Slashdot Mirror


Indie Dev TinyBuild Lost $450K To Fraudulent Sales Facilitated By G2A (pastemagazine.com)

An anonymous reader quotes a report from Paste Magazine: Indie developer TinyBuild, the studio behind Punch Club, Party Hard and SpeedRunners, had thousands of their game codes stolen through fraudulent credit card purchases, which then wound up on G2A.com, a site that allows people to resell game codes. The basic idea behind G2A is straightforward and pretty harmless: with the amount of game codes sold through Steam, the Humble Store/Bundle, and more, the site gives consumers a place to sell unwanted game codes. However, in doing so, G2A has created a huge black market for game code sales. As TinyBuild described in their blog post on the matter, the common practice for scammers is to "get ahold of a database of stolen credit cards on the dark web. Go to a bundle/3rd party key reseller and buy a ton of game keys. Put them up onto G2A and sell them at half the retail price." This allows scammers to make thousands of dollars while preventing any profit from reaching the game developers because, once the stolen credit cards are processed, the payments will be denied. G2A states that TinyBuild's retail partners are the ones selling the codes on G2A, not scammers, despite the thousands of codes they lost through their online store to fraudulent credit card purchases. In 2011, TinyBuild was in the news for uploading their own game, a platformer called No Time To Explain, to the Pirate Bay.


  1. Stolen? by dohzer · · Score: 2

    Wait... stolen or purchased illegally?
    There's a difference, isn't there?

    1. Re:Stolen? by Fire_Wraith · · Score: 4, Informative

      Likely this is just another angle in internet crime. Stealing credit card information is easy, monetizing that is harder than you think. You can't just use a US credit card to make a bunch of charges in Russia/China/etc. You'd need a way to turn that into money you can use. One of the ways they've done it in the past is to recruit accomplices in the US, usually through those work at home schemes you see spammed into comments in various places. When the accomplice gets busted, all they're out is a patsy. This sounds like it's easier though - buy game codes with stolen cards, resell the game codes for money that goes straight to you with no direct tie to the stolen card.

    2. Re:Stolen? by Kjella · · Score: 5, Informative

      * tinybuild out money and a cd key.

      Well apart from fees and administration they're just back to zero. The more interesting part is what follows:

      * tinybuild are too dumb to link chargebacks to game keys
      * tinybuild doesn't deactivate any keys
      * G2A customers happy, G2A happy, tinybuild unhappy

      Instead of:
      * tinybuild links transaction id and game key on sale
      * tinybuild invalidates game keys with chargeback
      * G2A customers go mental
      * tinybuild says too bad, take it up with seller
      * G2A customers chargeback their purchase
      * G2A ends up in trouble

      They're complaining because they're too dumb to solve their own problem, particularly if this happens on a mass scale.

      --
      Live today, because you never know what tomorrow brings

    3. Re: Stolen? by Anonymous Coward · · Score: 2, Informative

      Exactly, this. Tinybuild keys are between the original purchaser and Tinybuild. If the purchase is charged back, Tinybuild should immediately revoke the key that went with that purchase. Nobody should give a crap about the middleman reseller and the secondhand buyers -- this had nothing to do with them.

    4. Re:Stolen? by eWarz · · Score: 2

      Yes, they can. I've had it happen on about 1% of the purchases that I've bought from G2A (publishers DO report chargebacks, which filter up to valve). G2A refunds the money for sure, but they are left holding the bag. You don't get notification when valve revokes your license, nor will you with other publishers such as blizzard. Took me 2 months to get an issue resolved with blizzard (didn't notice until after the revocation had occurred). While G2A resolved it amicably (after I reported it), I've not bought a game from them since. G2A is a fly-by-night company. If they went out of business tomorrow due to charge-backs, the owners walk away millionaires and leave you, or your credit card company, SOL.

    5. Re:Stolen? by timrod · · Score: 2

      They absolutely can. In late 2011, one of the graphics card manufacturers did a promotion where they bundled Steam keys for Dirt 3 (which was a $60 game at the time) with their cards. The exact delivery system involved something like entering a code from a piece of paper inside the card box into a thing on the manufacturer's site, which would then spit out a Steam key.

      Somewhere along the line, someone figured out that you could access a directory on the manufacturer's website that had a single .txt file with all of the keys (several thousand of them) listed inside. The list circulated around the internet, and as a result a whole bunch of people got the game for free. The manufacturer found out a few days later what had happened and went to Valve, who immediately began revoking the game from people's accounts. I don't know how far they actually got, since a couple of people I know who did it still have the game on their accounts today - though I think that might be because they figured out that some of the keys had been used by people who had actually bought the videocard and were now confused as to why access to their game had suddenly been revoked.

      The problem for Valve is that it's really hard to make a working policy on this sort of thing. Years ago, they used to lock or ban accounts for receiving gifted games that came from a stolen credit card or if the card used to make the purchase had been issued a chargeback. The problem there became that you'd have people banned for no reason other than that they accepted a gift from someone who later had their credit card stolen or had the charge disputed for some other reason. I can recall at least one instance where someone got banned trying to get around the censorship restrictions in Germany by having someone from the US buy them a US copy of the game.. only to find out that the person in the US was a minor using their parent's credit card and that the parent disputed the charge, resulting in a ban. They've since changed their policy slightly (in that they'll usually only ban the person who made the actual transaction and not the person who received the gift) but it's still imperfect.

      At the same time, Valve also had the same issues with Team Fortress 2 and Counterstrike: GO. There were numerous reported cases of Russian or Chinese credit card thieves using stolen credit cards to make in-game purchases (usually "keys" to unlock potentially valuable items) which they would then trade to an unsuspecting victim knowing that Valve was reluctant to delete in-game items once they'd been traded. The scammer would then take whatever they'd gotten in trade and sell it at a fraction of market value. There was one notable Russian scammer who was moving several thousand dollars in TF2 items a week this way. Valve's response to this was to introduce one of the most user-hostile systems ever invented: you either attach a phone number to your Steam account or become almost unable to trade with 20+ day waiting periods involved.

  2. Re:Serves them right by Anonymous Coward · · Score: 4, Informative

    There are *tons* of companies that get ripped off by this exact same thing (I work for one of them). The transaction goes through, and then *after* the person the card is stolen from finds out hours or maybe days later, a chargeback is issued and the steam keys are already long gone. You could try to put a 3 day waiting time or something on redeeming your keys but that is obviously incredibly user hostile and nobody would put up with it.

  3. Re:Serves them right by Anonymous Coward · · Score: 5, Informative

    I don't know about that. I got a nice email from my bank that someone had made a suspicious charge at a grocery store not too far from where I live. It said not to worry about it, and that they were investigating. I called the number on my card, and their security team did confirm they sent the email. They asked me to confirm a few charges I recently made as valid or not valid. A few weeks later, I got a letter in the mail that said they completed their investigation, and the entire charge was now void. I would not be responsible for it.

    So...maybe your bank just sucks ass.

  4. Re:Serves them right by TheNarrator · · Score: 2

    I worked for a company that had similar scam problems. These scammers are able to pull off these scams at absolutely massive scale and they've been doing it for years against everyone and anyone. They find any little rinky dink offer and exploit the living crap out of it. They have so much talent that you wonder why they don't conduct actual legitimate business.

  5. Game Dev here. by Anonymous Coward · · Score: 3, Interesting

    As a mid-tier indie Game Dev, with two titles on Steam, the key system is something I've never quite understood.

    It is a hold-over from box copy days. The box industry is still around in the third world, but outside of those few select countries why do keys still exist?

    My publisher hands out about five figures worth of keys to about 6 different legit places. After a year, hundreds of "retailers" have my game, all selling them for under Steam price. (Well under discount margin too.)

    Leaving out the credit card scamming. Someone can just purchase keys in Yuan or Baht or Rupiahs for 40-50% (Or more if the game is discounted) and resell them for 25% less than the steam price. Luckily they closed off Russian keys from being used by anyone but Russians.

    On top of this, Steam makes no money on keys. Zero. It's just a distro lock for them.

    The key system needs to be done away with. Replace it with an API that legit and official stores can use to grant users copies of games. Extend this API into the client for "gifting." If steam wants, charge a tiny fee for each API transaction from a vendor. More money in their pockets and the system doesn't really change. Allow ownership of multiple copies of a title and allow you to transfer these to other users (But you must always keep 1 copy.) This will allow bundles to still function as they did. If they just did that, it would close up the key black market and make everyone more money. (Except the folks buying on these black markets of course.)

    But knowing Steam. This won't ever happen. Hell I can't even send out an update without having 50-100 people having corrupt files issues which file verification doesn't fix. I hate telling people to uninstall my product (and reinstalling) to fix their problems.

    1. Re:Game Dev here. by ensignyu · · Score: 3, Informative

      Humble Bundle used to require you to sign into your Steam account and they would add the game directly to your account instead of giving you a key. It was originally keys, then the linking system, and then back to keys.

      I'm guessing that Valve disabled that API because they don't want to make the process of buying games outside of Steam as seamless as their own store.

    2. Re:Game Dev here. by Anonymous Coward · · Score: 2, Insightful

      "Someone can just purchase keys in Yuan or Baht or Rupiahs for 40-50% (Or more if the game is discounted) and resell them for 25% less than the steam price."

      Oh noes! Someone bought the game for a price you were willing to sell it for, and then sold it on.

      Why is it when companies/corporation take advantage of globalisation it's good. But when consumers take advantage via parallel imports, it's bad?

      Besides, steam has a region system (it's not just Russia) for preventing this if you really wanted to.

    3. Re:Game Dev here. by El_Muerte_TDS · · Score: 2

      Changes in Steam key redemption

      A little over a year ago, we launched OAuth Steam key redemption, creating one-click Steam key redemption for games purchased through Humble Bundle. However, Steam is removing support for OAuth, so we’ll be returning to the system we used before, which requires you to manually redeem your Steam keys.

      http://blog.humblebundle.com/p...

    4. Re:Game Dev here. by kav2k · · Score: 2

      Luckily they closed off Russian keys from being used by anyone but Russians.

      And that's why, as a Russian, I need keys to exist. After the ruble crash happened, Valve decided to region-lock activation of gifts from Russian accounts. And I have many friends outside the geofence.

      As a result, I have to use sources outside Steam to gift games to those friends (Humble, GMG, direct sales).

  6. Re:Serves them right by EzInKy · · Score: 2

    Why not have face to face stores then? It is much harder to steal from someone when you are looking them in the eye.

    --
    Time is what keeps everything from happening all at once.

  7. *Alleged* G2A involvement by Anonymous Coward · · Score: 3, Informative

    It should be noted that the dev is assuming that the keys were sold on G2A with no proof. The only claimed proof is purely based on coincidental listing timing, but that could be due to several factors.

    Also G2A offered to work with the dev, if they could provide examples of the allegedly stolen keys, and agree to revoke the keys (Which will drop the devs sales figure). Instead the dev chose to write a blog post accusing G2A of criminal activity (Facilitating the sale of stolen goods).

    Instead the problem here is that the dev failed to link keys to transactions, such that they could revoke keys that were subject to charge backs. This is the equivalent of accepting a promise to pay for goods, delivering those goods, and then blaming ebay because those goods were sold on to other people after the original seller fails to follow through on the original payment.

    The only failure here is the devs in providing safeguards against credit card fraud. But they sure do like getting a cheap shot in at 3rd parties that they don't like for other reasons.
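
Several comments above (Kjella's "links transaction id and game key on sale" / "invalidates game keys with chargeback", and the last comment's point about linking keys to transactions) describe the same control. The following is an added example, not code from TinyBuild, G2A or any commenter: a minimal key ledger in Python with SQLite that records which keys went out with which payment and revokes them when a chargeback arrives. The table layout, function names and sample ids are assumptions made for illustration.

```python
import sqlite3

SCHEMA = """
CREATE TABLE issued_keys (
    game_key TEXT PRIMARY KEY,
    txn_id   TEXT NOT NULL,                   -- payment processor transaction id
    status   TEXT NOT NULL DEFAULT 'active',  -- active | revoked
    redeemed INTEGER NOT NULL DEFAULT 0       -- 1 once activated on the platform
);
CREATE INDEX idx_keys_txn ON issued_keys(txn_id);
"""

def open_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def record_sale(conn, txn_id, keys):
    """Link every key delivered for a purchase to its transaction id."""
    with conn:
        conn.executemany("INSERT INTO issued_keys (game_key, txn_id) VALUES (?, ?)",
                         [(k, txn_id) for k in keys])

def mark_redeemed(conn, game_key):
    with conn:
        conn.execute("UPDATE issued_keys SET redeemed = 1 WHERE game_key = ?", (game_key,))

def handle_chargeback(conn, txn_id):
    """Revoke every still-active key of a charged-back transaction.

    Returns (unredeemed, redeemed): unredeemed keys are simply dead; redeemed
    ones still need a revocation request to the platform. Unknown or repeated
    notifications return two empty lists, so the handler is idempotent."""
    with conn:
        rows = conn.execute("SELECT game_key, redeemed FROM issued_keys WHERE txn_id = ?"
                            " AND status = 'active' ORDER BY game_key", (txn_id,)).fetchall()
        conn.execute("UPDATE issued_keys SET status = 'revoked' WHERE txn_id = ?"
                     " AND status = 'active'", (txn_id,))
    return [k for k, r in rows if not r], [k for k, r in rows if r]

def is_valid(conn, game_key):
    row = conn.execute("SELECT status FROM issued_keys WHERE game_key = ?",
                       (game_key,)).fetchone()
    return row is not None and row[0] == "active"

if __name__ == "__main__":
    db = open_ledger()  # all ids and keys below are constructed sample data
    record_sale(db, "TXN-1001", ["AAAAA-11111", "AAAAA-22222"])
    mark_redeemed(db, "AAAAA-22222")
    print(handle_chargeback(db, "TXN-1001"))
```

Splitting the result into unredeemed and redeemed keys reflects the case eWarz and timrod describe, where a key has already been activated by a second-hand buyer and revocation has to go through the platform.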