
How Humble Bundle stops online fraud - walterbell
http://developer.humblebundle.com/post/147806409802/humble-fraud
======
fpgaminer
This is one of the big casualties of the American credit card conglomerates'
failure to focus on reducing fraud. They get paid regardless of whether a
transaction is fraudulent or not, so they have no incentive to improve. The
result is that this burden gets dropped on merchants, requiring both man-hours
and cost, and it disproportionately affects smaller companies. It basically
amounts to a tax by the merchant processors on small businesses, for no
benefit to anyone but themselves.

I've seen the discussions crop up on Hacker News before* of people starting
commercial websites, getting hit with massive amounts of fraud, and either
having to just shutdown completely or shell out more of their margin for a
third party fraud prevention service. It's disgusting.

From the consumer's perspective it is nice that credit cards are easy to use,
and that we are protected from bad merchants, thieves, etc. But we're putting
a strangle on small business with this system. There are better ways that
would both reduce fraud overall, thus saving consumers money, and not
disproportionately penalize small businesses. It wouldn't make credit cards
any harder to use.

On a tangent, Humble Bundle stopped accepting Bitcoin a year or two ago.
Considering that Bitcoin can have a 0% fraud rate it makes it a somewhat odd
move, especially since Humble Bundle is a really great target for fraud (the
goods are easy to move). And no, I don't view Bitcoin as an ideal solution (as
it exists today); it's on the opposite side of this problem, foisting fraud
prevention onto the consumer. But from Humble Bundle's perspective (and any
business, small or big) it is the perfect solution to preventing fraud.

* The ones I'm recalling are even more sad. They were getting hit by fraudsters who were just using their site to test the cards, before moving on to the actual fraud target(s). The end result is the same, though.

~~~
jeff18
Humble founder here.

Bitcoin would be a great topic for another blog post, we have a really long
love-hate relationship with it. Don't worry, Bitcoin support will hopefully
return to our store and gaming bundles eventually. We know what we need to do
to turn it back on (more or less, hook it into our SMS verification system)
but we have many higher priority tasks to work on. We are hiring if you know
anyone:
[https://jobs.humblebundle.com/careers/](https://jobs.humblebundle.com/careers/)
:)

While bitcoin is great for preventing chargebacks, it is inherently anonymous.
That is good for certain use cases, but when you are trying to enforce a
strict per customer limit, it is a nightmare. We invested a lot of resources
into doing what we can to combat it, but eventually we figured that we had
more important things to do and had to tap out. Almost 100% of the bitcoin
traffic was bad actors, and even so it was such a tiny fraction of our sales,
like under 0.05%.

There are a lot of diehard bitcoin users, like yourself, and I would love to
support your preferred payment method again, but it is an incredible amount of
work to do safely.

~~~
akavel
Curious how do you know they were bad actors, given the anonymity? Were those
some known stolen bitcoin wallets or something? Sorry if the answer is
obvious, I'm not a bitcoin user.

~~~
jeff18
Good bitcoin purchases:

    $22 soandso@gmail.com
    [30 minutes later]
    $50 someone@real-company.com
    [30 minutes later]
    $15 person@real-company.com
    etc.

Bad bitcoin purchases:

    $1.00 asdfklasdklfm1@yahoo.com [1 second later]
    $1.00 asdfklasdklfm2@yahoo.com [1 second later]
    $1.00 asdfklasdklfm3@yahoo.com [1 second later]
    $1.00 asdfklasdklfm4@yahoo.com [1 second later]
    $1.00 asdfklasdklfm5@yahoo.com [1 second later]
    etc.

(cue removal of bitcoin)
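
The good/bad order streams above, as an added example that is not the commenter's or Humble Bundle's code: a velocity check that flags a burst of same-amount orders from near-identical email addresses. The sample orders are constructed to match the two lists; the window and burst size are assumed defaults.

```python
import re
from datetime import datetime, timedelta

# Constructed sample orders: (timestamp, amount in USD, email), shaped like
# the two lists in the comment. Not real Humble Bundle data.
T0 = datetime(2016, 7, 18, 12, 0, 0)
GOOD_ORDERS = [
    (T0, 22.00, "soandso@gmail.com"),
    (T0 + timedelta(minutes=30), 50.00, "someone@real-company.com"),
    (T0 + timedelta(minutes=60), 15.00, "person@real-company.com"),
]
BAD_ORDERS = [
    (T0 + timedelta(minutes=5, seconds=i), 1.00, f"asdfklasdklfm{i + 1}@yahoo.com")
    for i in range(5)
]


def email_stem(email):
    """Local part, lower-cased, with trailing digits removed, so that
    asdfklasdklfm1 ... asdfklasdklfm5 all collapse to one stem."""
    local = email.split("@", 1)[0].lower()
    return re.sub(r"\d+$", "", local)


def burst_orders(orders, window=timedelta(seconds=10), min_burst=3):
    """Return the orders that belong to a burst: at least `min_burst` orders
    with the same amount and the same email stem arriving within `window`.

    Volume alone is not the signal (a sale produces volume too); the signal
    is identical amounts plus templated addresses arriving at machine speed.
    """
    orders = sorted(orders)
    flagged = set()
    for i, (ts, amount, email) in enumerate(orders):
        stem = email_stem(email)
        run = [i]
        for j in range(i + 1, len(orders)):
            ts_j, amount_j, email_j = orders[j]
            if ts_j - ts > window:
                break  # sorted by time: nothing later can be in the window
            if amount_j == amount and email_stem(email_j) == stem:
                run.append(j)
        if len(run) >= min_burst:
            flagged.update(run)
    return [orders[i] for i in sorted(flagged)]


if __name__ == "__main__":
    for label, batch in (("good", GOOD_ORDERS), ("bad", BAD_ORDERS)):
        print(label, [email for _, _, email in burst_orders(batch)])
```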

~~~
ThatPlayer
Have you considered allowing them if you have a valid credit card on file? For
example, I'm currently a Humble Monthly subscriber, which already gives me a
one-click purchase option through the credit card on file.

Vultr, a VPS Host, accepts Bitcoins but started to require a valid credit card
or Paypal purchase before accepting Bitcoins to prevent ToS violators who used
Bitcoin.

~~~
kevindong
But would that not defeat the purpose of Bitcoin (don't need to interact with
the massive financial institutions, anonymity, etc.)?

~~~
samb1729
It's not necessarily the case that someone would want to use Bitcoin for
anonymity, it might just be a more convenient payment method or something
else. Doesn't hurt to give people more places to spend their Bitcoin even if
the circumstances are less than ideal.

~~~
kevindong
In what way can Bitcoin be considered a meaningful alternative (however you
define it) if you also have to input a valid credit card number (that,
presumably, the merchant will run the traditional $1 verification charge on)?

The reality is that Bitcoin is less convenient than using a regular credit
card (because, realistically, you're not going to be mining Bitcoin but rather
you'll be buying Bitcoin using your regular credit card/bank account). I would
argue that Bitcoin is also worse in every way (no chargebacks, wild
fluctuations in the valuation of a unit of Bitcoin, etc.) if you also don't
care about anonymity and the product you're buying is fully legal.

~~~
rtpg
CC serves as verification. Bitcoin has less fees.

So it's like "providing an ID", and then paying. Even if bitcoin is not
"anonymous" (pseudonymous), there's still the decentralised+cheap nature of it
that's worthwhile.

~~~
traviscj
Fees argument doesn't really hold water because authorizations cost money
too, even if subsequently voided.

------
justinlardinois
> We even have shared Slack channels with Paypal and Stripe so that as we see
> problems, we work together in real time to diagnose, fix, and improve our
> joint system together.

Is this a normal service that Paypal and Stripe provide to their customers, or
is this something that Humble pays extra for/gets as a bonus for being a high
volume customer?

~~~
joering2
I think you're not this naive and you are joking, but I will bite...

If you are founded by well known vc's with connections (to management at
Paypal or Stripe), then yes you have this extra service at cost or rather as a
favor.

For anyone else, you need to pray PayPal won't decide one day to ban you and
freeze your assets for good reason or no reason at all. Or just call their
toll-free line...

~~~
jeff18
For what it's worth, we had an awesome 24/7 account manager with PayPal back
when we were 100% bootstrapped. I think it's more about volume than Silicon
Valley connections.

------
joshmn
As much as I'd like to believe their numbers, something seems off.

If you look "underground" you'll find hundreds of thousands of forum posts
selling keys that are from, you guessed it, HumbleBumble; they're also not shy
about citing their sources. In fact, I'd say that more than 75% of all
"carded" steam keys are from HumbleBundle, if not more.

Nobody else has the ease of ordering and uses Stripe (pathetic antifraud —
which this post alludes to. More about that in my comment history); SMS
verification isn't all that grandiose either.

Does this stop the "buys cards casually, doesn't make a career out of it"
carder? Sure does. But they're not the ones companies and individuals need to
worry about. It's the guys who are making $250, $500, $1000, $2500 a day that
you need to worry about.

I'll say this every time the subject of fraud comes up: Do not trust your
processor to do anything for you. They have little-to-no interest in
protecting you. Hire a nerd to school you on fraud; if you have massive
transaction volume, hire that nerd to help train some models on fraud. But do
not, and I mean do not fucking trust your processor.

~~~
slv77
I build/train models for high transaction volume. The real struggle for gaming
fraud specifically is that the data is typically non-stationary. I came into
my job without formal training in machine learning so I may have the
terminology wrong but essentially the machine learning models are typically
learning distributions over time. Meaning that this combination of features
typically has this ratio of fraud to legitimate orders and assumes those
ratios will hold in the future.

For example a model trained using historical data will flag too many orders
during a sale that brings a spike in legitimate order volume. This can be
mitigated somewhat by feeding into the model volume indicators such as time of
day and day of week.

For gaming however the organized fraud rings typically hit en-masse. The
largest ring that I saw went from zero to 3000 to 4000 attempts a day in a
week. A model tuned at the peak would reject too many orders on a typical day
and vice-versa.

The other challenge is that all statistical models rely on IID assumptions
which means that the attacker isn't supposed to "learn" between attacks. For
the typical smash and grab jobs seen with physical goods this (roughly) holds
true but completely falls down with organized fraud rings in gaming. Any
competent attacker will quickly see when his success rate drops and change
tactics or increase attacks when the success rates rise.

The result is that a model that takes a week to build can decay in a matter of
days or hours. I use DataRobot which can automate model building and you can
combine short term and long term models in your strategy but it's still a
struggle.

Historically the patch has been to limit velocity based on a specific data
point that was hard to change but one-by-one they have fallen. Credit cards,
email addresses, ip addresses, device IDs and now phone numbers. Each is
successful for a while but it's an arms race. For example the largest attacks
that I've seen utilized 100,000+ computers over a three month period and
300,000+ credit cards. The attackers had the ability to login to the machines
using remote-desktop like software to evade device ID limits.

Getting good results against these types of attacks requires a multi-layered
defense but if there was a magic bullet it wouldn't be with classifiers but
with anomaly detection. The problem domain is closer to detecting a hacker
inside a network or a disease outbreak.

This particular problem is _hard_ and DARPA has thrown lots of money at a lot
of people looking for solutions. At the turn of the century it was intrusion
detection and after 9/11 it was bio-terror. After years of research none of
these have resulted in commercial products because the false positive rates
are always too high.

I second not trusting your payment partners to manage fraud for you. For low
price games it's possible to be fined and lose your merchant account even when
your internal chargeback reports don't show a problem. In some cases the card
issuing bank may not issue a chargeback (and absorb the loss) but will still
report it to Visa/MasterCard.
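
As an added example of the anomaly-detection framing above (not the commenter's code, and not DataRobot's): a daily attempt count is compared against an exponentially weighted baseline that is frozen while an anomaly is running, next to the fixed threshold that a model tuned at the peak amounts to. The daily counts are constructed to mimic the ramp described; alpha, the warm-up period and the multiplier are assumed defaults.

```python
# Constructed daily counts of purchase attempts from one source, shaped like
# the ramp in the comment (not real data): a quiet week, then an organized
# ring going from near zero to thousands of attempts a day within a week.
DAILY_ATTEMPTS = [12, 9, 15, 11, 10, 14, 12,
                  40, 200, 800, 1800, 3000, 3600, 4000]


def ewma_anomalies(counts, alpha=0.3, warmup=5, factor=3.0, min_delta=20):
    """Return the indices of days whose count is anomalous against an
    exponentially weighted moving average of the preceding normal days.

    A day is anomalous when it exceeds both `factor` times the baseline and
    the baseline plus `min_delta` (the absolute floor keeps 3 -> 10 from
    alerting). Anomalous days are not folded into the baseline, so a
    week-long ramp cannot teach the detector that 4000 a day is normal,
    which is the non-stationarity trap a continuously retrained classifier
    walks into.
    """
    baseline = None
    flagged = []
    for day, count in enumerate(counts):
        if baseline is None:
            baseline = float(count)  # seed from the first observed day
            continue
        if day >= warmup and count > max(factor * baseline, baseline + min_delta):
            flagged.append(day)
            continue  # do not learn from attacker-shaped data
        baseline = alpha * count + (1.0 - alpha) * baseline
    return flagged


def days_over(counts, threshold):
    """Fixed-threshold rule: the daily-volume equivalent of a model tuned at
    the peak. It only fires once the ring is already at full volume."""
    return [day for day, count in enumerate(counts) if count > threshold]


if __name__ == "__main__":
    print("ewma flags days:", ewma_anomalies(DAILY_ATTEMPTS))
    print("peak-tuned threshold (3000) flags days:", days_over(DAILY_ATTEMPTS, 3000))
```

The EWMA rule flags the ramp from its first day (40 attempts), whereas the peak-tuned threshold only fires on the last two days.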

~~~
joshmn
> The largest ring that I saw went from zero to 3000 to 4000 attempts a day in
> a week.

> which means that the attacker isn't supposed to "learn" between attacks

Those are key takeaways and I'm glad someone else (on this side of the job)
understands it.

It's a hard problem for anyone to solve. Not to self-promote, but I'm working
on something that doesn't rely on machine learning; instead, it's focusing on
patterns.

Because I used to be that guy that you worried about. Now, I'm the guy that
the guys that you worry about worry about.

~~~
slv77
Takes a thief to catch a thief I guess? ;-)

I wish you luck and if you succeed I'm sure that there will be some three
letter agencies knocking on your door. I've had some luck using off-the-shelf
clustering algorithms but they are too CPU intensive to run real time and
require an investigator to interpret (great productivity boost though).

------
spiraldancing
Personal anecdote here ... I bought a book bundle a few months ago
(ironically, a "Hacker" bundle). Transaction went through, no problems.

A day or two later, they contacted me, asking for confirmation of some info
(my phone number, I think), then another email saying they couldn't confirm
some of my payment details, etc. ... and then followed a two-week-long
back-&-forth with customer service, trying to get them to take my money.

After two weeks of this, they decided to cancel the order, said I needed to
re-place the order from scratch ... except by then, the package I had
originally ordered was no longer available. They're very sorry for the
inconvenience, but fuck me.

I want to emphasize that I had a credit card and two different debit cards,
all valid forms of payment, in my name, that I've used at various times to
order things online. To this day, I have no idea what the problem was, as they
never told me.

tl;dr: HB stops online fraud by (I guess) erring on the side of caution, and
periodically alienating legitimate customers. Now I will never shop there
again, and routinely warn others not to.

~~~
jeff18
Could you please email me at jeff@humble.com so I can debug this? I'm sorry
that we failed you so badly.

~~~
spiraldancing
Email sent. Thank you. Very nice to see the founder of a business personally
following up on things like this. This already goes a long way towards
restoring my faith in your company.

------
wmf
Coincidentally, the Rimworld developers recently got hit with this type of
fraud: [https://ludeon.com/blog/2016/07/steam-key-giving-stopped-for-new-buyers/](https://ludeon.com/blog/2016/07/steam-key-giving-stopped-for-new-buyers/)

------
tux1968
5% of gross sale price is a lot. That represents a huge portion of our margin.
As others have said here, fraud protection should be an inherent component of
credit cards, and not tacked on by humble bundle or anyone else.

~~~
iamcreasy
Steam takes 30%. Isn't HB charging very small amount?

~~~
tux1968
They are providing a captive market and a delivery platform, not just payment
protection.

------
andrewclunn
I love the Humble store. I got really worried after learning about these
second hand key stores and fraud, that this might be a venue by which they
acquired the keys with stolen credit cards. Glad to know that the Humble Store
isn't merely aware of this practice but actively taking steps to stop it.

------
TeMPOraL
I wonder how Humble Bundle will stop "developer fraud" - if you look at the
list of people who paid the most for a bundle, it seems that often developers
themselves will buy bundles for some higher than typical sums to quickly
inflate the average price...

~~~
kbenson
I'm not sure how it is _now_, but in the beginning it was well known
developers (and not necessarily related to the titles involved, such as notch)
paying lots of money not to inflate the price specifically, but to support the
charities involved (and you can choose the amount that goes to the charities).
Then again, a higher average price helps the charities as long as the total
amount spent is higher, so maybe that is part of the goal, but for altruistic
reasons.

~~~
TeMPOraL
I don't remember exactly how the very early bundles were set up, but the first
ones I think were purely "pay what you want" and didn't have the "pay more
than average to unlock" mechanic. It seemed... cleaner back then.

Still, my only real complaint about HB is that they seem to want to create
another GOG or something - most of their mails now are pretty much spammy,
advertising the same deals on "regular store" over and over again. I used to
be excited when I got a mail from them because it meant another cool bundle.
Now it's mostly store promotions.

~~~
kbenson
I think the pay over the average was very early. According to wikipedia[1] it
was the 6th bundle[2], 17 months after the initial one. Bundles were offered
much less often back then.

> most of their mails now are pretty much spammy, advertising the same deals
> on "regular store" over and over again

You know, I see the same thing. But this spurred me to look, and their account
settings[3] allow you to customize exactly what types of promotions you want
to be emailed about, so there's relief for both of us.

1:
[https://en.wikipedia.org/wiki/List_of_Humble_Bundles](https://en.wikipedia.org/wiki/List_of_Humble_Bundles)

2: Although the 5th bundle offered a prior bundle, the Frozenbyte bundle, if
you paid over the average, so you could count that.

3:
[https://www.humblebundle.com/user/settings](https://www.humblebundle.com/user/settings)

~~~
TeMPOraL
Thanks for the 3.! I fixed my mailing settings.

As for the early bundles, I recall paying attention to the first two-three,
then ignoring them for few years, and only coming back to them around a year
ago.

------
Jaymoon85
Meanwhile, try to purchase a copy of a Humble Bundle for yourself, and one as
a gift to a friend using the same card, and suddenly STOP! DO NOT PASS GO.

------
akavel
Anyone knows if the situation is similar or different on GOG and itch.io? It's
sure a good, valuable (because informative) marketing piece by Humble, but if
anyone can chime in with info about the competition, potential users among us
could benefit even more!

------
wolfgke
Concerning "Step 2 - SMS Verification"

Not everybody owns a mobile phone (I, for example, don't have and want such a
bugging device). In my opinion requiring a mobile phone is thus a dangerous
idea.

~~~
Teever
Then you or anyone else without a cellphone is simply not a customer they
consider worth having.

To be quite frank you're too small and too troublesome of a group to cater to.

~~~
wolfgke
It is a dangerous idea to annoy members of quite vocal groups - especially as
a company...

~~~
orcdork
You're willing to go through the hassle of not having a mobile phone, but you
complain about your choice making it difficult for you to purchase extremely
cheap software?

------
B1FF_PSUVM
> free to build and only cost 5% of each transaction

Ah, disintermediation, how we love thee ...

(What was the line about pushed out the door, back through the window?)

------
vageli
Looks like we've got some shills in this thread: vizza, kearneyface, and
antonplus all posted with the same, verbatim comment:
[http://i.imgur.com/P2adbAh.png](http://i.imgur.com/P2adbAh.png),
[http://i.imgur.com/C4DUgTy.png](http://i.imgur.com/C4DUgTy.png),
[http://i.imgur.com/aKY91bN.png](http://i.imgur.com/aKY91bN.png)

~~~
fbonetti
Only vizza and antonplus posted the same verbatim comment. Could just be the
same person, different accounts. The accounts were created a long time ago as
well. Doesn't look like shilling.

~~~
AceJohnny2
But then vizza posted the same comment as kearneyface (or vice-versa), as
evidenced by the second and third screenshots.

~~~
fbonetti
Oh wow you're right. How bizarre.

