惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
W
WeLiveSecurity
O
OpenAI News
N
News and Events Feed by Topic
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
云风的 BLOG
云风的 BLOG
N
News | PayPal Newsroom
H
Hacker News: Front Page
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
The Last Watchdog
The Last Watchdog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Schneier on Security
宝玉的分享
宝玉的分享
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Y
Y Combinator Blog
Cyberwarzone
Cyberwarzone
Microsoft Security Blog
Microsoft Security Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
GbyAI
GbyAI
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
人人都是产品经理
人人都是产品经理
P
Palo Alto Networks Blog
M
MIT News - Artificial intelligence
G
GRAHAM CLULEY
C
Check Point Blog
Apple Machine Learning Research
Apple Machine Learning Research
Last Week in AI
Last Week in AI
T
Troy Hunt's Blog
L
Lohrmann on Cybersecurity
www.infosecurity-magazine.com
www.infosecurity-magazine.com
P
Proofpoint News Feed
Blog — PlanetScale
Blog — PlanetScale
量子位
博客园 - 聂微东
S
Securelist
博客园 - 三生石上(FineUI控件)
F
Full Disclosure
G
Google Developers Blog
L
LINUX DO - 热门话题
P
Proofpoint News Feed
AI
AI
PCI Perspectives
PCI Perspectives

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
I Tested Google Cloud Fraud Defense, Here is What Actually Changed 👇
Rasu · 2026-04-24 · via DEV Community

This is a submission for the Google Cloud NEXT Writing Challenge

nex cover

Google Cloud Fraud Defense Is the Old reCAPTCHA Finally Growing Up — And Developers Should Care


Every developer has a reCAPTCHA story. You know the one. You are trying to buy concert tickets or create an account or just read an article, and suddenly you are staring at a blurry intersection of faded traffic lights and crosswalks wondering if that pixelated shape is a bus or a truck. You try three times. You get it wrong every time. You switch to audio mode and hear something that sounds like a dial-up modem having a stroke. You give up.

If that scenario sounds familiar, you are not alone. reCAPTCHA has been annoying developers and users alike for nearly two decades. And at Google Cloud NEXT 26, Google finally acknowledged what the entire internet has known for years — the old approach to verifying humans was broken.

They did not just fix it. They replaced it entirely.


What Is Google Cloud Fraud Defense?

In simple terms, Google Cloud Fraud Defense is the next evolution of reCAPTCHA — but calling it that is like calling a smartphone an upgraded telephone. It is a complete rethink of how we verify humans versus bots versus sophisticated automated agents that are getting harder to distinguish from real people every single day.

The old reCAPTCHA worked like a checkpoint. You either passed or you did not. It was binary. You were a human trying to prove you were not a bot, and the system either believed you or it did not. There was no nuance, no context, no understanding of behavior — just a snapshot test at a single moment.

Fraud Defense works completely differently. It watches everything. Not just the moment of verification, but the entire journey of a user — how they landed on your site, what they clicked, how fast they moved the mouse, whether their typing pattern feels human, whether their device fingerprint looks consistent, whether the IP address matches their location, whether this account has been used for fraud before across Google's entire network of data.

This is not just captcha replacement. This is a full trust platform for businesses that need to make decisions about risk and fraud in real time.


Why This Matters for Developers

Here is the thing that got me genuinely excited about this announcement. As someone who has worked on e-commerce platforms and dealt with fraud detection before, I know the pain of trying to stop fraudulent transactions without blocking legitimate customers.

Rule Editor
ms
The old reCAPTCHA was frustrating for everyone. Legitimate users had to prove they were human. Developers had to implement it, debug it, deal with false positives, and still end up with fraud getting through anyway. And attackers got smarter — they built farms of humans to solve captchas for them, they used AI to bypass image recognition challenges, they found ways to make bots behave just human enough to pass the basic tests.

The result was a perpetual arms race that nobody was winning.

Fraud Defense flips this entirely. Instead of asking are you a robot at a single gate, it asks can we trust this interaction based on everything we know about this user, this device, this behavior pattern, and this context.

This means fewer interruptions for real users. No more squinting at blurry images just to add something to your cart. No more being blocked from your own account because your VPN made you look suspicious.

And for developers, it means much more powerful tools to actually fight fraud — not just stop the most obvious bots, but understand the full picture of what is happening on your platform.

agent overview chart

How It Works: The Policy Engine

The core of Fraud Defense is what Google is calling a policy engine. Think of it as a rules system where you can define how risk decisions get made based on all the signals available.

In practice, this means you can set up rules that make sense for your specific use case. A bank might want very strict verification because a compromised account could mean financial theft. A news site might want lighter touch verification because they just want to stop scrapers without annoying their readers.

