Indie Dev TinyBuild Lost $450K To Fraudulent Sales Facilitated By G2A

An anonymous reader quotes a report from Paste Magazine: Indie developer TinyBuild, the studio behind Punch Club, Party Hard and SpeedRunners, had thousands of their game codes stolen through fraudulent credit card purchases, which then wound up on G2A.com, a site that allows people to resell game codes. The basic idea behind G2A is straightforward and pretty harmless: with the amount of game codes sold through Steam, the Humble Store/Bundle, and more, the site gives consumers a place to sell unwanted game codes. However, in doing so, G2A has created a huge black market for game codes sales. As TinyBuild described in their blog post on the matter, the common practice for scammers is to "get ahold of a database of stolen credit cards on the dark web. Go to a bundle/3rd party key reseller and buy a ton of game keys. Put them up onto G2A and sell them at half the retail price." This allows scammers to make thousands of dollars while preventing any profit from reaching the game developers because, once the stolen credit cards are processed, the payments will be denied. G2A states that TinyBuild's retail partners are the ones selling the codes on G2A, not scammers, despite the thousands of codes they lost through their online store to fraudulent credit card purchases. In 2011, TinyBuild was in the news for uploading their own game, a platformer called No Time To Explain, to the Pirate Bay.

Serves them right

[Dunbal]

I mean, they are the ones handing out game codes without waiting for confirmation that the credit cards being used to buy them are in fact authentic. I think they're full of shit. Everyone else apparently can process credit card payments properly, waiting for the bank to give them the OK before giving out the codes. Apparently only these guys manage to get ripped off in an age where everyone accepts online payments/activation.

Re:Serves them right

There are *tons* of companies that get ripped off by this exact same thing (I work for one of them). The transaction goes through, and then *after* the person the card is stolen from finds out hours or maybe days later, a chargeback is issued and the steam keys are already long gone. You could try to put a 3 day waiting time or something on redeeming your keys but that is obviously incredibly user hostile and nobody would put up with it.

Re:Serves them right

[Dunbal]

a chargeback is issued and the steam keys are already long gone.

Have you ever done a chargeback? You want user hostile try doing that. First the bank will intimidate you and tell you there's a "service fee" of $25 or $50 or whatever for even TRYING to charge back, THEN they say they will "investigate" and MAYBE the charge will be reversed next week sometime. Then finally if the planets are aligned correctly and the bank really feels like it - they MIGHT approve the charge-back.

Seriously if this is such a major issue and not a flaw with this particular company's security/site design/business model (or a really shitty bank they happen to have chosen), how come absolutely everyone isn't bitching about this? I'm curious. At some point credit card fraud becomes the bank's problem and not the vendor's problem.

Re:Serves them right

[OverlordQ]

You have no clue how any of this works do you?

Re:Serves them right

I mean, they are the ones handing out game codes without waiting for confirmation that the credit cards being used to buy them are in fact authentic

<citation needed>
These are chargebacks, not incomplete transactions. The banks provide confirmation almost immediately, but if you want to prevent chargebacks from happening after you've given the code then the only way to accomplish that would be to accept the payment and then wait 120 days before letting your customer access the code. No, "everyone else" doesn't do that.

Re:Serves them right

I don't know about that. I got a nice email from my bank that someone had made a suspicious charge at a grocery store not too far from where I live. It said not to worry about it, and that they were investigating. I called the number on my card, and their security team did confirm they sent the email. They asked me to confirm a few charges I recently made as valid or not valid. A few weeks later, I got a letter in the mail that said they completed their investigation, and the entire charge was now void. I would not be responsible for it.

So...maybe your bank just sucks ass.

Re:Serves them right

[Dunbal]

So basically a bank has nothing to lose from fraudulent use of THEIR credit card system. Either the account holder pays, or the merchant pays. No wonder banks are in no fucking rush at all to deal with the gaping security holes in their systems.

Re:Serves them right

[TheNarrator]

I worked for a company that had similar scam problems. These scammers are able to pull off these scams at absolutely massive scale and they've been doing it for years against everyone and anyone. They find any little rinky dink offer and exploit the living crap out of it. They have so much talent that you wonder why they don't conduct actual legitimate business.

Re: Serves them right

The obvious solution is cooperation between code resellers and code oems.

Specifically, the oem has a free mechanism for the reseller to check the time between original purchase, and attempted resale.

Couple that with a moratorium on resale, say a week before the reseller will buy you code, and you make the easy money not so easy, which will discourage fraud of this type.

Re:Serves them right

[ArmoredDragon]

Have you ever done a chargeback? You want user hostile try doing that. First the bank will intimidate you and tell you there's a "service fee" of $25 or $50 or whatever for even TRYING to charge back, THEN they say they will "investigate" and MAYBE the charge will be reversed next week sometime.

I've done chargebacks numerous times, and haven't had this once happen to me. Who is your bank? They obviously suck and I'll make sure I never do business with them.

Anyways this is credit card theft rather than a simple chargeback. In the case of fraudulent transactions, by law the bank can only hold you liable for up to $50 in fraudulent charges. And basically every bank that doesn't suck has a zero liability policy, meaning that anything somebody put on your card without your permission doesn't cost you a cent. I've had this happen a few times as well (typically from some merchant who had their credit card database hacked) and the only negative thing that happened to me was that I had no credit card (which I buy practically everything with) until my new one came in the mail.

Re: Serves them right

Just revoke the keys -- I'm really not seeing the issue, especially with digital/revokable media.

Re: Serves them right

I've had both experences and everything in between.

Definetly time for a disruption in the business though.

Re:Serves them right

a chargeback is issued and the steam keys are already long gone.

