I've seen the discussions crop up on Hacker News before* of people starting commercial websites, getting hit with massive amounts of fraud, and either having to just shut down completely or shell out more of their margin for a third-party fraud prevention service. It's disgusting.
From the consumer's perspective it is nice that credit cards are easy to use, and that we are protected from bad merchants, thieves, etc. But we're putting a strangle on small business with this system. There are better ways that would both reduce fraud overall, thus saving consumers money, and not disproportionately penalize small businesses. It wouldn't make credit cards any harder to use.
On a tangent, Humble Bundle stopped accepting Bitcoin a year or two ago. Considering that Bitcoin can have a 0% fraud rate it makes it a somewhat odd move, especially since Humble Bundle is a really great target for fraud (the goods are easy to move). And no, I don't view Bitcoin as an ideal solution (as it exists today); it's on the opposite side of this problem, foisting fraud prevention onto the consumer. But from Humble Bundle's perspective (and any business, small or big) it is the perfect solution to preventing fraud.
* The ones I'm recalling are even more sad. They were getting hit by fraudsters who were just using their site to test the cards, before moving on to the actual fraud target(s). The end result is the same, though.
Bitcoin would be a great topic for another blog post, we have a really long love-hate relationship with it. Don't worry, Bitcoin support will hopefully return to our store and gaming bundles eventually. We know what we need to do to turn it back on (more or less, hook it into our SMS verification system) but we have many higher priority tasks to work on. We are hiring if you know anyone: https://jobs.humblebundle.com/careers/ :)
While bitcoin is great for preventing chargebacks, it is inherently anonymous. That is good for certain use cases, but when you are trying to enforce a strict per customer limit, it is a nightmare. We invested a lot of resources into doing what we can to combat it, but eventually we figured that we had more important things to do and had to tap out. Almost 100% of the bitcoin traffic was bad actors, and even so it was such a tiny fraction of our sales, like under 0.05%.
There are a lot of diehard bitcoin users, like yourself, and I would love to support your preferred payment method again, but it is an incredible amount of work to do safely.
[30 minutes later]
$1.00 email@example.com [1 second later]
$1.00 firstname.lastname@example.org [1 second later]
$1.00 email@example.com [1 second later]
$1.00 firstname.lastname@example.org [1 second later]
$1.00 email@example.com [1 second later]
Vultr, a VPS Host, accepts Bitcoins but started to require a valid credit card or Paypal purchase before accepting Bitcoins to prevent ToS violators who used Bitcoin.
The reality is that Bitcoin is less convenient than using a regular credit card (because, realistically, you're not going to be mining Bitcoin but rather you'll be buying Bitcoin using your regular credit card/bank account). I would argue that Bitcoin is also worse in every way (no chargebacks, wild fluctuations in the valuation of a unit of Bitcoin, etc.) if you also don't care about anonymity and the product you're buying is fully legal.
So it's like "providing an ID", and then paying. Even if bitcoin is not "anonymous" (pseudonymous), there's still the decentralised+cheap nature of it that's worthwhile.
edit: oh look downvoted for speaking my mind, go HN groupjerk
You want to limit to one super-cheap steam-key per person. So that's more of a "promotion" than a classic exchange. Corner case ;)
So: don't accept bitcoin payments, accept coinbase payments, but only one per coinbase account.
What's annoying as a customer is many companies flag legitimate transactions, wait a few days to say so, and then handle it poorly after the fact.
If by this you mean they don't notify you that the transaction was flagged until a few days later, that's (probably) part of the fraud prevention system. There was a post on HN similar to this one a while back about how another site handled fraud prevention. One of the most successful techniques they found was to delay notification. Fraudsters are less likely to target you if it takes them a long time to find out their transaction was declined. Credit card fraud is very much a hit and run operation, as the card is likely to quickly get flagged and blocked by the issuer within a few hours of the fraudsters using it.
That said, a few days is pretty bad and I imagine it really only takes a few hours delay to make the technique effective.
They have not removed Bitcoin. You can check the current Book bundles which do have Bitcoin enabled. In my experience, it tends to be disabled on publisher bundles like the current 2K and Revelmode Bundles. Probably the publishers not accepting Bitcoins.
I completely fail to understand why they seem to rather dislike it.
Don't most merchants just use something like a 'pay with bitpay / coinbase' which results in them directly getting cash? I can't imagine how that would be much worse?
This last time I tried to buy something with my credit card I accidentally mistyped the code on the back and they disabled it until I called the card issuer and gave them my SSN!
"Scan QR code, press Accept" is poor UX? You should see Visa's 3D secure, the thing that just makes me close the browser window whenever I see it, because it means I'm never getting the payment through.
Despite not being our fault, the CC companies withhold the cash for months....
It seems to be enabled on an individual bundle basis. While the main bundles going on right now are not accepting it, the two Book Bundles are accepting Bitcoins.
However it's always been the less noticeable button.
It doesn't take away from your main point, but credit card companies do have some incentive to improve. They want the customer not to be inconvenienced by having to report fraud in the first place, and they want to avoid having those people call the support staff. That's why banks monitor your activity and automatically decline transactions that seem fishy.
This practice is infuriating and does the opposite of encouraging me to call support less.
That is, you can prove ownership of a Bitcoin address, but you can't prove that you don't own an address.
how is that meaningfully worse than your proposed solution, paying the CC processor for fraud-prevention?
GitHub had an issue with this IIRC.
Is this a normal service that Paypal and Stripe provide to their customers, or is this something that Humble pays extra for/gets as a bonus for being a high volume customer?
If you are founded by well known vc's with connections (to management at Paypal or Stripe), then yes you have this extra service at cost or rather as a favor.
For anyone else, you need to pray PayPal won't decide one day to ban you and freeze your assets for good reason or no reason at all. Or just call their toll-free line...
Was Humble founded by well-known VCs with connections? If it was, I didn't know that either.
(as an aside: Stripe integrations are amazingly easy to do. Stripe Dashboard is the canonical example of "API as a dashboard". Everything you think is possible in the API is doable through the UI)
If you look "underground" you'll find hundreds of thousands of forum posts selling keys that are from, you guessed it, HumbleBumble; they're also not shy about citing their sources. In fact, I'd say that more than 75% of all "carded" steam keys are from HumbleBundle, if not more.
Nobody else has the ease of ordering and uses Stripe (pathetic antifraud — which this post alludes to. More about that in my comment history); SMS verification isn't all that grandiose either.
Does this stop the "buys cards casually, doesn't make a career out of it" carder? Sure does. But they're not the ones companies and individuals need to worry about. It's the guys who are making $250, $500, $1000, $2500 a day that you need to worry about.
I'll say this every time the subject of fraud comes up: Do not trust your processor to do anything for you. They have little-to-no interest in protecting you. Hire a nerd to school you on fraud; if you have massive transaction volume, hire that nerd to help train some models on fraud. But do not, and I mean do not fucking trust your processor.
For example a model trained using historical data will flag too many orders during a sale that brings a spike in legitimate order volume. This can be mitigated somewhat by feeding into the model volume indicators such as time of day and day of week.
For gaming however the organized fraud rings typically hit en masse. The largest ring that I saw went from zero to 3000 to 4000 attempts a day in a week. A model tuned at the peak would reject too many orders on a typical day and vice-versa.
The other challenge is that all statistical models rely on IID assumptions which means that the attacker isn't supposed to "learn" between attacks. For the typical smash and grab jobs seen with physical goods this (roughly) holds true but completely falls down with organized fraud rings in gaming. Any competent attacker will quickly see when his success rate drops and change tactics or increase attacks when the success rates rise.
The result is that a model that takes a week to build can decay in a matter of days or hours. I use DataRobot which can automate model building and you can combine short term and long term models in your strategy but it's still a struggle.
Historically the patch has been to limit velocity based on a specific data point that was hard to change but one-by-one they have fallen. Credit cards, email addresses, ip addresses, device IDs and now phone numbers. Each is successful for a while but it's an arms race. For example the largest attacks that I've seen utilized 100,000+ computers over a three month period and 300,000+ credit cards. The attackers had the ability to login to the machines using remote-desktop like software to evade device ID limits.
Getting good results against these types of attacks requires a multi-layered defense but if there was a magic bullet it wouldn't be with classifiers but with anomaly detection. The problem domain is closer to detecting a hacker inside a network or a disease outbreak.
This particular problem is hard and DARPA has thrown lots of money at a lot of people looking for solutions. At the turn of the century it was intrusion detection and after 9/11 it was bio-terror. After years of research none of these have resulted in commercial products because the false positive rates are always too high.
I second not trusting your payment partners to manage fraud for you. For low price games it's possible to be fined and lose your merchant account even when your internal chargeback reports don't show a problem. In some cases the card issuing bank may not issue a chargeback (and absorb the loss) but will still report it to Visa/MasterCard.
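The multi-dimension velocity limit described in the comment above (per card, email, IP, device ID and phone number), as an added Python example that is not Humble Bundle's or the commenter's own code; the limit values and the sample attempts are constructed assumptions, and the burst mimics the one-per-second $1.00 card-testing pattern quoted earlier in the thread:

```python
from collections import defaultdict, deque

# Per-dimension velocity limits: (window seconds, max attempts in window).
# Constructed illustrative values, not any real merchant's settings.
LIMITS = {"card": (3600, 2), "email": (3600, 3), "ip": (600, 4),
          "device": (3600, 5), "phone": (86400, 2)}


class VelocityLimiter:
    """Sliding-window attempt counter per (dimension, value).

    Every attempt is counted under each identifier it carries, so rotating
    cards and emails alone still trips the IP, device or phone dimension.
    """

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.windows = defaultdict(deque)  # (dim, value) -> timestamps

    def check(self, ts, attempt):
        """Record one attempt at time ts; return dimensions now over limit."""
        exceeded = []
        for dim, (window, maximum) in self.limits.items():
            value = attempt.get(dim)
            if value is None:
                continue
            q = self.windows[(dim, value)]
            while q and ts - q[0] >= window:  # drop events outside the window
                q.popleft()
            q.append(ts)
            if len(q) > maximum:
                exceeded.append(dim)
        return exceeded


def screen(attempts):
    """Run (ts, fields) attempts in order; return [(ts, dims)] for each hit."""
    limiter = VelocityLimiter()
    return [(ts, hit) for ts, fields in attempts if (hit := limiter.check(ts, fields))]


# Constructed sample: one legitimate buyer, then a card-testing burst that
# rotates card and email every second from a single device and IP.
SAMPLE = [(0, {"card": "c-legit", "email": "a@example.com",
               "ip": "198.51.100.7", "device": "d-legit"})]
SAMPLE += [(100 + i, {"card": f"c-{i}", "email": f"u{i}@example.com",
                      "ip": "203.0.113.9", "device": "d-farm"}) for i in range(7)]

if __name__ == "__main__":
    for ts, dims in screen(SAMPLE):
        print(f"t={ts}s over limit on {dims}")
```

The legitimate purchase never trips a limit, while the burst is caught on the IP dimension at the fifth attempt and on the device dimension at the sixth, even though every card and email in it is fresh.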
> which means that the attacker isn't supposed to "learn" between attacks
Those are key takeaways and I'm glad someone else (on this side of the job) understands it.
It's a hard problem for anyone to solve. Not to self-promote, but I'm working on something that doesn't rely on machine learning; instead, it's focusing on patterns.
Because I used to be that guy that you worried about. Now, I'm the guy that the guys that you worry about worry about.
I wish you luck and if you succeed I'm sure that there will be some three letter agencies knocking on your door. I've had some luck using off-the-shelf clustering algorithms but they are too CPU intensive to run real time and require an investigator to interpret (great productivity boost though).
A day or two later, they contacted me, asking for confirmation of some info (my phone number, I think), then another email saying they couldn't confirm some of my payment details, etc. ... and then followed a two-week-long back-&-forth with customer service, trying to get them to take my money.
After two weeks of this, they decided to cancel the order, said I needed to re-place the order from scratch ... except by then, the package I had originally ordered was no longer available. They're very sorry for the inconvenience, but fuck me.
I want to emphasize that I had a credit card and two different debit cards, all valid forms of payment, in my name, that I've used at various times to order things online. To this day, I have no idea what the problem was, as they never told me.
tl;dr: HB stops online fraud by (I guess) erring on the side of caution, and periodically alienating legitimate customers. Now I will never shop there again, and routinely warn others not to.
The trick here is that stronger fraud protections have to come from the places that have more information: When dealing with credit cards, fraud can happen in any direction: merchant fraud, customer fraud, third party with a cloned card, and even merchants with cloned cards: All trying to defraud someone, and with no one party having all the important fraud related information.
Therefore, in practice, fraud detection is a multi-pronged approach. What is true is that we shouldn't ask anyone grossing less than 100 million a year to have to do any fraud detection: Their online credit card processor should be doing a whole lot of the work, if not all the work, for them, if just because they are ill equipped to deal with the problem. Having to hire yet another company to wrap their own fraud detection tooling around your credit card processing just sounds like making it way too hard to run a profitable online business.
Still, my only real complaint about HB is that they seem to want to create another GOG or something - most of their mails now are pretty much spammy, advertising the same deals on "regular store" over and over again. I used to be excited when I got a mail from them because it meant another cool bundle. Now it's mostly store promotions.
> most of their mails now are pretty much spammy, advertising the same deals on "regular store" over and over again
You know, I see the same thing. But this spurred me to look, and their account settings allow you to customize exactly what types of promotions you want to be emailed about, so there's relief for both of us.
2: Although the 5th bundle offered a prior bundle, the Frozenbyte bundle, if you paid over the average, so you could count that.
As for the early bundles, I recall paying attention to the first two-three, then ignoring them for a few years, and only coming back to them around a year ago.
Before they started that I purchased every (or at least almost every) bundle for 20-30 dollars, but I haven't bought one since.
Fraud may be a bad word for that, but reading through the "biggest buyers" lists leaves a bad taste in my mouth.
Not everybody owns a mobile phone (I, for example, don't have and don't want such a bugging device). In my opinion requiring a mobile phone is thus a dangerous idea.
To be quite frank you're too small and too troublesome of a group to cater to.
Ah, disintermediation, how we love thee ...
(What was the line about pushed out the door, back through the window?)
In the future, though, please email firstname.lastname@example.org about stuff like this, as the site guidelines ask. That's the only way to be sure we'll see it. Fortunately someone did send an email; without that, we'd probably never have seen this, and we can't take action about things we don't see.
Anytime you ever think "you can just" the answer is almost always no. No you cannot just...
The comic is making fun of physicists, but honestly, programmers are as bad or worse.