Humble has outlined the steps it is taking to combat fraud in the wake of concerns over third-party sellers exploiting the bundling marketplace.
The Humble Bundle commonly allows buyers to pay what they want for a set of games, starting at as little as one cent, with more titles often unlocking at higher prices.
Devs across the industry have expressed fears that unscrupulous third-party sellers could use the platform to buy codes for their games in bulk, before selling them on for profit on sites such as the controversial key marketplace G2A. Often these scam purchases are made with illegally-obtained credit cards that are subsequently charged back, resulting in lost sales for devs.
“Humble Bundle is an enticing target for fraudsters out to make a quick buck,” the site admitted in a blog post. “The most common approach is to buy as many keys as possible using a stolen credit card, and then resell them elsewhere for a profit.”
The site went on to detail its countermeasures, including the ‘machine-learning-based anti-abuse startup’ Sift Science, a first line of defence which “has a really good idea when someone is up to no good”.
Following Sift is the use of SMS verification to judge whether customers are genuine, followed by manual review of any suspicious-looking transactions.
The next step is the use of rate limits and captchas to “minimise damage”, Humble continued. “They might be able to steal two copies of a game, but they’ll need to steal another credit card to steal the third.”
Should keys be obtained by a party deemed illegitimate, the site also has the ability to cancel codes.
“We cancel the order, revoke the download page and the Steam, uPlay, or Origin keys associated with that order,” it explained. “We send those keys back to the developer or publisher, and to the platform owner. The person holding that key loses access to the game. If they purchased it from a reseller, that means the reseller’s reputation is diminished.”
Insisting its efforts are having a positive effect, Humble reassured developers: “Let us take care of this for you using our infrastructure.
“We’re monitoring fraud daily, and we’re always tweaking variables in every step of the process above,” it concluded. “The fraudsters are persistent. They poke and poke until they find a hole. When they find it, we find it too and close it up."