Have you ever done a chargeback? You want user hostile try doing that. First the bank will intimidate you and tell you there's a "service fee" of $25 or $50 or whatever for even TRYING to charge back, THEN they say they will "investigate" and MAYBE the charge will be reversed next week sometime. Then finally if the planets are aligned correctly and the bank really feels like it - they MIGHT approve the charge-back.

Seriously if this is such a major issue and not a flaw with this particular company's security/site design/business model (or a really shitty bank they happen to have chosen), how come absolutely everyone isn't bitching about this? I'm curious. At some point credit card fraud becomes the bank's problem and not the vendor's problem.

Only if you're a dumb nigger. But then that's redundant, "dumb nigger". All niggers are dumb. That's why they're violent and tribal and constantly shoot each other worse than racist whites ever thought about doing. That's why they exceed every single "fail at life" stat available: obesity, single motherhood, criminal activity, drug abuse, poverty, you name it, niggers top the charts. Send 'em back to Africa. They keep complaining about how they dislike it here, okay, send them all back. The local warlord in whatever African country will be happy to show them what being a thug-nigger is REALLY all about.

Re:Serves them right

[AK+Marc]

The few times I've done a chargeback, I simply had to swear, on a recorded call, that I did not have the item I was charged for. Just a few seconds on the phone, no fees, no threats of fees, just done.

Re: Serves them right

The chargeback penalty fee? PayPal, for example, will charge the merchant $20 per chargeback.

Re:Serves them right

That is the problem with US cards and magstripes.

When you visit a site (eg Amazon or Paypal) you let those sites store your card number. You don't let Steam, GoG, Nintendo, Sony, Microsoft, etc store it. That way you know exactly who has your card number at all times. You also don't allow your web browser to store it either, all you need is a "form skimmer" ad on the website to snag your payment information because the web browser decided to auto-fill your contact information.

Only used tokenized payments (eg Apple Pay, which works everywhere that has a NFC EMV reader) and places that like to save your card numbers for loyalty purposes can go to hell.

Re:Serves them right

[whoever57]

One of my banks will occasionally send me a text message asking if a charge is legit. I can approve or deny it by texting back "yes" or "no".

Re:Serves them right

[EzInKy]

Why not have face to face stores then? It is much harder to steal from someone when you are looking them in the eye.

Re: Serves them right

The issuing bank has usually already given the money back to their customer before initiating any charge backs.

Banks that don't do enough to prevent it lose a lot of money to fraud.
Dispute resolution takes time and money, it's not in their best interest to do it often.

Re:Serves them right

[eWarz]

False. The real scenario: That is the problem all over the world, but in my apple walled garden, that seemingly doesn't exist. Nevermind the fact that credit cards 'have never been cloned before'. I can take a picture of the front and back of your credit card and for apple's purposes, it's legit.

Re:Serves them right

[tlhIngan]

Have you ever done a chargeback? You want user hostile try doing that. First the bank will intimidate you and tell you there's a "service fee" of $25 or $50 or whatever for even TRYING to charge back, THEN they say they will "investigate" and MAYBE the charge will be reversed next week sometime. Then finally if the planets are aligned correctly and the bank really feels like it - they MIGHT approve the charge-back.

Seriously if this is such a major issue and not a flaw with this particular company's security/site design/business model (or a really shitty bank they happen to have chosen), how come absolutely everyone isn't bitching about this? I'm curious. At some point credit card fraud becomes the bank's problem and not the vendor's problem.

Yes, and if it's that hard, you need to get a new card.

Because I've had to do a chargeback, and it cost me 5 minutes.

Some background - basically I ordered a product online, and it never arrived. I contacted the store and they never replied, and after a month of waiting, I gave up.

I called my bank, told them this and they were more than happy to do a chargeback. They refunded the money immediately while they investigated, told me I could be responsible for the charge up to 3 months later, and that's it. Time passes, and no charge, because I never got the item. (I'm not even sure if the store ever bothered responding).

No muss, no fuss, the money was back 5 minutes after the call. And from what I can tell, all credit cards work that way - the charge back process is extremely easy and painless.

If you made the mistake and used a debit card, then heaven help you. Credit cards are governed by many laws and regulations which make chargebacks easy. Debit cards, not so much, so it's up to each financial institution to deal with it in their own way.

And even when the charge is fraudulent, they are super easy to deal with - they even will overnight me a new card if I needed it. For free.

If you're dealing with that, you either made the fatal mistake of using a debit card, or have a really shitty bank and need to switch, because even the nationals are way better.

Oh, and on the flip side - when you do a charge back, a hold is placed on the merchant's account for those funds so that money is captured while the investigation proceeds. Part of Paypal's shittiness stems from this fact - they allow anyone to pay anyone with credit cards and most people don't actually realize what responsibilities they have in doing so or what accepting credit cards really means. If you wonder why no one else tries to compete in this area, well, there you go. It's the only service Paypal has that has no competition because no one wants to enter the arena - it's just fraught with all sorts of bad user experiences and danger.

Hell, people were wondering why Apple wouldn't want to get involved - same reason. Shittiness all around if you aren't careful, and most people don't even read the ToS.

Re:Serves them right

[davester666]

Really? Every once in awhile I'll notice a fraudulent charge on one of my credit cards, I phone the number on the card, challenge it, and then they either void it fairly soon afterwards, or, (only happened to me once), they send me a form to sign basically saying that I verify that I didn't make the charge, and then they void it. I get hassled more trying to return a mostly full container of cream that had gone bad before it's due date at the local grocery store (with a receipt).

