Indonesia has been an overlooked e-commerce market since the pandemic, with roughly one-half of the population shopping online and $59billion predicted sales revenue in 2022. Meanwhile, cyberattacks targeting Indonesia have increased nearly six times in 2020 and cost the country’s online businesses dearly. Indonesian e-commerce firms are now at the make-or-break point for the continuous boom of their business. 

The boom of Indonesian e-commerce

The pandemic might be a changing point for Indonesia's e-commerce market. According to Redseer, a consulting company, Indonesian online shoppers increased from 75 million before the covid outbreak to 85 million during the pandemic. Another good news is that Indonesia's e-commerce market is believed to have a 23.8% growth in 2022 and the sales revenue will reach $30 billion, predicted by GlobalData. 

With the fourth largest population in the world, Indonesia has 273.5 million people waiting to transfer to the digital ecosystem. Not to mention that 20% of the population is middle-class and has strong purchasing power. It is reasonable to believe that e-commerce growth will benefit Indonesia and its population in foreseeable future. 

Not only does Indonesia have great spending potential, but it also has considerable e-commerce platforms to support consumption. You must have heard about or shopped on e-commerce marketplaces like Shopee, Tokopedia, Lazada, Blibli, etc. These are among Indonesia's most popular online shopping platforms. Although they enjoy awesome web traffic, these platforms are significantly short in web security.

Insufficient web security in Indonesia

ecommerceDB, a division of Statista, did a survey to find out the top 5 most visited Indonesian e-commerce marketplaces, and they are Tokopedia, Shopee, Bukalapak, Lazada, and Blibli. I'm sorry to say this, but only one of them has been deployed CAPTCHA verification for users at registration. I tried to register in the platforms mentioned above, it turns out that only Lazada requires CAPTCHA verification and the rest only ask for a real-time verification code, except Shopee, the second-largest marketplace there in terms of traffic asks for nothing.

Image source: Lazada

Image source: Tokopedia

Image source: bukalapak

Image source: Blibli

Image source: Shopee

Websites with high traffic. Poor web security. When you put the two things together, usually there would not be a happy ending. Actually, the harm has been done already. Tokopedia, an Indonesian e-commerce unicorn, suffered a database breach in March 2020, resulting in a data leak of 91 million users which was put up for sale on the dark web later.

At this make-or-break point, Indonesian e-commerce firms have to take a reliable user verification process into consideration, or else fraudulent actors will keep exploiting those unguarded websites by coming in and out freely, taking as many sought-after products or user data as possible.


Currently, CAPTCHA is one of the most direct solutions that e-commerce companies have at their disposal in their fight against account fraud, such as account takeover and fake user registrations. But CAPTCHAs are so commonplace across the Internet that many don’t recognize just how efficient they are. Like every other product, sometimes CAPTCHA needs to be sharpened and serviced to become a security service while delivering a better user experience.

Outsmart attackers with Adaptive CAPTCHA

The reason why many think CAPTCHA is an annoying and time-consuming necessity of the internet is that they came across too many times deciphering distorted words and proving they know what a car looks like by clicking boxes. That’s illy sharpened and serviced CAPTCHAs or legacy CAPTCHAs. 

With machine learning, artificial intelligence, behavior analysis, and so many new technologies, CAPTCHA has been a reassuring security measure while still offering good users a delight interaction or no interaction at all. GeeTest Adaptive CAPTCHA is a brand new approach provided by GeeTest. 

Ways of cyber attacks may change over time, but the underlying principles have not. All sorts of bot-driven attacks can be categorized into two types: web simulator bypass and API bypass

Whether bypassing CAPTCHA via web simulators or APIs, attackers can not avoid a key step, that is, to obtain CAPTCHA challenges and solve them, which is the core of the CAPTCHA attack and defense.

The unique point of GeeTest Adaptive CAPTCHA is the 7-layer dynamic security strategy. It makes GeeTest Adaptive CAPTCHA an evolving solution that does not weaken over time, as it can adapt to the changing data it analyses.

Try demo

 7-layer dynamic security strategy

  1. JS dynamic obfuscation update
  2. Dynamic update of data
  3. Risk database matching
  4. CAPTCHA types
  5. CAPTCHA difficulty
  6. Behavior algorithm model
  7. Parameter encryption

The first layer: JS dynamic confusion update

  • Trigger timing: when users request CAPTCHA, the CAPTCHA resource will be loaded, that is, JS script loading, and JS will be dynamically updated.

  • How it works: cybercriminals may reversely decode the JS script to crack CAPTCHA, and GeeTest uses JS obfuscation technology to regularly obfuscate and update the JS invoked by the user.

  • Update frequency: Once a day

  • Value: The front-end JS is regularly obfuscated and transformed to invalidate the reversed script, which greatly increases the cost of attackers. 

Second layer: dynamic update of data

  • Trigger timing: After CAPTCHA resources are loaded, JS will collect and return necessary data, and GeeTest will dynamically update the data in this step.

  • How it works: GeeTest carries different dynamic data in each version of JS to achieve a dynamic update of the data link.

  • Update frequency: Once a day

  • Value: front-end dynamic data changes regularly, increasing the cost of attackers.

Third layer: risk database matching

  • Trigger timing: After data is collected, GeeTest will assess the risk based on its global risk database.

  • How it works: GeeTest's global risk database is supported by 320,000 enterprises worldwide, and 1.4 billion daily CAPTCHA requests. 

  • Update frequency: Once a day

  • Value: The global risk database will be updated regularly.

Fourth layer: dynamically changed CAPTCHA types

  • Trigger timing: After risk assessment, GeeTest will present different types of CAPTCHA according to the user's risk level. Currently, it provides up to 5 types of CAPTCHA types, and these types can be customized at a given time.

  • How it works: balance security and user experience with different types of CAPTCHA.

  • Value: different types of CAPTCHA can be switched flexibly to increase security without sacrificing user experience.

Fifth layer: CAPTCHA difficulty changes

  • Trigger timing: CAPTCHA difficulty can be configured at a given timetable.

  • How it works: CAPTCHA difficulty and CAPTCHA frequency can be customized in accordance with different business demands.

  • Levels of difficulty: 3

  • Value: Different CAPTCHA types have different difficulty levels.

Layer 6: Behavior algorithm model update

  • Trigger timing: After users submit CAPTCHA answers, the GeeTest behavior algorithms will be updated based on new behavioral trajectories and abnormal behavior samples across its global database.

  • How it works: GCN model

  • Update frequency: Once a day

  • Value: Improve the ability to identify abnormal behavior trajectory, and greatly improve the cost of web simulator bypass.

Seventh layer: Parameter encryption

  • Trigger timing: After users submit CAPTCHA answers, the "verify" request will encrypt the credential data of CAPTCHA interaction, and GeeTest can dynamically change the encryption algorithm.

  • How it works: multiple encryption methods

  • Encryption types: 2

  • Value: flexible change of parameter encryption algorithm, increase the cost of attackers.

All in all, the battle between attackers and security vendors is not defeating each other permanently. It is a dynamic contest, as both of them are testing each other's bottom line. GeeTest turns CAPTCHA from a static tool into an ever-changing security solution that enables businesses to make more accurate fraud and risk decisions at speed and scale, with minimal manual intervention to update the fraud management system.

Get your GeeTest Adaptive CAPTCHA free version now.

Start your free trial
Over 320,000 websites and mobile apps worldwide are protected by GeeTest captcha

Hayley Hong

Content Marketing @ GeeTest