Indie Dev TinyBuild Lost $450K To Fraudulent Sales Facilitated By G2A

An anonymous reader quotes a report from Paste Magazine: Indie developer TinyBuild, the studio behind Punch Club, Party Hard and SpeedRunners, had thousands of their game codes stolen through fraudulent credit card purchases, which then wound up on G2A.com, a site that allows people to resell game codes. The basic idea behind G2A is straightforward and pretty harmless: with the amount of game codes sold through Steam, the Humble Store/Bundle, and more, the site gives consumers a place to sell unwanted game codes. However, in doing so, G2A has created a huge black market for game codes sales. As TinyBuild described in their blog post on the matter, the common practice for scammers is to "get ahold of a database of stolen credit cards on the dark web. Go to a bundle/3rd party key reseller and buy a ton of game keys. Put them up onto G2A and sell them at half the retail price." This allows scammers to make thousands of dollars while preventing any profit from reaching the game developers because, once the stolen credit cards are processed, the payments will be denied. G2A states that TinyBuild's retail partners are the ones selling the codes on G2A, not scammers, despite the thousands of codes they lost through their online store to fraudulent credit card purchases. In 2011, TinyBuild was in the news for uploading their own game, a platformer called No Time To Explain, to the Pirate Bay.

Re:Stolen?

[Fire_Wraith]

Likely this is just another angle in internet crime. Stealing credit card information is easy, monetizing that is harder than you think. You can't just use a US credit card to make a bunch of charges in Russia/China/etc. You'd need a way to turn that into money you can use. One of the ways they've done it in the past is to recruit accomplices in the US, usually through those work at home schemes you see spammed into comments in various places. When the accomplice gets busted, all they're out is a patsy. This sounds like it's easier though - buy game codes with stolen cards, resell the game codes for money that goes straight to you with no direct tie to the stolen card.

Re:Serves them right

There are *tons* of companies that get ripped off by this exact same thing (I work for one of them). The transaction goes through, and then *after* the person the card is stolen from finds out hours or maybe days later, a chargeback is issued and the steam keys are already long gone. You could try to put a 3 day waiting time or something on redeeming your keys but that is obviously incredibly user hostile and nobody would put up with it.

Re:Serves them right

I don't know about that. I got a nice email from my bank that someone had made a suspicious charge at a grocery store not too far from where I live. It said not to worry about it, and that they were investigating. I called the number on my card, and their security team did confirm they sent the email. They asked me to confirm a few charges I recently made as valid or not valid. A few weeks later, I got a letter in the mail that said they completed their investigation, and the entire charge was now void. I would not be responsible for it.

So...maybe your bank just sucks ass.

Re:Stolen?

[Kjella]

* tinybuild out money and a cd key.

Well apart from fees and administration they're just back to zero. The more interesting part is what follows:

* tinybuild are too dumb to link chargebacks to game keys
* tinybuild doesn't deactivate any keys
* G2A customers happy, G2A happy, tinybuild unhappy

Instead of:
* tinybuild links transaction id and game key on sale
* tinybuild invalidates game keys with chargeback
* G2A customers go mental
* tinybuild says too bad, take it up with seller
* G2A customers chargeback their purchase
* G2A ends up in trouble

They're complaining because they're too dumb to solve their own problem, particularly if this happens on a mass scale.