Re: Serves them right

If it results in inactive codes they will stop bothering to try charging back

Re:Serves them right

[just+another+AC]

No it's not. If you are amoral (or better yet sociopath tendencies) - it is just as easy to steal from someone while looking at them.

Sure in this case, it creates overhead of having to have a physical card to program the stolen info on - but this is completely unrelated to your claim that the "personal touch" will stop thieves.

But congratulations, at least you have a conscience (just remember not everyone does).

Re:Serves them right

You're assuming that it's the fraudster who's doing the chargebacks, saying "I changed my mind". It isn't - it's all the victims who notice unauthorised payments and complain to their banks. And in practice nearly all of them succeed, because if the banks don't pass the loss onto the vendor then they end up on the hook for it themselves.

Re:Serves them right

[Opportunist]

Same. I once transferred a few hundred bucks to an account abroad only to get a call just minutes after placing it whether this was really me and whether I really wanted this to happen.

With all the flaws my bank has, this really impressed me.

Re:Serves them right

[drinkypoo]

They have so much talent that you wonder why they don't conduct actual legitimate business.

Because endless growth isn't, and the low-hanging real opportunities are already exploited by incumbents who will wield the legal system against new entrants into the market. If you go criminal, you don't have to deal with all the regulations that real businesses have to observe and you keep a lot more of what you earn.

Re:Serves them right

Banks in the US cannot charge a fee to a consumer for initiating a chargeback.

They can and do charge merchants fees for handling chargebacks.

Re:Serves them right

[WorBlux]

Dude, you need a different bank/card company.

Re:Serves them right

Have you ever done a chargeback? You want user hostile try doing that.

  how come absolutely everyone isn't bitching about this? I'm curious. At some point credit card fraud becomes the bank's problem and not the vendor's problem.

Like many other repliers... perhaps because this is not the norm? I also had a fraudulent charge appear on my credit card, one courteous call and ten minutes later, it was reversed without any hassle. Well, apart from having to wait for the new card in the mail.

On the off chance - are you talking about credit card or debit card transactions? Debit cards are fundamentally different, even though to most people they seem almost interchangeable. Essentially with a debit card, it is almost the same as handing over cash. Trying to get someone to hand back a wad of cash is different than what amounts to cancelling a debt. (I'm sure there are people who can explain the difference a lot better)

Re:Serves them right

[budgenator]

If your a business operating as a going concern then no the bank has little to lose, when a chargeback occurs it just get taken out of your current payments with an explanation and a service fee. A while back we had a rash of refunds and chargeback so the credit provider sent a representative out to have a chat with us, we explained that a consultant instituted some business practices had caused problems with buyers remorse and clients not fully comprehending what they were agreeing to. We fired the consultant and reverted some of the practices that were causing problems, our discount rates and transaction fees went up for a 6 month probationary period, and are now back to normal.
Now if a business isn't operating as a going concern the bank can really get hurt because the current payments may stop at any time. Businesses that sell tangible goods from a brick and mortar store get better rates because the risks are lower; an internet porn sites rates are very high because they get a lot of chargebacks on there intangible digitally delivered goods, so the risks are very high. Game keys are also an internet intangible.

Re: Serves them right

what? that does not make sense,

if i purchased game today, tried it, and want to sell it tomorrow for half price because it sucks why i have to wait with no money next 3 months, even worse game will be old than so worth less so i can get less of my money back

second, even worse problem, what if i am honest re-seller (majority ARE honest, very small percent are criminals) and i find big sale "family pack" where you pay 2 games and get 10 games "deal only valid today", i buy 200 games (100 "packs") and get 1'000 games, wait one day until offer is not anymore available, and than sell for a bit under normal price in packs of 1 (not 10) and make enough money to pay rent for next year

now if i have to wait 3 months after giving my money to be able to resell it, i will not be able to pay rent for 3 months, or even eat for 3 months since all my money is tied in this 1'000 copies of game
and after 3 months if im not already living on street value of game has fallen a lot, as you know games/movies are decreasing fast in value, so instead of having enough money to pay rent for whole year i might have just enough to pay rent for 6 moths ...

and all that just because some indie dev didnt want to pay for chargeback insurance to their credit card processor

Re: Serves them right

[slazzy]

For some reason my bank only does paper statements so it could be 45 days before I see who bought what on my card. They are quick at doing chargebacks though.

Re:Serves them right

[rhyous]

No for me. Charge backs are easy as can be.

Well's Fargo calls me. Hey we detected fraudulance on your card. Are these your expenses. They have called about 10 times. 2 times, I my card was pwned. Both times, they handled it all in seconds with no issues.

One time, I called Well's fargo, they didn't call me. Same deal. They canceled my current number, credited the charge and had me a new number all in a three minute phone call. Easy as can be.

Stolen?

[dohzer]

Wait... stolen or purchased illegally?
There's a difference, isn't there?

Re:Stolen?

[Fire_Wraith]

Likely this is just another angle in internet crime. Stealing credit card information is easy, monetizing that is harder than you think. You can't just use a US credit card to make a bunch of charges in Russia/China/etc. You'd need a way to turn that into money you can use. One of the ways they've done it in the past is to recruit accomplices in the US, usually through those work at home schemes you see spammed into comments in various places. When the accomplice gets busted, all they're out is a patsy. This sounds like it's easier though - buy game codes with stolen cards, resell the game codes for money that goes straight to you with no direct tie to the stolen card.

Re:Stolen?

[OverlordQ]

* Scammers get stolen credit card data.
* Scammers buy lots of CDkeys from tinybuild.
* Scammers put keys up on G2A.
* Legit cardholders chargeback unauthorized purchase
* tinybuild out money and a cd key.

