In April 2019, Epic Games announced a raft of new account security features that were planned to roll out later in the year, including email verification of new accounts and two-factor authentication. At the time, it seemed like a natural (if overdue) evolution of the Epic Games Store, but emails presented today as part of the Epic v. Apple lawsuit reveal that Epic's barebones account system was causing more headaches than we realized.
The email chain indicates that Epic's trouble was twofold: Fake accounts were easy to make, and it couldn't deactivate games on other storefronts—the so-called "clawback" option—which meant that games remained playable through Uplay even when the associated Epic account was deactivated.
"We believe fraud to be due to account re-selling being viable," Epic COO Daniel Vogel wrote at the time. "Fraudster creates Uplay account, uses stolen CC to purchase The Division, and then sells the account. While Epic account gets disabled by chargeback, without clawback with Ubisoft the game is still available on Uplay and sold account works."
He reiterated the point later in the thread in response to a remark from Chris Dyl, Epic's general manager of online services, who noted that concerns about account security come up "when a bad actor attempts to take over another user's account to pay for games with a credit card on file."
"That is not really account security and email verification isn't a bottleneck for that approach right?" Vogel said in reply. "The issue is stolen credit cards working as we don't claw back. That sounds like the core of the issue."
When asked how account security ties into the issue, Dyl explained that it's "super easy to create an Epic account to load it up on everything from free games to fraudulent payment methods for paid games and then sell it. The lack of clawback of the actual game during a chargeback makes it even worse."
Epic's Scott Adams was blunter in his criticism of the store. "Doesn't help that we don't currently verify email address or have good account security," he wrote.
The rate of fraudulent purchases reached a point where, in May 2019, Epic was forced to disable purchases of The Division 2 and Anno 1800, and eventually all Ubisoft games.
We are still working through our UPlay integration issue and will be temporarily disabling new purchases for all Ubisoft titles. We apologize for the inconvenience and will provide an update as we have more information. (May 11, 2019)
At the time, it sounded like a relatively routine technical problem—Epic said it was "experiencing issues with our UPlay integration"—but another email surfaced in the Apple trial reveals that it was driven by "extraordinary" rates of fraudulent purchases of The Division 2 on the Epic Store. The problem was bad enough that Epic CEO Tim Sweeney emailed a personal apology to Ubisoft CEO Yves Guillemot.
"In the past 48 hours, the rate of fraudulent transactions on Division 2 surpassed 70%, and was approaching 90%," Sweeney wrote on May 11, 2019, the same day Epic halted purchases on Ubisoft games. "Sophisticated hackers were creating Epic accounts, buying Ubisoft games with stolen credit cards, and then selling the linked Uplay accounts faster than we were disabling linked Uplay purchases for fraud.
"Fraud rates for other Epic Games store titles are under 2% and Fortnite is under 1%. So 70% fraud was an extraordinary situation."
Sweeney said Epic would restore Ubisoft game purchases as soon as possible, but warned that it would likely take at least two weeks to implement the systems required to make that possible. As Epic did in the tweet, he also took full responsibility for the problem, and promised that "all of the minimum revenue guarantees remain in place to ensure our performance," effectively guaranteeing that Ubisoft wouldn't take a loss because of the problem.
The legal slapfight between Apple and Epic is a big one, with potentially major consequences for the way programs are bought and sold online. But it's also revealed some entirely unrelated but still very interesting facts, including that Walmart was (and maybe still is) working on its own cloud gaming service, that Epic spent more than $11 million over nine months on free games, and that in the grand scheme of things that amount was chump change because Fortnite, all by itself, earned more than $9 billion over 2018-19.