passwords from other companies’ data breaches and test those credentials on Etsy, since password reuse is common across many websites. We also thought attackers might attempt to abuse any unauthenticated forms, such as password reset forms and mailing list sign ups.” 

reCAPTCHA has more than a decade of experience defending the internet for its network of more than 5 million sites. Companies large and small use it to protect their users, gathering data about each credential request and applying AI and machine-learning techniques to determine whether the request is from a legitimate user or a malicious actor. 

“reCAPTCHA Enterprise's flexibility allows us to decide when to block suspicious behavior and keep this process invisible to our end users,” Tse said. “If we need additional confirmation of a user’s intentionality on a web page, we can request email or SMS verification. This adaptability makes us the ultimate decision makers in using reCAPTCHA Enterprise however we want to on our pages.”

Etsy also benefits from Google Cloud’s secure-by-design infrastructure, having completed a migration from its own on-premise data centers to Google Cloud in 2020. When the company moved 5.5 petabytes of data over in record time, it not only freed up its IT infrastructure to be more nimble and economical, it also gained many of the security best-practices employed by Google and its tens of thousands of corporate customers around the world.

“After adding reCAPTCHA Enterprise to our login flow, we saw dramatic results and it solidified our confidence in the tool,” Tse said. “Once we had the basic structure down, we packaged the Etsy-specific code into a reusable library so that we could then quickly add reCAPTCHA Enterprise to other parts of the platform, such as conversations and the forgot password page. This allows us to quickly add protection to web pages — and address attacks before they happen.”