Re:Stolen?

you missed..
* tinybuild gets Steam to revoke the codes used.

If even 10% of the users who bought these game codes issued chargebacks or stopped using G2A I'm sure they'd take notice.
I bet the customer support headache from 2600+ complaints would be a problem for G2A.

Re:Stolen?

Geezus I'm tired of Slashdot dorks with their idiotic distinctions that make no sense to anyone who isn't reg on this or a similar board.

Was it "murder"... or physical confrontation with unfortunate consequences? Go explain it to the police, wiseass.

Re:Stolen?

[Kjella]

* tinybuild out money and a cd key.

Well apart from fees and administration they're just back to zero. The more interesting part is what follows:

* tinybuild are too dumb to link chargebacks to game keys
* tinybuild doesn't deactivate any keys
* G2A customers happy, G2A happy, tinybuild unhappy

Instead of:
* tinybuild links transaction id and game key on sale
* tinybuild invalidates game keys with chargeback
* G2A customers go mental
* tinybuild says too bad, take it up with seller
* G2A customers chargeback their purchase
* G2A ends up in trouble

They're complaining because they're too dumb to solve their own problem, particularly if this happens on a mass scale.

Re: Stolen?

Exactly, this. Tinybuild keys are between the original purchaser and Tinybuild. If the purchase is charged back, Tinybuild should immediately revoke the key that went with that purchase. Nobody should give a crap about the middleman reseller and the secondhand buyers -- this had nothing to do with them.

Re:Stolen?

tinybuild says too bad, take it up with seller

And a large percentage of buyers still hold it against tinybuild. Of the people I've seen that had keys invalidated for one reason or another (and know offline, so not just some kid bitching in a forum), the vast majority hold it against the publisher that invalidated the key. This is regardless of who much it is not the publisher's fault, including people who were blatantly cheating on a server that gave them warnings before banning them to even people who used a keygen and didn't actually lose any money. People want someone easy and immediate to blame, which falls on the company revoking the keys as much, if not more, than the seller.

Re:Stolen?

or easier yet, leverage the built-in authentication methods of steam and others. no code needed (one is often given but is no-doubt flagged at initial purchase as 'used' and by whom), but you sure as hell will authenticate via that store front/distributor's login system, rules and policies. as an added bonus, no fucking around with wholesalers, retailers, resellers, or the ripoff artists themselves, the banks, merchant accounts, and paypal.

Re:Stolen?

[rsmith-mac]

tinybuild invalidates game keys with chargeback

Can Steam even do that? I know that they can revoke games purchased within the Steam ecosystem, but I've never heard anything about revoking a copy that comes via a key.

Since Valve isn't involved with how that key is sold, I could certainly see them not allowing vendors to revoke games. The last thing Valve wants is customers bitching to them about losing access to a game, and of course Valve can't do a thing since they aren't the original seller and can't refund the purchase.

Re:Stolen?

[Wizarth]

Interestingly, this requires DRM (dialling home to validate keys periodically). So if the company does the "good" thing and releases their game without DRM, they are set up for exactly this kind of rip off.

Re:Stolen?

It can be done with a game update that invalidates the stolen keys.

Re: Stolen?

In the Netherlands we have "i-deal" since 2005, which prevents this kind of problems. https://www.ideal.nl/en/

It can be rolled out in the US, but companies like Visa and MC don't want that.

Re:Stolen?

[eWarz]

Yes, they can. I've had it happen on about 1% of the purchases that I've bought from G2A (publishers DO report chargebacks, which filter up to valve). G2A refunds the money for sure, but they are left holding the bag. You don't get notification when valve revokes your license, nor will you with other publishers such as blizzard. Took me 2 months to get an issue resolved with blizzard (didn't notice until after the revocation had occurred). While G2A resolved it amicably (after I reported it), I've not bought a game from them since. G2A is a fly-by-night company. If they went out of business tomorrow due to charge-backs, the owners walk away millionaires and leave you, or your credit card company, SOL.

Re:Stolen?

And a large percentage of buyers still hold it against tinybuild.

Are you sure? I'm not that into gaming, I stay clear of Steam/Origin or any other software that wants to "manage" my games.
I've heard from several sources that G2A are sketchy before. The not-so-tech-savvy user is not going to know about G2A at all.
I think a large part of the persons buying from G2A have heard that they deal with stolen keys and just don't care as long as they get the game.

Re:Stolen?

[AmiMoJo]

They aren't dumb, they spun this situation into some great and almost free publicity. As you point out, the "lost" codes actually cost them almost nothing since it's likely just an automated back-end and key generation server. If they revoked all those codes it would create additional cost (admin, the need to create a key revocation system) and misdirected rage towards them.

This way they get some nearly free publicity for their games, much like they did when they uploaded a previous title to The Pirate Bay. This is how companies should treat piracy and these kinds of scam - an opportunity to monetise a nearly free resource they have.

Re:Stolen?

[Xest]

It's probably worth noting that G2A shouldn't be treated as some kind of saint, the organisation is in itself as dodgy as they come. They engage in all sorts of illegal practices such as advertising instant delivery on purchase of game keys and then demanding you hand over your phone number, or e-mail them a scan of your passport inevitably resulting in deliver of your key being far from instant.

Furthermore, in the past they've been outed as one of the biggest abusers of paid reviews to give their company a massively inflated rating. I believe they have their roots in WoW/other MMO gold farming using Chinese sweatshops to farm gold.

It wouldn't surprise me therefore if it was the case that G2A is helping facilitate the criminals actions whilst making life difficult for tinybuild, G2A are after all very clearly and openly willing to break the law to make money in other cases, so why not in this case?

