Humble Bundle on battling fraud and why you should buy from stores with a “relationship with the developer”

Humble Bundle

Cheap game keys are a hot topic right now, particularly when it comes to fraudulent purchases and chargebacks for developers. You may have noticed some digital stores have managed to stay out of the headlines on this topic, particularly Humble Bundle, the good guys who sell keys for good prices and for a good cause. They’re very good, and now they’re speaking up about game key reselling and how they tackle the unscrupulous. 

What’s better than cheap? Our list of the best free games, for a start.

In a recent blog post, Humble say they’ve “invested heavily” in anti-fraud technology and they lay out all the steps they’re taking to fight for this worthy cause.

“Our first line of defense is a machine-learning-based anti-abuse startup called Sift Science, which we’ve been training for years across 55,000,000 transactions,” says Humble about the not-so-humble numbers. “Given how many orders we process, Sift Science has a really good idea when someone is up to no good. The model adapts daily as we get more data.

“If the transaction risk is high, we ask the user to verify their phone number through SMS. This helps us confirm that our legit customers are who they say they are. We are able to ban fraudsters by phone numbers, which substantially raises the cost of attacking us. This can be annoying for legitimate customers, but thanks to our machine learning, only a tiny fraction get flagged for verification.”

If the transaction still looks dodgy, the company escalates it to a manual review. Here customer services check through the transaction and the customer’s transaction history, among other things. Transactions will be blocked only if they’re sure, as “the only thing worse than fraudsters is blocking legitimate customers from getting their game”, which is another thing I have a lot of time for.

Beyond these methods, captchas stop any cheeky robot robbers, while limit rates make sure the amount of games stolen stays humble. “So they might be able to steal two copies of a game,” Humble say, “but they’ll need to steal another credit card to steal the third. We were among the first test cases for Google’s latest captcha implementation.

“We’re diligent about cancelling orders and the included digital goods when the rare transaction slips by us. Sometimes we find related transactions during a manual review, or even more rarely, a purchase results in a chargeback. When that happens, we cancel the order, revoke the download page and the Steam, uPlay, or Origin keys associated with that order. We send those keys back to the developer or publisher, and to the platform owner (Valve / Ubisoft / EA). The person holding that key loses access to the game. If they purchased it from a reseller, that means the reseller’s reputation is diminished.”

It’s a daily job that has lots of resources pointed at it – the methods are always being tweaked and improved, just as the tactics of fraudsters change with the times.

“We have great relationships with our payment processors,” explain Humble. “We even have shared Slack channels with PayPal and Stripe so that as we see problems, we work together in real time to diagnose, fix, and improve our joint system together.”

These efforts have seen fraud reduced to a “tiny fraction of all the transactions” on Humble Bundle. Of course, not everywhere you buy from is quite as diligent, so what can you do to make sure the right person gets the money for your purchase? “Purchase from stores that have a known relationship with the developer or publisher, like the Humble Store,” say Humble. “If you get caught in one of these fraud checks, we apologise.

“It’s an unfortunate necessity to protect our developers’ products. We ask for your patience while we work it out and forgiveness if we make a mistake. This most commonly happens to customers who are new or spending a lot in a short period of time.”

This follows the recent controversy with key resellersG2A and developers speaking up against them.G2A have taken some steps to changealready, but whether it’s enough just yet remains to be seen.