Wednesday, June 22, 2016

Down The Rabbit Hole With TinyBuild And G2A

Sometimes I get what, at first glance, is a simple story. StupidGenius from the Cap Stable podcast let me know about a story claiming that G2A was selling game keys obtained through credit card fraud. Again. 

The victim in the most recent event is an indie company called tinyBuild. TinyBuild's CEO, Alex Nichiporchik, wrote an article that appeared both on the tinyBuild website and Gamasutra claiming that G2A sold and estimated $450,000 worth of games.

Sales of tinyBuild games on G2A according to tinyBuild
Nichiporchik claims that people using G2A as a method of laundering money from stolen credit cards using G2A cost tinyBuild dearly:
"I've been dismissing the issue for a long time. Sure, a few game keys leak here and there - nothing major. For a few months we supported our own little store on - just so we can give some discounts to our fans, and do creative giveaways that'd include scavenging for codes.

"The shop collapsed when we started to get hit by chargebacks. I'd start seeing thousands of transactions, and our payment provider would shut us down within days. Moments later you'd see G2A being populated by cheap keys of games we had just sold on our shop."
Credit card fraud affects the entire industry, as IndieGameStand reported at the beginning of March.
"The bigger problem killing the little guys is when scammers use stolen credit cards to purchase games from online retailers to resell Steam keys.

"Here’s how the scam works:  You get a bunch of stolen credit card numbers and then go to a legit Steam key reseller site and use the stolen info to buy the digital codes.  You grab as many codes as you can and then go over to one of these gray market resellers and turn your keys into real money since you bought them with stolen cards.  Meanwhile, the website and/or developer that you purchased the key from gets a credit card chargeback or other dispute 30-60 days later.

"This has been a huge problem at IndieGameStand this past year. I’ve personally wasted around 6-9 months of development time on security detection rather than building cool new things for our site.  I’m sure it’s affected other game marketplaces too since I know larger sites like Humble Bundle build in a refund/chargeback percentage to all their sales payouts and my guess is that this type of scamming has contributed to the closing of smaller sites like ShinyLoot and maybe even Desura.  In the case of IndieGameStand, I estimate it’s directly cost us well over $12k and that’s just in raw chargeback fees and developer payouts (for refunded/scammed sales) – not counting the hours of ongoing development time that we’ve wasted on this problem."
Of course, retweeting the IndieGameStand post probably led to increased pirating activity against tinyBuild.
In a developer blog published on 23 March, a developer wrote:
"Guess which games were pirated / falsely purchased the most in the last few weeks? TinyBuild was almost exclusively targeted on our site in the past few weeks (sorry guys).  TinyBuild actually wrote their own article about Steam Key piracy and how their game Punch Club has sold 330k copies and been pirated over 1 million times.  This all really really sucks for indie developers and indie sites."
Before continuing, I need to leap back to September 2015 in order to provide some additional context. A few days before Riot banned G2A as a sponsor of professional League of Legend teams and events for promoting terms of service breaking RMT activities, an interesting article appeared on Gamasutra. Paul Taylor, the Joint Managing Director of Mode 7 Games, examined the legality of key reselling sites such as G2A. Some of the answers Taylor received from G2A are extremely interesting in light of this week's news around tinyBuild.
Taylor: Can you describe how your marketplace works?

G2A: G2A’s marketplace, much like any similar marketplace such as eBay, brings together buyers and sellers of goods. G2A’s marketplace is primarily focused on facilitating the growing demand for digital games and allows over 50,000 sellers to list digital games that they own for sale.

G2A in continuing to lead the industry in distributing digital content is opening a “Brands Direct” portion of our marketplace to assist all game developers and publishers, big and small, to instantly tap into G2A’s preexisting network of over 6 million users.

Taylor: Would you agree that the use of game’s intellectual property on your site is contingent on the legality of that marketplace?

G2A: The G2A marketplace is legal. As in any reputable marketplace, such as Amazon or eBay, the responsibility for the legality of the product being sold in the marketplace rests with the individual sellers on that marketplace. G2A’s Terms and Conditions, just as Amazon’s and eBay’s Terms and Conditions, require that any item listed by a seller is legal.

Taylor: Would you also agree that if you had knowledge of users frequently reselling games when they had no right to do that, that would invalidate the legality of the marketplace?

G2A: We at G2A are firm believers in the universally held axiom that one should not punish all for the transgressions of one. Much like eBay’s marketplace would not, and in fact has not, been rendered illegal by the sales of unscrupulous users selling items that are illegal, neither would such an act render G2A’s marketplace illegal. When G2A is made aware of a user violating the law G2A, pursuant to its notice and takedown provision, takes appropriate action against such users in order to ensure the integrity of G2A’s marketplace.

Taylor: What protection do you have against that?