G2A is one of those companies that kind of works for consumers in practice whilst nothing is going wrong, but is ultimately just not a good idea and should probably be shut down, because given the intrusiveness of data it collects on people (again, passport information) coupled with it's generally shady practices and willingness to work with criminals it's pretty much inevitable that it's not going to end well. It strikes me as the sort of company that's a mass consumer credit card fraud tragedy or similar just waiting to happen and given that it's based in China there will be zero accountability for the impact on it's largely Western customer base when it does.

Re:Stolen?

> Are you sure?

I'm not the above AC but I am. People feel very entitled, especially bargain hunters who think they are smart by going to sites like G2A. They'll blame it on the easiest target who can get them a new key, i.e. the indie dev who cannot afford the publicity of someone with too much time on their hands going on a social media crusade to portray themselves as the victim of a shady developer.

Re:Stolen?

You don't understand. The game keys aren't the issue. The issue is the massive amount of chargebacks and fees associated with it.

Re:Stolen?

That is not correct. They are competing against stolen copies of their own game. Who would buy a full price version on steam when they can get a stolen Key from a reseller online for half the price?

Re:Stolen?

Both. They abscond with the keys after using illegal purchases (someone else's money) to get access to the keys in the first place.

Re:Stolen?

[flink]

As you point out, the "lost" codes actually cost them almost nothing since it's likely just an automated back-end and key generation server.

There's some cost because some percentage of the customers that bought keys through G2A would have been willing to pay the higher cost on Steam if there weren't keys being dumped at artificially lower prices financed by credit card fraud. That number is probably not the full $450k, because some number of those customers don't value the game at the full retail price, but it's probably nowhere near $0 either.

Re:Stolen?

[timrod]

They absolutely can. In late 2011, one of the graphics card manufacturers did a promotion where they bundled Steam keys for Dirt 3 (which was a $60 game at the time) with their cards. The exact delivery system involved something like entering a code from a piece of paper inside the card box into a thing on the manufacturer's site, which would then spit out a Steam key.

Somewhere along the line, someone figured out that you could access a directory on the manufacturer's website that had a single .txt file with all of the keys (several thousand of them) listed inside. The list circulated around the internet, and as a result a whole bunch of people got the game for free. The manufacturer found out a few days later what had happened and went to Valve, who immediately began revoking the game from people's accounts. I don't know how far they actually got, since a couple of people I know who did it still have the game on their accounts today - though I think that might be because they figured out that some of the keys had been used by people who had actually bought the videocard and were now confused as to why access to their game had suddenly been revoked.

The problem for Valve is that it's really hard to make a working policy on this sort of thing. Years ago, they used to lock or ban accounts for receiving gifted games that came from a stolen credit card or if the card used to make the purchase had been issued a chargeback. The problem there became that you'd have people banned for no reason other than that they accepted a gift from someone who later had their credit card stolen or had the charge disputed for some other reason. I can recall at least one instance where someone got banned trying to get around the censorship restrictions in Germany by having someone from the US buy them a US copy of the game.. only to find out that the person in the US was a minor using their parent's credit card and that the parent disputed the charge, resulting in a ban. They've since changed their policy slightly (in that they'll usually only ban the person who made the actual transaction and not the person who received the gift) but it's still imperfect.

At the same time, Valve also had the same issues with Team Fortress 2 and Counterstrike: GO. There were numerous reported cases of Russian or Chinese credit card thieves using stolen credit cards to make in-game purchases (usually "keys" to unlock potentially valuable items) which they would then trade to an unsuspecting victim knowing that Valve was reluctant to delete in-game items once they'd been traded. The scammer would then take whatever they'd gotten in trade and sell it at a fraction of market value. There was one notable Russian scammer who was moving several thousand dollars in TF2 items a week this way. Valve's response to this was to introduce one of the most user-hostile systems ever invented: you either attach a phone number to your Steam account or become almost unable to trade with 20+ day waiting periods involved.

Re:Stolen?

[OverlordQ]

Except that isn't what happens. Companies have tried this before and all this does is get those customers pissed at the developer, instead of their shady sellers.

Re: Stolen?

[OverlordQ]

> , Tinybuild should immediately revoke the key that went with that purchase.

Companies have tried this before and customers went postal. Since they paid money for those keys, how dare they deactivate them.

Re: Stolen?

[orgelspieler]

Except if you charged back, you did NOT pay money for the key.

Re:Stolen?

i am 3rd AC, if i want some game, first i will find where i can get game cheapest
if its $10 at game company, $9 at amazon and $5 at G2A, i will buy it at G2A, and check immediately does it work

if key does not work from start i will say to myself "i was stupid/should not have trusted G2A" and next time less likely to buy there (but G2A has policy if key does not work on first day, they return you money on their cost so this will never happen)

if i try and game plays and i play it for a week and game company itself says i have valid account, and than one day suddenly game company removes my game, regardless what is reason, yes i will be furious and tell all my friends, colleagues, followers, and everybody else for the rest of my life to newer buy anything from that game company, they just lost hundreds of sales for costing me my money for 1 sale ...

Re: Stolen?

You don't get it. The game code was bought with a stolen credit card. It's sold to someone else through a middleman. Later the person whose card stolen reports it and issues a chargeback. The person who bought the game code had no idea it was a fraudulent purchase.

Re: Stolen?

Then you are dumb because the developer doesn't need to subsidize your cheaper games by absorbing charge backs that come in up to 3 months later. That's still between you and the reseller who sold you a bunk key.

Re:Stolen?

[OverlordQ]

> They're complaining because they're too dumb to solve their own problem, particularly if this happens on a mass scale.

