PSA: The New Backend for the GW Store Kinda Sucks

Posted: 26 Jan 2022 07:16 AM PST

As I mentioned elsewhere, my latest experience with the GW store really sucked, and I resolved to write up a PSA to help others avoid the same hassle once I'd learned all I could learn about the situation. So, without further ado:

- A-Net's new payment processor is "Braintree, a division of PayPal." (reference) Thanks to bsoltan for the link.
  - Aside: You might think that A-Net, as a matter of principle, wouldn't do business with a company that made it big by enabling the birth of the RMT industry. But apparently that isn't so.
- Braintree employs some overzealous fraud-prevention measures. I'll talk about one in particular in a minute.
- As per my conversation with A-Net support, A-Net has no control whatsoever over which fraud-prevention measures Braintree uses (or doesn't use) for A-Net's transactions.
- As per my conversation with A-Net support, A-Net does not even know what fraud-prevention measures Braintree uses (or does not use) for A-Net's transactions. (Though, apparently they do get a vague description attached to particular transactions.)
- If Braintree's overzealous fraud-prevention measures flag your transaction, instead of getting an e-mail with codes, you will get an e-mail saying "Thank you for submitting your purchase! We are currently reviewing this purchase attempt XXXX and will send a follow-up email as soon as the transaction is processed." Elsewhere, A-Net's website says that "you may experience a delay of up to 12 hours (although it should be much quicker)." This is not true. A-Net never attempted to contact me about my transaction, and some automated system voided it after a while -- and they didn't notify me about that either. If you receive this e-mail, my advice is to immediately contact support and ask them to push the transaction through. Don't wait for the promised follow-up e-mail, because it's not coming.
  - A-Net support ignored several very pointed requests for an explanation of why they didn't contact me to resolve the problem, and why their automated e-mail expressly promises follow-up contact via e-mail, and then they don't do that. So I can't say whether A-Net or Braintree is to blame for this.
  - I don't know how long the timeout is before your order is automatically voided. I contacted A-Net after not hearing from them for 4 days, and that was too late.
- I did learn a bit about the misguided fraud-prevention measure that borked my order. Braintree runs your IP address through a geolocation database and blocks your order if the geolocation result doesn't match the billing address on your credit card. This leads to a lot of false positives for a couple of reasons:
  - The assumption that customers will always place orders from their credit card billing address is not warranted because...
    - Some people use a mailing address for their credit card billing address.
    - Some people spend long spans away from their residence for work, school, or family reasons. (Consider truck drivers, oil field workers, or college students.)
    - Some people place orders when they're at work, at school, on vacation, visiting friends/family, or so forth.
    - etc.
  - IP geolocation is an inaccurate dumpster fire and only getting worse. It's not uncommon for geolocation databases to return the wrong state, or even the wrong country, for a given IP. Keeping up with every time an IP block changes ownership has always been a fool's errand, but it's even harder now that the world is basically out of IPv4 addresses so blocks must be bought from someone else rather than allocated by a RIR.
  - [Edit: As per Asterdel, Braintree checks the local time reported by your browser (probably via the JavaScript Date API) against the time zone obtained by geolocating your IP address, and blocks the transaction if they don't match. Two problems here:
    - Some people spoof their browser's identifying information for privacy reasons.
    - IP geolocation is, as I said above, an inaccurate dumpster fire.]
- GW does not need this sort of aggressive, false-positive-prone fraud-prevention measure. In fact, it likely needs no fraud-prevention measures at all. A rational way to approach credit card fraud prevention is to weigh the sum cost of lost sales from legitimate customers frustrated and discouraged by false positives against the sum of the chargeback fees the fraud-prevention measure prevents. (Vendors of physical goods also have to consider the cost of replacing inventory lost to fraud; but A-Net can simply conjure more inventory from thin air. They can also disable fraudulently purchased keys.) How much fraud is being prevented depends upon how much fraud is being attempted. In GW's case there's reason to believe it's near zero.
  - Generally, credit card fraud only happens with goods that the thief can readily resell for cold, hard cash. That's why there's so much fraud relating to gift cards, for instance. But there is, so far as I know, no secondary market whatsoever for the keys sold by the GW1 store. At this point, demand is very low because the GW community is relatively small, and nobody trusts that secondhand keys aren't already used. One simply couldn't launder very much money this way.
  - I suppose it's possible that some RMT scum might be scummy enough to use stolen credit cards to buy accounts for their bots. However, they would only buy certain types of codes -- NF campaign codes for spambots and campaigns, skill unlock packs, and material storage for farmbots. Other types of codes would still not need fraud-prevention. Also, from the standpoint of fighting RMT, A-Net would be better served to allow the bot to go into service, then disable the account when it receives a chargeback. This would deprive the RMT scum of whatever effort and resources they had sunk into the bot account, plus give A-Net useful intelligence on the RMT operation (e.g., what IP the bot connected from, which other accounts it interacted with while being set up, etc.).
- Braintree permanently stores the credit card information you supply. They do this without advance notice, without an opportunity to opt out, and without an opportunity to later delete the information.
  - This poses a huge risk of credit card fraud for A-Net's customers. The number one source of stolen credit card data, by far, is data breaches of merchants and payment processors. That risk is amplified when they keep credit card data longer than strictly necessary. You should never permit an online merchant to retain your credit card information permanently.
  - You can get your credit card information deleted by contacting A-Net's support. But it's a hassle and you have to do it again every time you place a new order. Nevertheless, I recommend you do it anyway.
  - I'm not an expert on the subject, but I strongly suspect this is a GDPR violation if they're doing it to A-Net's customers in the EU. Can any EU residents chime in about whether you're getting notice, opportunity to opt out (or rather, I believe GDPR requires opt in), etc.? Also, can anyone with GDPR expertise speak authoritatively on whether this is a violation?
  - Aside: Note the irony that Braintree is willing to engage in all sorts of ridiculous, theatrical, oversensitive fraud-prevention measures when the hypothetical fraud is coming from you (even though the risk is basically nil). But when the hypothetical fraud is directed at you (and the risk is comparatively large), then they're happy to take the riskiest course and foist that risk onto you with no notice or choice.
- The new store backend requires you to be logged in to an "ArenaNet Account" to complete a purchase. Even if things worked correctly, this requirement would be annoying and totally unnecessary. There's no doubt that A-Net is losing sales because people are discouraged by the hassle of creating an unnecessary account. Then, of course, things do not work correctly:
  - I tried to create an ArenaNet Account a couple dozen times, and it just kept silently failing with no error message (just a lonely red triangle with an ! in it), until it finally worked.
  - After further experimentation, I discovered a couple of things that are guaranteed to make it not work, but solving these issues is not enough to always make it work.
    - If you don't check the poorly worded checkbox about your age/mother's permission, you will get the lonely red triangle.
    - It appears A-Net is blocking some IP ranges. If your IP is in one of those ranges, you will get the lonely red triangle. (The endpoint of a VPN I use is in a blocked range.)
  - Once I finally was able to create an ArenaNet Account, it again took me a dozen tries to actually log in to the account. This time there's an error message, but it's vague and useless.
    - On one try, I got a "fetch the 2FA code from your e-mail" prompt after submitting the username & password, and so I input the 2FA code, and then it redirected me right back to the blank log-in page. WTF A-Net?! That's not how 2FA is supposed to work.
    - After experimentation, it appears that A-Net is also blocking some IP ranges from logging in. If your IP is in one of those ranges, you get the vague error message. Again, using a different IP is necessary, but may not be enough to allow you to log in.
- Finally, a small annoyance: It's not possible to add multiples of the same item to your cart. Want two storage panes? Then you must do two separate orders. (I don't recall whether this problem existed before the new store backend. Does anyone know? [Edit: As per bsoltan, this problem has existed since at least 2019.])

So, to recap for the TL;DR crowd:

- The new store backend sucks, Braintree sucks, and A-Net really should be doing better.
- If you get an e-mail that says "Thank you for submitting your purchase! We are currently reviewing this purchase attempt XXXX and will send a follow-up email as soon as the transaction is processed," you should contact support right away. That follow-up e-mail isn't really coming, and your order will be automatically voided pretty soon.
- Contact support after each purchase to ask that your credit card information -- which Braintree permanently stored without notice or consent -- be deleted.
- Some IP addresses are blocked from creating or logging in to an ArenaNet Account (which is now necessary to buy anything in the store), but you won't get any useful error message when this happens.
- You cannot create an ArenaNet Account without checking the box about age/parental consent, but you won't get an error message if you don't.
- It may take dozens of tries to successfully create or log in to an ArenaNet Account.
submitted by /u/ChthonVII
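The post describes two single-signal checks (IP geolocation vs. billing address, and browser-reported local time vs. the time zone of the geolocated IP) and the false positives they produce. The following is an added illustration, not code from the post, from ArenaNet, or from Braintree: it shows what the browser's Date API actually exposes, applies a hard-block rule of the kind described, and contrasts it with a weighted-score approach in which a time-zone mismatch is only one signal among several. The geolocation table, the weights, and the thresholds are all constructed for the example; real processors' rules are not public.

```javascript
// Added illustration (hypothetical; not ArenaNet's or Braintree's logic).

// Constructed geolocation table: /24 prefix -> region, IANA zone and UTC
// offset in minutes. Offsets are January (no DST) values. Entries invented.
const GEO_DB = {
  "203.0.113": { region: "US-NY", tz: "America/New_York", offsetMin: -300 },
  "198.51.100": { region: "US-CO", tz: "America/Denver", offsetMin: -420 },
  "192.0.2": { region: "DE", tz: "Europe/Berlin", offsetMin: 60 },
};

function geolocate(ip) {
  const prefix = ip.split(".").slice(0, 3).join(".");
  return GEO_DB[prefix] || null;
}

// What a checkout page can read from the browser. getTimezoneOffset()
// returns minutes *behind* UTC, so the sign is flipped to the usual
// "+01:00 means +60" convention. Both values are trivially spoofable and
// legitimately differ from the IP's zone for travellers.
function collectBrowserSignals() {
  return {
    offsetMin: -new Date().getTimezoneOffset(),
    tz: Intl.DateTimeFormat().resolvedOptions().timeZone,
  };
}

// Single-signal rule of the kind the post describes: the browser's UTC
// offset must equal the geolocated IP's offset or the order is blocked.
function hardBlockRule(browser, ip) {
  const geo = geolocate(ip);
  if (!geo) return { decision: "review", reason: "ip not in geo db" };
  if (geo.offsetMin !== browser.offsetMin) {
    return { decision: "block", reason: `browser ${browser.offsetMin} vs ip ${geo.offsetMin}` };
  }
  return { decision: "allow", reason: "offsets match" };
}

// Weighted-score alternative: the mismatch adds to a total that is only
// decisive together with stronger signals such as an address (AVS) mismatch.
// Weights and thresholds are illustrative.
function scoreRule(browser, ip, order) {
  const geo = geolocate(ip);
  let score = 0;
  const reasons = [];
  if (!geo) { score += 1; reasons.push("unknown ip"); }
  else if (geo.offsetMin !== browser.offsetMin) { score += 2; reasons.push("tz mismatch"); }
  if (!order.avsMatch) { score += 3; reasons.push("billing address mismatch"); }
  if (order.accountAgeDays < 1) { score += 1; reasons.push("new account"); }
  if (order.amountUsd > 200) { score += 2; reasons.push("high amount"); }
  const decision = score >= 5 ? "block" : score >= 3 ? "review" : "allow";
  return { decision, score, reasons };
}

// Constructed scenarios from the post: a customer buying from a different
// state than their billing address, and an IP whose geolocation is stale.
const TRAVELLER = { browser: { offsetMin: -420, tz: "America/Denver" }, ip: "203.0.113.5",
  order: { avsMatch: true, accountAgeDays: 400, amountUsd: 30 } };
const STALE_GEO = { browser: { offsetMin: -300, tz: "America/New_York" }, ip: "192.0.2.9",
  order: { avsMatch: true, accountAgeDays: 400, amountUsd: 30 } };
```

Run against the traveller scenario, `hardBlockRule` blocks while `scoreRule` allows (score 2, only the time-zone mismatch); the stale-geolocation case behaves the same way. Only when the mismatch is joined by a stronger signal, such as a failed billing-address check, does the score reach the block threshold.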