With over a million sales of great games in a typical month, Humble Bundle is an enticing target for fraudsters out to make a quick buck. The most common approach is to buy as many keys as possible using a stolen credit card, and then resell them elsewhere for a profit. Over the years we have invested heavily in our anti-fraud technology to keep everything running smoothly. Here are some of the steps we take to stop fraud.





Step 1 - Risk Assessment

Our first line of defense is a machine-learning-based anti-abuse startup called Sift Science, which we’ve been training for years across 55,000,000 transactions. Given how many orders we process, Sift Science has a really good idea when someone is up to no good. The model adapts daily as we get more data.

Step 2 - SMS Verification

If the transaction risk is high, we ask the user to verify their phone number through SMS. This helps us confirm that our legit customers are who they say they are. We are able to ban fraudsters by phone numbers, which substantially raises the cost of attacking us. This can be annoying for legitimate customers, but thanks to our machine learning, only a tiny fraction get flagged for verification.

Step 3 - Manual Review

If the transaction still looks risky, we hold onto it for manual review. If you’re a customer who placed the order at a discount, the discount is still honored during this review period. Our customer service team looks at every risky transaction, customer history, and more to determine if the transaction looks legitimate. If they’re on the fence, we generally approve because the only thing worse than fraudsters is blocking legitimate customers from getting their game.

Step 4 - Rate Limits & Captcha

When all else fails, we use rate limits and captchas to minimize the damage. If someone gets past everything else, they are still contained to a modest amount of thievery: they might be able to steal two copies of a game, but they’ll need to steal another credit card to steal the third. We were among the first test cases for Google’s latest captcha implementation.

Step 5 - Key Cancellation

We’re diligent about canceling orders and the included digital goods when the rare transaction slips by us. Sometimes we find related transactions during a manual review, or even more rarely, a purchase results in a chargeback. When that happens, we cancel the order, revoke the download page and the Steam, uPlay, or Origin keys associated with that order. We send those keys back to the developer or publisher, and to the platform owner (Valve / Ubisoft / EA). The person holding that key loses access to the game. If they purchased it from a reseller, that means the reseller’s reputation is diminished.

Step 6 - Keep watching and working with our processors

We’re monitoring fraud daily, and we’re always tweaking variables in every step of the process above. The fraudsters are persistent. They poke and poke until they find a hole. When they find it, we find it too and close it up. We have great relationships with our payment processors. We even have shared Slack channels with PayPal and Stripe so that as we see problems, we work together in real time to diagnose, fix, and improve our joint system.
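The checkout-time escalation in Steps 1 to 4, sketched as an added example (not Humble Bundle's code): the thresholds, the 0-to-1 score scale, and every name below are assumptions, and the per-card cap of two copies follows the illustration in Step 4.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

SMS_THRESHOLD = 0.60      # assumed: at or above, require SMS verification
REVIEW_THRESHOLD = 0.85   # assumed: at or above, hold for manual review
MAX_COPIES_PER_CARD = 2   # the post's "two copies" illustration

def normalize_phone(raw: str) -> str:
    """Digits only, so a ban is not dodged by reformatting the number."""
    return re.sub(r"\D", "", raw)

@dataclass
class Order:
    card_token: str               # processor token, never the card number
    product: str
    risk_score: float             # 0.0-1.0 from the risk model (assumed scale)
    verified_phone: Optional[str] = None

@dataclass
class FraudGate:
    banned_phones: set = field(default_factory=set)
    fulfilled: dict = field(default_factory=dict)   # (card, product) -> count

    def ban(self, phone: str) -> None:
        self.banned_phones.add(normalize_phone(phone))

    def decide(self, o: Order) -> str:
        key = (o.card_token, o.product)
        if self.fulfilled.get(key, 0) >= MAX_COPIES_PER_CARD:
            return "rate_limited"            # Step 4: cap holds at any score
        if o.risk_score >= SMS_THRESHOLD:    # Step 1 result drives escalation
            if o.verified_phone is None:
                return "sms_required"        # Step 2
            if normalize_phone(o.verified_phone) in self.banned_phones:
                return "rejected"
            if o.risk_score >= REVIEW_THRESHOLD:
                return "manual_review"       # Step 3
        self.fulfilled[key] = self.fulfilled.get(key, 0) + 1
        return "approved"

def demo() -> list:
    """Constructed orders: a low-risk buyer, then escalating risk."""
    gate = FraudGate()
    gate.ban("+1 (555) 010-0199")
    orders = [Order("card_A", "game", 0.10)] * 3 + [
        Order("card_B", "game", 0.70),
        Order("card_B", "game", 0.70, "+1 555 010 0100"),
        Order("card_C", "game", 0.90, "+1 555 010 0100"),
        Order("card_D", "game", 0.70, "1-555-010-0199"),
    ]
    return [gate.decide(o) for o in orders]
```

Only approved orders count toward the per-card cap, so an order held for SMS or manual review does not use up a legitimate customer's allowance.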

But does it work?

The short answer is yes. We’ve seen fraud go up and down, but overall, it’s a tiny fraction of all the transactions that we process at Humble Bundle. But don’t take our word for it: we recently asked Scott Klonan, one of the people behind Factorio.

“The widget customer support system has helped reduce the administrative cost of selling on our website by at least 90%. Previously we were dealing with fraud from both our payment provider and PayPal, and it was onerous. Since moving to the Humble Widget it is super easy to manage and deal with any transaction errors and customer issues. It has also simplified the monthly accounting for the company a great deal, giving our accounts manager more time to focus on other tasks. So overall we feel it has worked exceptionally well, and it is a very well designed tool.”

Thanks, but what does it mean for me?

I’m a customer, what can I do?

Purchase from stores that have a known relationship with the developer or publisher, like the Humble Store. If you get caught in one of these fraud checks, we apologize. It’s an unfortunate necessity to protect our developers’ products. We ask for your patience while we work it out and forgiveness if we make a mistake. This most commonly happens to customers who are new or spending a lot in a short period of time.

I’m a developer, what can I do?

Let us take care of this for you using our infrastructure. We have worked very hard over the years to solve these problems and you can benefit from our work by using the Humble Widget and Humble Gamepage to power your direct sales.

We provide the anti-fraud technology, content and/or Steam key distribution, and transaction customer support for everything you sell through Humble. Humble Gamepages and Widgets are free to build and only cost 5% of each transaction.