Steam Had The Tool to Fight G2A Scammers—And They Threw It Away

Scam Artists

At this point most of us are aware that G2A.com is a scam website that profits from stolen credit cards. They allow resellers to sell Steam keys (and others) at below retail prices, often because…they’re stolen! They also have an offensive Dark Pattern for unsubscribing from “G2A Shield”, €2 a month insurance that protects you from the very stolen keys G2A knows they’re selling you. Rimworld recently stopped selling Steam keys on other markets because fraud levels on G2A were too high. G2A’s persistent refrain is simply an elaborate “Not our problem”.

All these things are objective facts, so your lawyers can kiss my spiky metal ass, G2A. Please pay $5000 a month for TapTap Shield™ to protect your website from articles like this. (I shouldn’t joke, they’ll probably take me up on it: G2a already offered to make game devs accessories to stolen credit cards before!)

But the point of this article isn’t to explain why G2A is bad; if you’re not sold on that, click one of the many sources I’ve already provided. Lars Doucet recently did a particularly good roundup article on why G2A is literally worse than piracy: “G2A, Piracy, and the Four Currencies”. I strongly recommend you read it before continuing if you are not yet aware of the depth of the problem G2A poses.

But the thing is, if G2A weren’t in the habit of profiting off stolen credit cards, my solution doesn’t hurt them at all! Surely they won’t object then.

Keys to the Kingdom

So, the problem is basically, Steam has keys that anyone can redeem with zero authentication. You can give a key to a paying customer on a third-party site, but they could do anything with that key. G2A thieves can’t actually steal games directly through Steam, nor are they actual pirates—keys are more or less their only attack vector.

What if I told you we could do almost everything we do with Steam keys, while generating only a tiny fraction of (exposed) Steam Keys?

Direct Redeem-To-Account

This is actually a problem Valve…already solved, to an extent. Humble Bundle, for a little over a year, had a one-click scheme where you could send a key straight to your Steam account, with the end-user never seeing the ugly Steam key itself or having to copy and paste. The one-click method was not only secure from theft, it was even more usable for the end-user! For some reason it was only implemented by Humble to my recollection, but it was there and it worked.

Steam killed this method last year. Why, I’m not exactly sure—OAuth was phased out. But there’s more than one way to skin a Spy. Valve is an extremely rich company with a lot of these “programmers” which I am told can write “APIs” for just about anything these days. If it were a priority I’m sure it could be done on their end; in fact, Itch.io, “Indie Steam” as it’s affectionately called, already has a one-click-redeem for their own system. But more on Steam’s glaring failures compared to a plucky startup later.

First I want to talk about how perfect Redeem-To-Account was.

A Security and UX Win-Win

G2A has three main “attack” vectors: Bundles, Review Copies, and outright credit card theft on third-party stores. All of these currently result in naked, redeemable keys anyone can use without authentication. Conveniently, all of these are perfect for Redeem-To-Account!

Giving out press copies? Why send a naked key when you can just collect a journalist’s Steam ID and redeem a key directly to them? Suddenly press does less work (and you spend less time begging them to redeem), and you know exactly who is going to redeem that Steam key…because you did it for them! Scamming for review keys suddenly is only useful to get access to games and the keys can no longer be sold, which would probably drastically reduce the amount of scam emails developers have to sift through.

Third Party Stores? Many of these already offer to let you log in via Steam. Imagine offering users the option (or requiring them) to log in with Steam (or at least indicate a Steam account ID), so that any Steam keys they buy are redeemed directly to that account. Credit card theft for bulk key-buying is no longer effective, since the thief doesn’t know who’s going to buy the Steam key yet.

Bundle sites? Well this one’s boring; like I said Humble already did this and it was great. Log in with Steam, click a button instead of getting a key, easier than copying keys and it kills credit-card stealing scum! It would probably also reduce the incidence of bots buying up the minimum possible price keys to resell with legitimate credit cards too.
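The design described in the three paragraphs above, as an added toy model written for this article (not Valve’s, Humble’s or any store’s real code): a naked key is a bearer secret, so whoever obtains the string can redeem it, while a Redeem-To-Account grant requires the store to authenticate, draws down the store’s own allotment, lands in a named Steam ID and leaves an audit record, with no string for a customer or thief to copy. The class, method names, key format and store/account names are all assumptions.

```python
import hmac
import secrets


class KeyService:  # hypothetical stand-in for the Steam side, not Valve's backend
    def __init__(self):
        self.naked_keys = {}   # key string -> app_id: a bearer secret
        self.libraries = {}    # steam_id -> set of owned app_ids
        self.partners = {}     # store name -> (api secret, {app_id: grants left})
        self.audit = []        # (store, steam_id, app_id) for every direct grant

    def register_partner(self, name, app_id, allotment):
        secret = secrets.token_hex(16)
        self.partners[name] = (secret, {app_id: allotment})
        return secret

    def issue_naked_key(self, app_id):
        key = secrets.token_hex(8)  # constructed format, not Steam's
        self.naked_keys[key] = app_id
        return key

    def redeem_naked_key(self, steam_id, key):
        # Zero authentication: whoever presents the string gets the game.
        app_id = self.naked_keys.pop(key, None)
        if app_id is None:
            return False
        self.libraries.setdefault(steam_id, set()).add(app_id)
        return True

    def redeem_to_account(self, store, secret, steam_id, app_id):
        # Only an authenticated store may grant, from its own allotment, to a named account.
        entry = self.partners.get(store)
        if entry is None or not hmac.compare_digest(entry[0], secret):
            return False
        if entry[1].get(app_id, 0) <= 0:
            return False
        entry[1][app_id] -= 1
        self.libraries.setdefault(steam_id, set()).add(app_id)
        self.audit.append((store, steam_id, app_id))
        return True


def demo():
    svc = KeyService()
    key = svc.issue_naked_key("game-123")        # store buys a key and shows it to the buyer
    leaked = svc.redeem_naked_key("thief", key)  # the leaked string works for any account
    secret = svc.register_partner("example-store", "game-123", allotment=1)
    direct = svc.redeem_to_account("example-store", secret, "buyer", "game-123")
    forged = svc.redeem_to_account("example-store", "guess", "thief", "game-123")
    return leaked, direct, forged, svc
```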

Wouldn’t We Still Need Keys?

There are a few situations where Redeem-To-Account doesn’t work, so you still need old fashioned keys. Retail boxes (sorta) need them, giveaways aren’t practical to do without them, and Kickstarter probably needs them. But these aren’t a big deal either.

Retail boxes are a non-factor due to them being a far-harder target and also being rather rare in the scheme of things (most PC sales are digital these days). Buying a crapton of retail copies with a stolen credit card is a far more complicated and dangerous affair (and if you’ve more or less stolen physical copies, maybe just sell the physical boxes unopened instead of opening them for a Steam key, if it’s even included, eh?).

Giveaways are…not an important part of the industry and I’m honestly baffled as to why “steam giveaway groups” are even a thing. If you don’t want your game resold, don’t give 1,000 keys to “Delux Staem Keyaways (LEGIT).com” to give to their illustrious members. Pretty easy, that one. Personal giveaways on twitter or so where only a few keys are given away are, again, not really a valid vector for attack.

Kickstarters often go through Humble Bundle to redeem keys, so they could just use the direct redemption method Humble uses for most. But even for those Kickstarters that don’t use Humble, using fraudulent credit cards to mass-back a Kickstarter is not remotely as practical as stealing immediately available keys, now is it? The likelihood of an attacker backing a project dozens of times and not getting caught and charged back during the extremely long Kickstarter process is basically zero.

So these few remaining keys the Redeem-To-Account method leaves aren’t really relevant attack vectors for G2A brats.

Why Aren’t Valve Doing it?

Well, no beating around the bush for this one. Valve is an incredibly lazy and inconsiderate company these days. Valve is surely aware of the problem G2A poses and either doesn’t care, doesn’t consider it worth combating, or, if they are working on it, they clearly haven’t published a solution. The latter seems unlikely as they have never so much as talked about doing this, but hey it’s Valve so zero communication is to be expected, right? I mean it took them getting sued over CS:GO gambling to actually enforce their own Terms of Service.

It’s easy to see why Steam wouldn’t really care too much here, either: G2A doesn’t steal money directly from Steam. Instead, their users use stolen credit cards to steal from third-party stores. Those thieves cut sales of indie games by the thousand. Even when they don’t steal credit cards they pose as YouTubers or other reviewers to steal keys, which wastes the time of publishers/developers who want legit reviews and makes it harder for legitimate content creators to get review copies (thanks assholes!).

Everyone’s hurt except Valve, who uh, probably doesn’t give a shit. Realistically, they’re not the ones getting credit cards canceled, dealing with review requests or having their split of the revenue taken (since they get nothing from third party sales). It’s not exactly moral to ignore this problem, but it’s easy to see why it’d be low priority. And considering the glacial pace at which Valve fixes what they admit is a problem, yeah, don’t get your hopes up.

What To Do?

Well, I did my part, which is write this article. I don’t have any ins at Valve so all I can do is raise awareness. I don’t think Valve will fix this unless they consider it a priority (which I obviously don’t think they do), so it seems they must be told it’s a priority, from every possible source.

If you’re a publisher fending off review scammers, a third-party store losing thousands on credit card fraud, a developer losing sales to worse-than-piracy, tell Valve. Let them know this is a serious problem and that we know they can solve it. And no one else can solve it.

If you’re Valve…make that API! You had one that worked, make a new system that’s better! Protect your users and your developers!


Author: SirTapTap

Gaming guide writer, content creator, streamer, UX designer, web developer, and a bunch of other stuff.

2 thoughts on “Steam Had The Tool to Fight G2A Scammers—And They Threw It Away”

  1. Great article.
    I will comment a couple of things though.

    – If I recall correctly, OAuth was used by IndieGala too.

    – About Third Party Stores and Bundle sites: As these sites allow customers to gift any key they buy, in addition to using OAuth as a one-click Steam key redemption process, they must provide a solution for gifting. They cannot force buyers to redeem every key they purchase. That’s the main issue I can see there.

    – I think OAuth was a really good solution to prevent reselling keys. I too would like to know the reasons why Valve killed OAuth.
    Nvidia for example still uses OAuth for GPU promos. An example of it: http://www.geforce.com/games-applications/pc-games/batman-arkham-knight/bundle/code-instructions