You really have no clue what you're talking about do you? Companies have tried this before and people go postal. Instead of going "Well I should stop buying from G2A" they'll go "Well fuck you tinybuild"

Re: Stolen?

Ideology vs reality, your expectations of people are way to high. That is how it should work, what he described is how it does work.

The problem with getting mad at G2A and not the developer is that as the secondary key purchaser I have zero recourse to recoup my money. I may never buy from G2A again but I may also never buy from the developer as those are the two companies I am interacting with and both are blaming each other and the only one hurt by it is me. G2A won't give me money back, Developer won't let me play.

Now I'm very unsympathetic in general as this is how the real world works for other products too. If I buy a bike from a pawn shop (even after the waiting period) and two weeks later the cops come by and confiscate it because it can be proven as stolen property the only one out is me, even though I'm the last person to have known. It's just how it is.

In general I toss this up to Caveat emptor.

But in the end the dev should revoke the keys and if they lose business because of it, well c'est la vie, they have the right to protect their product.

Latin and French in one post, classy.

Place dingdong in hoohoo

nt

No time to Explain is fantastic

[rsilvergun]

And I want the pirate bay version now :). While we're on the subject what ever happened with Green Man Gaming and those gog Witcher 3 keys?

Re:No time to Explain is fantastic

Never heard anything bad about GMG before. Care to elaborate or provide a link to what the issue was?

Game Dev here.

As a mid-tier indie Game Dev, with two titles on Steam, the key system is something I've never quite understood.

It is a hold-over from box copy days. The box industry is still around in the third world, but outside of those few select counties why do keys still exist?

My publisher hands out about five figures worth of keys to about 6 different legit places. After a year, hundreds of "retailers" have my game, all selling them for under Steam price. (Well under discount margin too.)

Leaving out the credit card scamming. Someone can just purchase keys in Yuan or Bhat's or Rupiahs for 40-50% (Or more if the game is discounted) and resell them for 25% less than the steam price. Luckily they closed off Russian keys from being used by anyone but Russians.

On top of this, Steam makes no money on keys. Zero. It's just a distro lock for them.

The key system needs to be done away with. Replace it with an API that legit and official stores can use to grant users copies of games. Extend this API into the client for "gifting." If steam wants, charge a tiny fee for each API transaction from a vendor. More money in their pockets and the system doesn't really change. Allow ownership of multiple copies of a title and allow you to transfer these to other users (But you must always keep 1 copy.) This will allow bundles to still function as they did. If they just did that, it would close up the key black market and make everyone more money. (Except the folks buying on these black markets of course.)

But knowing Steam. This won't ever happen. Hell I can't even send out an update without having 50-100 people having corrupt files issues which file verification doesn't fix. I hate telling people to uninstall my product (and reinstalling) to fix their problems.

Re: Game Dev here.

Well this is why god invented always-online, client-server games...

Re: Game Dev here.

So what should the client/game pass to the server API to prove the copy is legit....hmmmm..... let me think....I know! A KEY!

And your are an Indie game developer?

Re:Game Dev here.

[ensignyu]

Humble Bundle used to require you to sign into your Steam account and they would add the game directly to your account instead of giving you a key. It was originally keys, then the linking system, and then back to keys.

I'm guessing that Valve disabled that API because they don't want to make the process of buying games outside of Steam as seamless as their own store.

Re: Game Dev here.

Oh yeah, I love when those games make millions then get shut down after 3 years because millions per region is apparently not profitable enough.

Re: Game Dev here.

Derp!

The point is to get the keys out of customers hands and make it a vendor to steam transaction or an in-client transaction.

Re:Game Dev here.

"Someone can just purchase keys in Yuan or Bhat's or Rupiahs for 40-50% (Or more if the game is discounted) and resell them for 25% less than the steam price."

Oh noes! Someone bought the game for a price you were willing to sell it for, and then sold it on.

Why is it when companies/corporation take advantage of globalisation it's good. But when consumers take advantage via parallel imports, it's bad?

Besides, steam has a region system (it's not just Russia) for preventing this if you really wanted to.

Re:Game Dev here.

[El_Muerte_TDS]

Changes in Steam key redemption

A little over a year ago, we launched OAuth Steam key redemption, creating one-click Steam key redemption for games purchased through Humble Bundle. However, Steam is removing support for OAuth, so we’ll be returning to the system we used before, which requires you to manually redeem your Steam keys.

http://blog.humblebundle.com/p...

Re:Game Dev here.

[kav2k]

Luckily they closed off Russian keys from being used by anyone but Russians.

And that's why, as a Russian, I need keys to exist. After the ruble crash happened, Valve decided to region-lock activation of gifts from Russian accounts. And I have many friends outside the geofence.

As a result, I have to use sources outside Steam to gift games to those friends (Humble, GMG, direct sales).

Re:Game Dev here.

On top of this, Steam makes no money on keys. Zero. It's just a distro lock for them.

That's how they make money: competitors have to make their customers install the Steam client.

There's little more valuable than having your dedicated store-app on millions of devices. Great to get eyes on your ads and keep people from going back to competitors because they already have to have the Steam store running all the time.

Replace it with an API

Requiring an API would just further Valve's already-near monopoly. Valve would have total control over which of their competitors are allowed to sell games. That's about as big a conflict of interest as you can imagine: you'd need a license from Valve to be allowed to compete with them, and in your example you'd have to pay them for the privilege.

Plus, you'd have to log into Steam from 3rd party sites, which likely would make people even more reluctant to buy from legitimate shops.

The whole focus on Steam as the sole distribution platform is already pretty unhealthy.

Re:Game Dev here.