You can layer intelligence into these policies. The system can score every request based on thousands of signals — device age, behavior patterns, historical fraud data, third-party threat intel, IP reputation — and then your policy decides what to do with that score. Block it, challenge it with a lighter verification, or let it through.

For developers building on Google Cloud, this integrates directly with their existing infrastructure. You do not need to rip out your current auth system and replace it with something new. You layer Fraud Defense on top as an additional risk signal that makes your existing decisions smarter.


The New Verification Experience

One of the most interesting parts of the announcement is the evolution of the actual challenge experience for users. Google showed a new QR code-based verification that is genuinely clever.

Imagine you are logging into a high-value application — maybe a banking portal or an admin dashboard. Instead of typing a code or answering security questions, you scan a QR code with your phone. Your phone confirms your identity through biometrics, and the session on the computer is verified in seconds with essentially zero friction.

This is dramatically better than the old way for two reasons. First, it is fast. No typing, no reading, no guessing. Second, it is actually more secure — scanning a QR code with your personal phone that has your biometrics is significantly harder to spoof than a distorted image or an audio challenge.

For developers, this means you can now offer genuinely better security without making your users miserable. That is a rare combination.


The Agentic Web Problem

Google framed this launch around the concept of the agentic web — the idea that soon, software agents will be doing more and more on behalf of users. Booking travel, making purchases, filling forms, scheduling meetings — all handled by AI systems acting on your behalf.

This creates a fundamental challenge for traditional verification. If an AI agent is legitimately acting on behalf of a human, how do you verify that the request is authorized? The old captcha approach treats all automation as suspicious by default, but in an agentic world, some automation is completely legitimate and even desired.

Fraud Defense is explicitly built to handle this. The system is designed to differentiate between unauthorized bots, suspicious automated behavior, avxnd legitimate AI agents operating with proper authorization. It looks at the broader context — is this agent known and trusted, has this user authorized this specific action, does the pattern of behavior indicate consent?

This is a genuinely forward-looking approach. Most fraud and verification systems today are still fighting the last war — trying to catch bots and scrapers. Fraud Defense is trying to solve the next problem before it becomes a crisis.

qr code

What This Means for the Average Business

If you run an online business and deal with fraud or fake accounts, this matters a lot. The old reCAPTCHA was a cost of doing business — you accepted some fraud, you accepted some user frustration, and you hoped the balance came out okay.

Fraud Defense changes that math. By providing much richer signals about what is happening on your platform, you can actually make better decisions. Lower fraud without raising false positives. Smoother user experience without opening yourself up to abuse.

For large enterprises handling millions of transactions, this could represent significant cost savings — fewer fraud losses, fewer manual reviews, fewer chargebacks. For smaller businesses that could not afford sophisticated fraud detection systems, this brings enterprise-grade intelligence within reach through Google Cloud infrastructure.


The Bigger Picture

What strikes me most about this announcement is the timing. Google did not just decide to rebuild reCAPTCHA for fun. They did it because the threat landscape has fundamentally changed.

Bots used to be easy to catch. They moved wrong, clicked wrong, behaved wrong. But as AI has advanced, the line between human behavior and automated behavior has blurred considerably. A sophisticated enough bot can move a mouse naturally, type at human speed, avoid common honeypots, and pass basic behavioral checks.

The old captcha approach is simply not adequate for this world anymore. You cannot reliably tell a human from an AI-generated bot using static challenges.

Fraud Defense approach of looking at the full context — the entire behavioral pattern, the device history, the cross-platform signals — is the only viable path forward. It is not about passing one test at one moment. It is about building a continuous understanding of trust based on everything Google knows across billions of interactions.

That is a very different philosophy, and it is the right one for where the internet is heading.


Final Thoughts

As someone who has spent time building and maintaining web applications, I am genuinely excited about this launch. The old captcha experience was a necessary evil — something we inflicted on our users because we had no better option. Fraud Defense finally gives developers a real alternative.

The hands-on aspects are what make me most curious to try it. The policy engine seems powerful enough for real enterprise use cases, and the fact that it is available through Google Cloud means any developer can experiment with it without massive infrastructure investment.

Most importantly, it is designed for where the web is going — not where it has been. The focus on the agentic web, on handling authorized AI agents differently from unauthorized bots, on continuous trust signals rather than point-in-time verification — all of this points toward a more thoughtful approach to the problems developers will actually face in the next five years.

Whether this actually delivers on its promise depends on how well it works in practice across real, varied use cases. But the direction is right, the philosophy is sound, and the execution looks thoughtful. That is more than you can say for most product announcements.

I will definitely be experimenting with this on my own projects. And if you have been dealing with fraud, fake accounts, or bot problems without a good solution — you probably should too.


Tags: googlecloud frauddefense security webdev ai recaptcha cloud devops developers