This is one of the big casualties of the American credit card conglomerates' failure to focus on reducing fraud. They get paid regardless of whether a transaction is fraudulent or not, so they have no incentive to improve. The result is that this burden gets dropped on merchants, requiring both man-hours and cost, and it disproportionately affects smaller companies. It basically amounts to a tax by the merchant processors on small businesses, for no benefit to anyone but themselves.
I've seen the discussions crop up on Hacker News before* of people starting commercial websites, getting hit with massive amounts of fraud, and either having to just shut down completely or shell out more of their margin for a third party fraud prevention service. It's disgusting.
From the consumer's perspective it is nice that credit cards are easy to use, and that we are protected from bad merchants, thieves, etc. But we're putting a strangle on small business with this system. There are better ways that would both reduce fraud overall, thus saving consumers money, and not disproportionately penalize small businesses. It wouldn't make credit cards any harder to use.
On a tangent, Humble Bundle stopped accepting Bitcoin a year or two ago. Considering that Bitcoin can have a 0% fraud rate it makes it a somewhat odd move, especially since Humble Bundle is a really great target for fraud (the goods are easy to move). And no, I don't view Bitcoin as an ideal solution (as it exists today); it's on the opposite side of this problem, foisting fraud prevention onto the consumer. But from Humble Bundle's perspective (and any business, small or big) it is the perfect solution to preventing fraud.
* The ones I'm recalling are even more sad. They were getting hit by fraudsters who were just using their site to test the cards, before moving on to the actual fraud target(s). The end result is the same, though.
Bitcoin would be a great topic for another blog post; we have a really long love-hate relationship with it. Don't worry, Bitcoin support will hopefully return to our store and gaming bundles eventually. We know what we need to do to turn it back on (more or less, hook it into our SMS verification system) but we have many higher priority tasks to work on. We are hiring if you know anyone: https://jobs.humblebundle.com/careers/ :)
While bitcoin is great for preventing chargebacks, it is inherently anonymous. That is good for certain use cases, but when you are trying to enforce a strict per customer limit, it is a nightmare. We invested a lot of resources into doing what we can to combat it, but eventually we figured that we had more important things to do and had to tap out. Almost 100% of the bitcoin traffic was bad actors, and even so it was such a tiny fraction of our sales, like under 0.05%.
There are a lot of diehard bitcoin users, like yourself, and I would love to support your preferred payment method again, but it is an incredible amount of work to do safely.
Curious, how do you know they were bad actors, given the anonymity? Were those some known stolen bitcoin wallets or something? Sorry if the answer is obvious, I'm not a bitcoin user.
$1.00 asdfklasdklfm1@yahoo.com [1 second later]
$1.00 asdfklasdklfm2@yahoo.com [1 second later]
$1.00 asdfklasdklfm3@yahoo.com [1 second later]
$1.00 asdfklasdklfm4@yahoo.com [1 second later]
$1.00 asdfklasdklfm5@yahoo.com [1 second later]
etc.
Have you considered allowing them if you have a valid credit card on file? For example, I'm currently a Humble Monthly subscriber, which already gives me a one-click purchase option through the credit card on file.
Vultr, a VPS Host, accepts Bitcoins but started to require a valid credit card or Paypal purchase before accepting Bitcoins to prevent ToS violators who used Bitcoin.
It's not necessarily the case that someone would want to use Bitcoin for anonymity, it might just be a more convenient payment method or something else. Doesn't hurt to give people more places to spend their Bitcoin even if the circumstances are less than ideal.
In what way can Bitcoin be considered a meaningful alternative (however you define it) if you also have to input a valid credit card number (that, presumably, the merchant will run the traditional $1 verification charge on)?
The reality is that Bitcoin is less convenient than using a regular credit card (because, realistically, you're not going to be mining Bitcoin but rather you'll be buying Bitcoin using your regular credit card/bank account). I would argue that Bitcoin is also worse in every way (no chargebacks, wild fluctuations in the valuation of a unit of Bitcoin, etc.) if you also don't care about anonymity and the product you're buying is fully legal.
So it's like "providing an ID", and then paying. Even if bitcoin is not "anonymous" (pseudonymous), there's still the decentralised+cheap nature of it that's worthwhile.
Ok, I think I understand - you mean some more general money laundering of bitcoin, where the source of the money need not be known, because the behavior shows that it just has to be money laundering. Tx!
Typically "bad actors" in this situation are bad in regards to the company, it's not a definition of their person or the source of their money (although those often coincide).
"Name your own price" and "Humble" in the name are just marketing gimmicks. It's just a business like any other - they want you to be generous, pay more than other people. If you take "name your own price" honestly, they try to block you. Under $1? "Sorry, the minimum name your own price is $1." Paying under the average price? "Sorry, please try our captcha roulette or increase your 'name your price'". I can't believe they don't require a scan of your passport and utility bills to "assure better quality of service".
The bitcoin die-hards will lynch me for saying this, but: I think this is a good example of where using a side-agreement (sort of a sidechain, I guess?) would be a good thing.
So: don't accept bitcoin payments, accept coinbase payments, but only one per coinbase account.
I'd be happy to verify my phone number if it meant I could buy anything with Bitcoin afterwards. There are other payment solutions that work, too, I just really really like the UX of Bitcoin and the fact that it's pretty much cash. I don't need permission from my bank to transact.
The fact they removed Bitcoin may suggest it's less useful than you might think. The reasons for this are complex, but sadly it's just worse than Credit cards for most merchants.
What's annoying as a customer is many companies flag legitimate transactions, wait a few days to say so, and then handle it poorly after the fact.
> What's annoying as a customer is many companies flag legitimate transactions, wait a few days to say so, and then handle it poorly after the fact.
If by this you mean they don't notify you that the transaction was flagged until a few days later, that's (probably) part of the fraud prevention system. There was a post on HN similar to this one a while back about how another site handled fraud prevention. One of the most successful techniques they found was to delay notification. Fraudsters are less likely to target you if it takes them a long time to find out their transaction was declined. Credit card fraud is very much a hit and run operation, as the card is likely to quickly get flagged and blocked by the issuer within a few hours of the fraudsters using it.
That said, a few days is pretty bad and I imagine it really only takes a few hours delay to make the technique effective.
>The fact they removed Bitcoin may suggest it's less useful than you might think.
They have not removed Bitcoin. You can check the current Book bundles which do have Bitcoin enabled. In my experience, it tends to be disabled on publisher bundles like the current 2K and Revelmode Bundles. Probably the publishers not accepting Bitcoins.
I wonder why, though. The publishers don't need to accept Bitcoin, HB just gives them dollars in the end. I would like to hear from an official source on this, because Bitcoin seems like the best payment method for them (and me, because I love how easy it is to use).
I completely fail to understand why they seem to rather dislike it.
It's possible that HB doesn't want to be liable for the conversion of BTC to USD, and therefore the two parties are unable to come to an agreement as to how the royalties and compensation works for BTC sales. In the absence of an agreement on how to process BTC, it's easiest to simply not accept BTC for all parties.
That sounds unlikely to me, since Coinbase and the other processors promise to accept a price in USD and give you exactly that price, abstracting payment from you completely...
>sadly it's just worse than Credit cards for most merchants.
Don't most merchants just use something like a 'pay with bitpay / coinbase' which results in them directly getting cash? I can't imagine how that would be much worse?
I really like Bitcoin's UX; it's really simple to take out your phone and scan a QR code. I've also made a large number of transactions and have never had one fail (some can take a while to get confirmed, but every merchant I've used credits you as soon as they get the broadcast, not when it's actually confirmed).
This is my feeling exactly! Bitcoin UX (especially for online-only stuff that doesn't actually need an address) is actually way nicer than typing in my credit card.
This last time I tried to buy something with my credit card I accidentally mistyped the code on the back and they disabled it until I called the card issuer and gave them my SSN!
"Scan QR code, press Accept" is poor UX? You should see Visa's 3D secure, the thing that just makes me close the browser window whenever I see it, because it means I'm never getting the payment through.
I would guess, just having it as an option in addition to credit cards, wouldn't make someone abandon their cart in the case of a poor UX (more likely abandon bitcoin)
The various tipping services on reddit and other message boards that enable bots are anything but poor UX. Nothing else can come close to enable that kind of instant tipping.
Yes there's a small but significant percentage of transactions for my company that are flagged and completely withheld because of some non-related issue of fraud. For example they lost their card, or their card had some other fraud on it, or they mistakenly reported fraud.
Despite not being our fault, the CC companies withhold the cash for months....
>Humble Bundle stopped accepting Bitcoin a year or two ago
It seems to be enabled on an individual bundle basis. While the main bundles going on right now are not accepting it, the two Book Bundles are accepting Bitcoins.
However it's always been the less noticeable button.
I meant in the store which added support maybe 3 or so years ago, and then dropped it a year or two ago. I used to prefer buying my games there, instead of on Steam, because of that as well as not having my games library locked to Steam. Nowadays I'll usually buy from GMG for the same reasons, though their store interface is much more confusing and conflated compared to Humble's.
> They get paid regardless of whether a transaction is fraudulent or not, so they have no incentive to improve.
It doesn't take away from your main point, but credit card companies do have some incentive to improve. They want the customer not to be inconvenienced by having to report fraud in the first place, and they want to avoid having those people call the support staff. That's why banks monitor your activity and automatically decline transactions that seem fishy.
Huh. I actually used Bitcoin to buy Crashlands through the dev's Humble link since they said they get a larger cut there than through Steam, and I decided to cash out my Stellar (or whatever those morphed into recently) which worked out nicely for me. I guess they don't accept Bitcoin for some of their bundles which could then be resold on shady websites.
Because, right off the bat, the CC processor can do a better job. They have more volume and resources, so their fraud prevention could be just as good if not better than the third party systems (note: _could_, assuming they actually put the necessary effort into it). More importantly, though, what I suggest is implementing actual security on credit cards. These fraud detection systems would be largely unnecessary if credit cards were secure. That's primarily what I suggest, and that would reduce fraud overall, thus reducing overall costs for everybody.
> We even have shared Slack channels with Paypal and Stripe so that as we see problems, we work together in real time to diagnose, fix, and improve our joint system together.
Is this a normal service that Paypal and Stripe provide to their customers, or is this something that Humble pays extra for/gets as a bonus for being a high volume customer?
I think you're not this naive and you are joking, but I will bite...
If you are founded by well known VCs with connections (to management at Paypal or Stripe), then yes, you have this extra service at cost, or rather as a favor.
For anyone else, you need to pray PayPal won't decide one day to ban you and freeze your assets for good reason or no reason at all. Or just call their toll-free line...
For what it's worth, we had an awesome 24/7 account manager with PayPal back when we were 100% bootstrapped. I think it's more about volume than Silicon Valley connections.
I've never had to work with payment processing services, so I had no idea if this kind of thing is normal or not, but it struck me as very manpower-intensive and therefore unlikely to be a standard service.
Was Humble founded by well-known VCs with connections? If it was, I didn't know that either.
We have direct contacts with Stripe through Slack. Though in our case we're providing a Stripe integration as well as our own services, so our issues are sometimes a bit more complex.
(as an aside: Stripe integrations are amazingly easy to do. Stripe Dashboard is the canonical example of "API as a dashboard". Everything you think is possible in the API is doable through the UI)
As much as I'd like to believe their numbers, something seems off.
If you look "underground" you'll find hundreds of thousands of forum posts selling keys that are from, you guessed it, HumbleBumble; they're also not shy about citing their sources. In fact, I'd say that more than 75% of all "carded" steam keys are from HumbleBundle, if not more.
Nobody else has the ease of ordering and uses Stripe (pathetic antifraud — which this post alludes to. More about that in my comment history); SMS verification isn't all that grandiose either.
Does this stop the "buys cards casually, doesn't make a career out of it" carder? Sure does. But they're not the ones companies and individuals need to worry about. It's the guys who are making $250, $500, $1000, $2500 a day that you need to worry about.
I'll say this every time the subject of fraud comes up: Do not trust your processor to do anything for you. They have little-to-no interest in protecting you. Hire a nerd to school you on fraud; if you have massive transaction volume, hire that nerd to help train some models on fraud. But do not, and I mean do not fucking trust your processor.
Can you email me at jeff@humble.com? I would love to see what you are talking about. We do have an awesome engineering team that works on fraud and "trusting the processor" is actually the last step in our defense.
I build/train models for high transaction volume. The real struggle for gaming fraud specifically is that the data is typically non-stationary. I came into my job without formal training in machine learning so I may have the terminology wrong but essentially the machine learning models are typically learning distributions over time. Meaning that this combination of features typically has this ratio of fraud to legitimate orders and assumes those ratios will hold in the future.
For example a model trained using historical data will flag too many orders during a sale that brings a spike in legitimate order volume. This can be mitigated somewhat by feeding into the model volume indicators such as time of day and day of week.
For gaming, however, the organized fraud rings typically hit en masse. The largest ring that I saw went from zero to 3000 to 4000 attempts a day in a week. A model tuned at the peak would reject too many orders on a typical day and vice-versa.
The other challenge is that all statistical models rely on IID assumptions which means that the attacker isn't supposed to "learn" between attacks. For the typical smash and grab jobs seen with physical goods this (roughly) holds true but completely falls down with organized fraud rings in gaming. Any competent attacker will quickly see when his success rate drops and change tactics or increase attacks when the success rates rise.
The result is that a model that takes a week to build can decay in a matter of days or hours. I use DataRobot which can automate model building and you can combine short term and long term models in your strategy but it's still a struggle.
Historically the patch has been to limit velocity based on a specific data point that was hard to change, but one-by-one they have fallen: credit cards, email addresses, IP addresses, device IDs and now phone numbers. Each is successful for a while, but it's an arms race. For example, the largest attacks that I've seen utilized 100,000+ computers over a three month period and 300,000+ credit cards. The attackers had the ability to log in to the machines using remote-desktop-like software to evade device ID limits.
Getting good results against these types of attacks requires a multi-layered defense but if there was a magic bullet it wouldn't be with classifiers but with anomaly detection. The problem domain is closer to detecting a hacker inside a network or a disease outbreak.
This particular problem is hard, and DARPA has thrown lots of money at a lot of people looking for solutions. At the turn of the century it was intrusion detection, and after 9/11 it was bio-terror. After years of research none of these have resulted in commercial products because the false positive rates are always too high.
I second not trusting your payment partners to manage fraud for you. For low price games it's possible to be fined and lose your merchant account even when your internal chargeback reports don't show a problem. In some cases the card issuing bank may not issue a chargeback (and absorb the loss) but will still report it to Visa/MasterCard.
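The velocity limits and volume-spike detection described in the comment above, as an added example that is not code from the page or from any company mentioned in it. It keys sliding-window counters on several identifiers at once (card, IP, and a normalized email root so serial throwaway addresses like the `asdfklasdklfm1..5@yahoo.com` pattern quoted earlier in the thread cluster together) and flags days whose order count jumps far above the prior baseline; all order data, IPs, card tokens and thresholds are constructed for illustration.

```python
from __future__ import annotations
from collections import defaultdict, deque
from dataclasses import dataclass
import re
import statistics


@dataclass(frozen=True)
class Order:
    ts: float      # unix seconds (constructed)
    amount: float
    email: str
    ip: str
    card: str      # constructed token standing in for a card fingerprint


def email_root(email: str) -> str:
    """Normalize an address so serial throwaways cluster together:
    lowercase, drop +tags and dots in the local part, strip trailing digits."""
    local, _, domain = email.lower().partition("@")
    local = local.split("+", 1)[0].replace(".", "")
    local = re.sub(r"\d+$", "", local)
    return f"{local}@{domain}"


class VelocityMonitor:
    """Sliding-window counters on several identifiers at once.
    limits maps a dimension name to (window_seconds, max_orders_in_window)."""

    def __init__(self, limits: dict[str, tuple[float, int]]):
        self.limits = limits
        self.seen: dict[tuple[str, str], deque] = defaultdict(deque)

    def _keys(self, o: Order) -> dict[str, str]:
        return {"card": o.card, "ip": o.ip, "email_root": email_root(o.email)}

    def observe(self, o: Order) -> list[str]:
        """Record one order; return the velocity limits it exceeds (empty if none)."""
        reasons = []
        for dim, value in self._keys(o).items():
            window, limit = self.limits[dim]
            q = self.seen[(dim, value)]
            while q and o.ts - q[0] > window:   # expire timestamps outside the window
                q.popleft()
            q.append(o.ts)
            if len(q) > limit:
                reasons.append(f"{dim}:{value}:{len(q)}/{int(window)}s")
        return reasons


def spike_days(daily_counts: list[int], k: float = 3.0, min_history: int = 5) -> list[int]:
    """Return indices of days whose order count exceeds mean + k*stdev of all prior days.
    A crude baseline check, not a trained classifier, so it does not decay as the
    fraud/legit ratio drifts; it only says 'volume is abnormal, look at it'."""
    flagged = []
    for i in range(min_history, len(daily_counts)):
        hist = daily_counts[:i]
        threshold = statistics.mean(hist) + k * (statistics.pstdev(hist) or 1.0)
        if daily_counts[i] > threshold:
            flagged.append(i)
    return flagged


# Constructed order stream: five $1 orders with serial addresses one second apart
# from one IP (the pattern quoted in the thread), then one ordinary-looking order.
SAMPLE_ORDERS = [
    Order(1000 + i, 1.00, f"asdfklasdklfm{i + 1}@yahoo.com", "203.0.113.5", f"card{i + 1}")
    for i in range(5)
] + [Order(2000, 12.99, "alice.smith@example.com", "198.51.100.7", "card9")]

LIMITS = {"card": (3600, 3), "ip": (600, 3), "email_root": (600, 2)}


def run_demo() -> list[tuple[str, list[str]]]:
    mon = VelocityMonitor(LIMITS)
    return [(o.email, mon.observe(o)) for o in SAMPLE_ORDERS]


if __name__ == "__main__":
    for email, reasons in run_demo():
        print(email, "FLAG " + ", ".join(reasons) if reasons else "ok")
    print("spike days:", spike_days([40, 45, 38, 50, 42, 44, 3000, 4000]))
```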
> The largest ring that I saw went from zero to 3000 to 4000 attempts a day in a week.
> which means that the attacker isn't supposed to "learn" between attacks
Those are key takeaways and I'm glad someone else (on this side of the job) understands it.
It's a hard problem for anyone to solve. Not to self-promote, but I'm working on something that doesn't rely on machine learning; instead, it's focusing on patterns.
Because I used to be that guy that you worried about. Now, I'm the guy that the guys that you worry about worry about.
I wish you luck and if you succeed I'm sure that there will be some three letter agencies knocking on your door. I've had some luck using off-the-shelf clustering algorithms but they are too CPU intensive to run real time and require an investigator to interpret (great productivity boost though).
Personal anecdote here ... I bought a book bundle a few months ago (ironically, a "Hacker" bundle). Transaction went through, no problems.
A day or two later, they contacted me, asking for confirmation of some info (my phone number, I think), then another email saying they couldn't confirm some of my payment details, etc. ... and then followed a two-week-long back-&-forth with customer service, trying to get them to take my money.
After two weeks of this, they decided to cancel the order, said I needed to re-place the order from scratch ... except by then, the package I had originally ordered was no longer available. They're very sorry for the inconvenience, but fuck me.
I want to emphasize that I had a credit card and two different debit cards, all valid forms of payment, in my name, that I've used at various times to order things online. To this day, I have no idea what the problem was, as they never told me.
tl;dr: HB stops online fraud by (I guess) erring on the side of caution, and periodically alienating legitimate customers. Now I will never shop there again, and routinely warn others not to.
Email sent. Thank you. Very nice to see the founder of a business personally following up on things like this. This already goes a long way towards restoring my faith in your company.
5% of gross sale price is a lot. That represents a huge portion of our margin. As others have said here, fraud protection should be an inherent component of credit cards, and not tacked on by humble bundle or anyone else.
Fraud protection is built into credit cards: It's just not good enough fraud protection, and it has a lot of false positives: I've had to clear charges with my credit card company from a store plenty of times.
The trick here is that stronger fraud protections have to come from the places that have more information: When dealing with credit cards, fraud can happen in any direction: merchant fraud, customer fraud, third party with a cloned card, and even merchants with cloned cards: All trying to defraud someone, and with no one party having all the important fraud related information.
Therefore, in practice, fraud detection is a multi-pronged approach. What is true is that we shouldn't ask anyone grossing less than 100 million a year to have to do any fraud detection: Their online credit card processor should be doing a whole lot of the work, if not all the work, for them, if just because they are ill equipped to deal with the problem. Having to hire yet another company to wrap their own fraud detection tooling around your credit card processing just sounds like making it way too hard to run a profitable online business.
I was about to say this as well. However, if they were to split their payment protection out as an API that anyone can use, I'd happily pay 1% of each transaction.
And more importantly, the marginal cost on software is close to $0, so 30% doesn't cut as deep. If you're selling a service where the margin is ~ 12%, a 5% of gross fee will take almost half of that.
I love the Humble store. I got really worried after learning about these second hand key stores and fraud, that this might be a venue by which they acquired the keys with stolen credit cards. Glad to know that the Humble Store isn't merely aware of this practice but actively taking steps to stop it.
I wonder how Humble Bundle will stop "developer fraud" - if you look at the list of people who paid the most for a bundle, it seems that often developers themselves will buy bundles for some higher than typical sums to quickly inflate the average price...
I'm not sure how it is now, but in the beginning it was well known developers (and not necessarily related to the titles involved, such as notch) paying lots of money not to inflate the price specifically, but to support the charities involved (and you can choose the amount that goes to the charities). Then again, a higher average price helps the charities as long as the total amount spent is higher, so maybe that is part of the goal, but for altruistic reasons.
I don't remember exactly how the very early bundles were set up, but the first ones I think were purely "pay what you want" and didn't have the "pay more than average to unlock" mechanic. It seemed... cleaner back then.
Still, my only real complaint about HB is that they seem to want to create another GOG or something - most of their mails now are pretty much spammy, advertising the same deals on "regular store" over and over again. I used to be excited when I got a mail from them because it meant another cool bundle. Now it's mostly store promotions.
I think the pay over the average was very early. According to wikipedia[1] it was the 6th bundle[2], 17 months after the initial one. Bundles were offered much less often back then.
> most of their mails now are pretty much spammy, advertising the same deals on "regular store" over and over again
You know, I see the same thing. But this spurred me to look, and their account settings[3] allow you to customize exactly what types of promotions you want to be emailed about, so there's relief for both of us.
As for the early bundles, I recall paying attention to the first two or three, then ignoring them for a few years, and only coming back to them around a year ago.
I absolutely agree. I liked buying the bundles before they started to artificially inflate the prices with a combination of beat the average and pay over X for this other game.
Before they started that I purchased every (or at least almost every) bundle for 20-30 dollars, but I haven't bought one since.
In the past couple of years, the only times I can think of that developers have made vanity purchases, the average would have been affected by a few pennies at most. Calling that fraud feels incorrect.
It could inflate prices much more than by just a few pennies if done soon enough. When vanity purchases are done very early, they can temporarily raise the average price by a few dollars, which will then be sustained by those who want the "beat the average" games.
Fraud may be a bad word for that, but reading through the "biggest buyers" lists leaves a bad taste in my mouth.
Meanwhile, try to purchase a copy of a Humble Bundle for yourself, and one as a gift to a friend using the same card, and suddenly STOP! DO NOT PASS GO.
Anyone know if the situation is similar or different on GOG and itch.io? It's sure a good, valuable (because informative) marketing piece by Humble, but if anyone can chime in with info about the competition, potential users among us could benefit even more!
Not everybody owns a mobile phone (I, for example, don't have and don't want such a bugging device). In my opinion requiring a mobile phone is thus a dangerous idea.
You're willing to go through the hassle of not having a mobile phone, but you complain about your choice making it difficult for you to purchase extremely cheap software?
Yep, you guys were right this time, and we've banned the offending accounts and sites.
In the future, though, please email hn@ycombinator.com about stuff like this, as the site guidelines ask. That's the only way to be sure we'll see it. Fortunately someone did send an email; without that, we'd probably never have seen this, and we can't take action about things we don't see.
Are there any plans to add a 'report' feature to HN? It would be much more obvious, as I was not aware that I should email hn@ycombinator.com before today.
Only vizza and antonplus posted the same verbatim comment. Could just be the same person, different accounts. The accounts were created a long time ago as well. Doesn't look like shilling.
Really?? On HN? Who cares? This is a niche site... isn't it? If it's not, my account is 2138 days old, almost six years, how much could I get for it :P ? (I know, about tree fiddy.)
Some article I read ages ago suggested making a "just jar" like a "swear jar" such that when someone said "you can just do X" they'd have to put money into the jar. I found that amusing and try to remember it when I catch myself saying the word "just".