[AmiMoJo]

Extend this API into the client for "gifting."

No thanks. This is why players want codes, they want something physical that they can re-sell, gift and lend without having to rely on the good grace of Valve to allow it. If you want to tie games into a system like that you had better reduce your prices appropriately, because your product is worth much less than a physical copy.

You can't do that either

[rsilvergun]

since most merchant processors require delivery of goods to be prompt. The best bet here would be to verify the 3/4 digit code on the Card and the billing address and (if you're not in North America) do "3D Secure". The trouble with this is it makes the transaction harder on legitimate purchasers.

What worries me is the possibility that G2A is making most of their sales off this. I honestly don't know, and I'm not sure how you could prove it. These key reseller sites always struck me as a little dodgy though so I've steered clear in the past. I'd rather pay an extra $5 bucks and get it from a site I know/trust. Heck, I don't even shop at GMG anymore because of the shady goings on with the Witcher 3...

GW2 affected also

On the Guild Wars 2 forums, it turned out a player had purchased the Heart of Thorns expansion from G2A and their account was suspended. Later they found out the serial they purchased was obtained through a fraudulent credit card purchase. The player's account was reinstated but access to what they purchased was removed.

https://forum-en.guildwars2.com/forum/support/support/Guildwars-2-Account-Suspended-I-need-help/first#post6210373 [Guild Wars 2 forums]

So it seems G2A has a hand in defrauding multiple game companies

Speaking of the Pirate Bay

No Time To Explain, to the Pirate Bay.

https://kat.cr/tails-1-4-1-i386-iso-multilang-tntvillage-t10922671.html
http://lsuzvpko6w6hzpnn.onion/tails-1-4-1-i386-iso-multilang-tntvillage-t10922671.html

Use Ed Snowden's Tails. You can run but you can't hide.

This summary and story is a m-fing HOAX

G2A has created a huge black market for game codes sales

There is no huge market for game codes on Tor. What a bullshit story. Run Tails in a VM as a live CD and go look on Tor yourselves. The link above for 1.4.1 is the only safe way to use Tor unless you know what you are doing.

Re:This summary and story is a m-fing HOAX

Also, if you get a message in your VM that the time is off by several hours simply change the time zone and time in your VM and offset it by whatever the Tor network will accept.

In general it is a good idea to run your PC clock in a different time zone. This totally screws up Google tracking among other surfing trackers. Better yet is to have your system clock completely set wrong at any time you don't implicitly need it correct.

The US government (FBI/CIA) completely depend on timelogging for tracking as a failsafe.

Firefox (mysteriously *cough* enough) blocks time zone spoofing in the browser settings itself as of Firefox 45.0. Now you have to literally change your clocks on your actual PC or individually in virtual machines to scramble the tracking the US government loves so much.

I suggest you spread this wisdom on Reddit and Facebook and other forums to every man woman and child. The amount of tracking right now is asinine.

Re:This summary and story is a m-fing HOAX

All modded down to hide from Google scraper.

The American Government is actively monitoring Slashdot. Smartest post on Slashdot in 20 years.

Re:This summary and story is a m-fing HOAX

Streisand effect
The Streisand effect is the phenomenon whereby an attempt to hide, remove, or censor a piece of information has the unintended consequence of publicizing the information more widely, usually facilitated by the Internet. It is an example of psychological reactance, wherein once people are aware something is being kept from them, their motivation to access and spread the information is increased. More at "Wikipedia"

am I missing something legally here?

[v1]

G2A states that TinyBuild's retail partners are the ones selling the codes on G2A, not scammers, despite the thousands of codes they lost through their online store to fraudulent credit card purchases.

Since when did "selling stolen property" become legal???

Re:am I missing something legally here?

What was stolen?

Re:am I missing something legally here?

[RogueyWon]

You're right, of course, that there is criminal activity here and that getting law enforcement involved would in theory be a better idea than just complaining on the internet.

However, for quite some time there's been a level of criminality around the margins of games-reselling - and I'm not talking about piracy here. As others above have pointed out, what is likely going on here with G2A is money-laundering; people are probably making "unprofitable" trades using the service to convert "dirty" (and hard to use) money from stolen credit cards into "clean" money. This isn't exactly a new concept; when a "bug" in MS's phone-support protocols allowed a large number of Xbox Live accounts to be compromised a few years ago (it got little media coverage, because it wasn't a fancy, high profile attack like the Sony one), the major use of this exploit was to launder money via FIFA Ultimate Team transactions (unique at the time among XBox games for allowing players to monetise and trade in-game rewards).

Hell, even on the high-street, there's a well-known UK brand of second-hand games and movies stores with a distinctive red logo which is (un)affectionately known as "The Fence's Friend", being a favourite destination for smack-heads looking to turn stolen goods into cash quickly. I even spent an afternoon back in 2014 walking around a medium-sized English town with a friend as we hunted its (three) branches in that town for his stolen laptop and games console. And yes, we found them and, as he had proof they were his and was able to find a police officer (who was definitely having deja vu about the situation), he got his stuff back.

Lost due to stupidity

... should be the correct title.

In the current open payment environment TinyBuild should have considered building a system where they can revoke codes/accounts based upon their purchase information.

MAFIAA statistics

In other news, the entire entertainment industry has lost more money than the GDP of the nations they sell their products to.

Regular G2A customer

[RubberDogBone]

Well, I've been a G2A customer for about a year, using it for Windows 8 licenses, antivirus licenses, Steam games, and a few other things.

Their "how do we do this" stuff always seemed a bit fishy but none of the license keys I bought has ever had any issues. I assumed it was legit or it would have been shutdown by now.

