by stcredzero 3733 days ago
If you suspect an order is fraud, don't go out and say to the criminal "hey, I declined your super suspicious order!". Instead, play dead. Pretend they got you. Tell them "thank you for your order", behaving exactly the same way as if it really was a successful order.

The name of the game is to make things cost more for your enemies than they cost for you. Removing instant feedback is key. Instant feedback is great. Delayed feedback is costly.

This is in large part why most DRM and anti-cheat failures happened. Companies and developers need to think about the economics of what's going on. It's not the side with the trickiest mechanism that wins. It's the team with economics on their side.

(Amateurs: tactics, pros: logistics)

7 comments

Blue Byte did something along the lines of your suggestion with the copyright protection of Settlers III. When the game detected that the DRM was broken, iron smelters would only produce pigs instead of iron.

https://en.wikipedia.org/wiki/The_Settlers_III

reminds me of "Game Dev Tycoon", where if it detected it was cracked, the player had a hard time progressing because their virtual company kept getting ripped off by crackers.

http://gameological.com/2013/05/inventory-9-games-with-creat... (it is the first one)

More specifically, the player's simulated video game company goes bankrupt, "due to piracy", according to the game.

More details & discussion from Game Dev Tycoon's developer blog: http://www.greenheartgames.com/2013/04/29/what-happens-when-...

For a much older example, Sim City gave continual disasters after about 10 minutes if the version was detected as pirated. This was 1990 or so.

Not bad, but even that reads like a bit of an FU from the devs. ("Pig Iron?") The best thing to do is to make it definitely seem like it was a bug introduced by the crack. (Maybe James Bond villains giving their secret projects suggestive code names and telling their entire plan isn't unrealistic?)

It's important not to disguise any anti-piracy measures as bugs, because pirates (or even reviewers playing pirated copies) will loudly proclaim that the game is buggy, and discourage legitimate buyers. This may have contributed to the closing of at least one development studio (Iron Lore, developer of Titan Quest)[1].

[1] http://www.quartertothree.com/game-talk/showthread.php?42663...

This must be specific to the games, because they do tend to be buggy on their own.

With non-gaming software the situation is completely different. When a cracked version craps out the prevailing sentiment is always that it was a bad crack. Always.

> It's important not to disguise any anti-piracy measures as bugs, because pirates (or even reviewers playing pirated copies) will loudly proclaim that the game is buggy, and discourage legitimate buyers.

I'm wondering why there isn't a service that lets you search for people encountering your crack-penalty. A really sneaky company would disguise itself as a hacker group, then offer a copy of the game that doesn't have that "bug." (But has another one.)

Well, if you want to convert a pirate user into a sale, you need to convince them that the bug isn't present in the retail copy.

So you're balancing making it hard for crackers to detect, and easy enough for players to encounter that shift behavior.

So have a web search that finds people talking about the fake bug, then take appropriate action.

Bohemia Interactive have their games "degrade" if they detect they are pirated. Weapons become increasingly inaccurate and your character turns into a bird.

https://en.wikipedia.org/wiki/FADE

This also applies to customer service. Nice customers get fast response times. Toxic entitled customers (especially of the free plan) wait 2-3+ days before getting a response.

I'm not disagreeing with your point, but I love it when I get great customer support as a free/low value customer, and it definitely increases my chances of conversion.

Maybe OP was referring to free customers that are rude and impose big costs on you (way above the average support ticket).

But agreed, if I get bad support as a free customer, how can I know that the support will get any better if I start paying (except for services that sell support). When I get an instant response to a question from a friendly support, I would say that I'm far more likely to upgrade to their paid server.

The point is that toxic customers tend to sap your bandwidth. If you impose a time cost on them it throttles their ability to do so.

One way or another the problem works itself out, which lets you focus on the paying (i.e. actual customers).

Yeah I was just talking to an employee of a CC fraud prevention company and that was my thought: they proudly talk about how they can identify fraud and refuse the transaction, when my question was, why not just look like you're approving the order and then follow it right to the fraudster?

Better to reliably catch the humans behind this and impose stringent legal penalties than allow them to keep guessing without a cost for being wrong.

This may work nicely for a subscription business where you have 2 weeks to identify problematic orders. But what about everyone else? Should we silently fail on orders where a customer accidentally mistyped their CC#? Imagine all the extra work involved when you could have had them fix it on the spot.

You can report "failed checksum" or "not a valid account" to people, although you should rate limit - the problem is data that is valid but stolen.

Mistyped card numbers can be identified client-side (CC numbers have a checksum digit). If the number is valid, but the transaction is declined, then fail silently (and possibly send a failure email after manual review of the transaction).

It could also be declined because of mistyped expiry date or address or name. Or simply declined because the customer is over their credit limit. In all of these cases, timely feedback is useful for genuine customers.

Which is why it says in the article that these countermeasures almost always come at a cost to customers as well. It is a trade off.

In some instances it is worth it to make the experience marginally worse for customers because the savings by preventing a percentage of fraud are so large.

Nonetheless, this doesn't contradict the "failing silently" for chargebacks. It's not fraud if they enter the data poorly or there's no credit left so the charge is never made.
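As an added example (not code from anyone in this thread), here is how the two rules discussed above fit together: a Luhn checksum failure is a typo and gets immediate feedback, while a well-formed number that the fraud screen flags gets a response identical to a real success and is parked for manual review. The `Gateway` class, the `fraud_score` input (assumed to come from an upstream scoring step) and the 0.9 threshold are assumptions; the card numbers in `demo()` are constructed test values, not real cards.

```python
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """True if the digit string (spaces allowed) passes the Luhn checksum."""
    compact = number.replace(" ", "")
    if not compact.isdigit() or len(compact) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(compact)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _success(order_id: str) -> dict:
    # One builder for every "success" so a parked order is indistinguishable.
    return {"status": "ok", "order_id": order_id,
            "message": "Thank you for your order"}


@dataclass
class Gateway:
    """Hypothetical checkout backend (assumed name). Analysts see
    review_queue; the submitter only ever sees the returned dict."""
    fraud_threshold: float = 0.9
    review_queue: list = field(default_factory=list)

    def checkout(self, card: str, fraud_score: float, order_id: str) -> dict:
        if not luhn_valid(card):
            # A typo is harmless to reveal: let the customer fix it now.
            return {"status": "error", "reason": "invalid card number"}
        if fraud_score >= self.fraud_threshold:
            # Well-formed but suspicious: "play dead". Park the order for
            # manual review and answer exactly as if it had gone through.
            self.review_queue.append(order_id)
            return _success(order_id)
        # Assumed: in a real system the actual charge would happen here.
        return _success(order_id)


def demo() -> tuple:
    """Constructed sample: the widely published 4111... test number."""
    gw = Gateway()
    return (gw.checkout("4111 1111 1111 1112", 0.0, "o1"),   # typo
            gw.checkout("4111 1111 1111 1111", 0.1, "o2"),   # clean
            gw.checkout("4111 1111 1111 1111", 0.95, "o3"),  # flagged
            gw.review_queue)
```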

> Yeah I was just talking to an employee of a CC fraud prevention company and that was my thought: they proudly talk about how they can identify fraud and refuse the transaction, when my question was, why not just look like you're approving the order and then follow it right to the fraudster?

You can get disposable physical addresses as well.

It is part of why some companies flag a mailing address I use as a fraudulent order. I primarily use it to avoid handing out my RL address on domains that don't allow whois protection.

100% agree. They care about ROI also.

At my last company I built systems specifically designed around wasting the time of people that we "caught". We used to keep a dashboard with the top abusers on a wall in the office once they'd been caught to show how much of their time we were wasting. It was therapeutic.

Valve will sometimes delay banning CS:GO hackers to confuse them about just what triggered the ban.

What happens if you have a very small false positive rate for fraud, and end up stiffing the customer? You could easily land in deep trouble with consumer protection laws after falsely satisfying their order.

That's why every social network does ghosting to trick spammers and trolls.