G2A: G2A takes great pride in ensuring that transactions on the marketplace are safe and secure. As such, to prevent against instances of illegal or fraudulent conduct G2A has a well-established notice and takedown procedure. If a party feels that a product being offered for sale has violated an established law, the aggrieved party may contact G2A at with the item details and the alleged law violated and G2A will investigate the matter (for full details please review our notice and takedown provision found in section 10 of our terms and conditions Additionally, G2A complies with all legal regulations such as the Anti-Money Laundering requirements and Hong Kong Money Services Operator requirements.
The "Brands Direct" mentioned in the first response is interesting, as tinyBuild was in talks to become a partner of G2A. So are the comments about taking down offers involving keys fraudulently obtained. Nichiporchik definitely did not like the answer he received from G2A. He summarized the answer as follows:
"In short, G2A claims that our distribution partners are scamming us and simply selling keys on G2A. They won’t help us unless we are willing to work with them. We are not going to get compensated, and they expect us to undercut our own retail partners (and Steam!) to compete with the unauthorized resellers."
Nichiporchik in an update listed his key distribution partners: Humble Store, BundleStars, IndieGameStand, and IndieGala.

In a Reddit thread on r/gaming, Trion CEO Scott Hartsman weighed in with his experience dealing with both G2A and credit card fraud.
"[From G2A] Honestly I think you will be surprised in that it is not fraud, but your resale partners doing what they do best, selling keys. They just happen to be selling them on G2A."

"So sorry to hear you guys are having to deal with this.

"Have one more data point: Based on our (Trion's) past experience with fraud-driven g2a sales when we were mostly key-driven, that is a complete garbage statement. They've hit us up to "partner" also, and we've continued to tell them to go piss up a rope.

"They're a large part of why we've almost entirely moved to keyless in favor of account entitlements on our own platform and deeper integration with trustable (e.g. Steam, Amazon, etc) partners.

"Wish we didn't have to do any of it (especially in places where it dings the user experience), but storing it all in our own platform and having human beings manage/review is the thing that keeps the chargebacks to an acceptable level to stay in business. Without it, the fraud is just overwhelmingly insane."
Hartsman hung around and answered a couple of questions worth posting.
Anshin: The way I see it, is that G2A's entire system works on keys right? So if small time companies can have an easier way to distribute their games without keys (like some direct steam integration) it would really hurt G2A. Unless they have another method I'm not aware of.

hartsman: Exactly. Keyless integrations (where a dev or publisher's platform talks directly to a distributor's platform) render the 3rd-party fraud enablers powerless.
Keys are really just a transportable, manual way to make a couple different platforms talk to each other via a human being who has to type it into a thing.

Thjoth: How has G2A not gotten into a boatload of legal trouble? If fraud committed through their site is so obvious that mid-sized companies like Trion are literally changing the technology they use for sales specifically to defeat it, it seems like the type of thing that would get picked up by a bunch of lawyers somewhere. Not to mention the credit card companies that have to deal with tens of thousands of chargebacks connected to a single source. Credit card companies normally get pretty salty about stuff like that and have millions of dollars to drop nuclear lawyer-bombs on anybody they don't like.

hartsman: That's a really good question. I'm curious too. I have no idea what the relevant laws would be (given that they seem to be HQ'ed in Hong Kong, based on the footer on their site), but I'll ask.

Just my guess, but I'm betting that I'll hear some combination of: 1) It'd be complicated and time consuming, 2) It'd be expensive, 3) A sane outcome would be far from guaranteed, and the perennial favorite, 4) Even if you were to get a sane outcome, enforcement or recovery of any type would be unlikely.
In a late breaking development, G2A shot back at tinyBuild. Kotaku Australia reported late last night:
"And this is where G2A’s latest demand comes in. According to them, tinyBuild now has '3 days from the date of this transmission' to provide a 'list of suspicious keys' so the website can investigate the activity further. G2A even said that 'they identified more than 200 tinyBuild production auctions' on their website before the two parties were in contact, and that all of them were 'suspended because they violated G2A.COM Terms and Conditions and security procedures'.

"In an email to Kotaku Australia, tinyBuild’s Alex Nichiporchik said G2A never told tinyBuild that they had removed any keys or merchants in regard to their products.

"'We were never told they removed 200 keys/merchants — we wanted them to do it, they told us they weren’t going to unless we decide to work with them and we had to provide the keys,' Nichiporchik said. 'So did they or did they not? Because they just said we didn’t give them a list of keys, which is true. So how did they remove these keys/merchants? I’m genuinely curious.'"
The Kotaku reporter does not portray the tinyBuild CEO as a happy individual. If the following is true, I can't blame him:
"Nichiporchik then dug the foot in further by saying that he was able to create an account on G2A and 'sell a ton of keys' without any verification. 'If Ebay allowed you to sell merchandise without verifying sellers’ credentials (they ask you for IDs, statements confirming addresses, tie it to your bank account, etc), they’d probably under similar fire right now as they’d facilitate stolen goods trade.'

"'No developer is going to put their games onto G2A when any other merchant on their site can undercut them,' he added. 'As a small company we will never create a situation that pisses off our fans … everybody knows [G2A’s] reputation, so why would anyone even consider giving them a list of keys to ‘verify’? I believe they’d just resell those keys and make more money off of it.'"
I'll just leave the story here. Let me just give a final warning to all EVE Online players. CCP is death on credit card fraud. Redeeming a PLEX code purchased from an unauthorized reseller, especially if any credit card fraud is involved, can result in a permanent ban of all of a player's accounts. Anyone wishing to purchase a PLEX should either visit the account management page or visit one of the authorized PLEX resellers. And given G2A's history of selling game codes obtained through credit card fraud, if you think someone is giving you a PLEX code purchased from G2A, I'd run away as quickly as possible.

No comments:

Post a Comment