But now I see how G2A is able to stay hands off far enough to say it's not their fault, the same way pawn shops avoid being responsible for stolen goods that they end up reselling. I mean it's totally not the shop's fault if the entire neighborhood is being burgled for pawnable stuff. /s

Why are they/we all still using this sort of software key model? Why not do more authentication of purchases and tie them to email addresses or some other thing that can't be resold?

Vendors foot the bill for fraud

Credit card fraud is ONLY the vendor's problem. On a fraudulent transaction the bank removes the money from the vendor's account, charges them a "chargeback fee" of $40-$50 and notifies the vendor after the fact. The vendor has no practical recourse. The credit card company APPROVES the transaction in advance, but if they change their mind, again no recourse.

Re:Vendors foot the bill for fraud

actually no, it is just issue of vendor "tinybuild" not willing to get chargeback insurance

when you sign with CC processor (i did that few years ago but currently i dont need this service) i had 2 options
  - no chargeback insurance, i pay 0.5% - 1% of every transaction in fees, but in case of chargeback i loose money
  - with chargeback insurance, i pay between 2% and 17% in fees
(this depends on industry, every industry has diffrent chargeback rate, videogames are among high-risk/high insurance fee but less than 17%)

so if i sell game worth 100$ i can get 99$ after fees but no insurance, so in case of chargeback i loose all
OR if i choose insurance i sell $100 game and get $83 but in case of chargeback credit card processor will just eat any chargeback costs and i keep my $83

its up to them if they want to insure themselves against thief's, but once they choose they cant complain, it was their choice

Invalidate the codes

[loufoque]

If the charge is cancelled by the bank, just cancel the validity of the code as well.
The only problem is that they probably didn't design their code system to allow this, but that's their own fault.
It's not rocket science.

buyer hostile

[aepervius]

In such a scheme as described there are two ways :
1) ream the end buyer and get it hostile to BOTH G2A and tinybuild because let us get real end buyer would also be unhappy with the developer
2) do what they did and eat the loss knowing this would be better PR rather than remove keys.

Frankly in their position I would do the same, and make sure the PR is out that they did not remove the keys from the end user.... Which is exactly what they did since we are getting them on slashdot and other outfit. That would be a positive points for them and if in the future they develop something it may makes me and other more interrested into supporting them. I would not be surprised if they are right now getting a slight surge in sales.

*Alleged* G2A involvement

It should be noted that the dev is assuming that the keys were sold on G2A with no proof. The only claimed proof is purely based on coincidental listing timing, but that could be due to several factors.

Also G2A offered to work with the dev, if they could provide examples of the allegedly stolen keys, and agree to revoke the keys (Which will drop teh devs sales figure). Instead the dev chose to write a blog post accusing G2A of criminal activity (Facilitating the sale of stolen goods).

Instead the problem here is that the dev failed to link keys to transactions, such that they could revoke keys that were subject to charge backs. This is the equivalent of accepting a promise to pay for goods, delivering those goods, and then blaming ebay because those goods were sold on to other people after the original seller fails to follow through on teh original payment.

The only failure here is the devs in providing safeguards against credit card fraud. But they sure do like getting a cheap shot in at 3rd parties that they don't like for other reasons.

don't be a bank

Rule #1 if you're a startup (i.e. you don't have huge amounts of cash): don't be a bank in *any* way. That means, don't give out *anything* of value without *immediately* receiving cash for it. That's not a new rule. It has been like that forever. Because any such liability is uncontrollable and can catapult you out of business if it goes wrong.
That means your game codes should not work if the CC transaction was unsuccessful.

Re:don't be a bank

[guruevi]

The transactions are successful, it's only later when people check their statements that the charges are flagged as fraudulent and charged back. The customer has 30 days after receiving their statement to dispute a transaction. It could take in the worst case 60-90 days before a merchant gets a chargeback.

The problem here is that CC companies simply do not give any protection against fraud. They have no incentive either, the CC company gets their transaction fees AND a chargeback fee AND issue a $50k/month fine to whoever lost the information (because they aren't PCI compliant) AND get to send in their expensive auditors and higher transaction fees to whoever lost the information (highest level of PCI compliance).

Re:don't be a bank

[jittles]

The transactions are successful, it's only later when people check their statements that the charges are flagged as fraudulent and charged back. The customer has 30 days after receiving their statement to dispute a transaction. It could take in the worst case 60-90 days before a merchant gets a chargeback.

The problem here is that CC companies simply do not give any protection against fraud. They have no incentive either, the CC company gets their transaction fees AND a chargeback fee AND issue a $50k/month fine to whoever lost the information (because they aren't PCI compliant) AND get to send in their expensive auditors and higher transaction fees to whoever lost the information (highest level of PCI compliance).

The fine is levied by the card brands and goes to the card brands, not the issuing or acquiring banks. Furthermore, the amount of the fine is based on the size of the organization in question and the level of compliance they are required to have based on the transaction volume of the organization.

Re:don't be a bank

[guruevi]

That's what I meant by CC companies. VISA, MC etc. They have no incentive to create systems that would prevent fraud. The fine is 50k for the lowest level. I think the fines go up to 500k/month for higher compliance levels.

Can't keys be revoked?

[ilsaloving]

Sounds like these companies need to implement the game code equivalent of CRLs.

Another hypocritical article

[smooth+wombat]

TinyBuild lost nothing since nothing was stolen. At least that is what I am repeatedly by people on here when they try to justify not paying people for their work (movies or music).

So which is it? Either TinyBuild lost money because people are using games they haven't paid for or they haven't lost money because nothing was stolen. You can't have it both ways.

!wutang

For a second I thought the genius was involved