After finding more than $375 of iTunes transactions on my credit card this weekend, I thought I was hacked. It turns out the “hacker” was my step-daughter who was understandably confused between virtual goods and real currency for in-app purchases inside a free iPhone application.

UPDATED: As this past weekend included the Fourth of July holiday, I expected to see plenty of red, white and blue. Unfortunately, all I experienced was red when, on Saturday, I noticed three unfamiliar iTunes transactions totaling more than $375. Nobody in the house claimed responsibility for such sizable purchases, so I assumed the worst — amid recent web reports of wrong-doing, my iTunes account had been hacked.

I quickly changed my iTunes password, and unlinked my credit card from the account to stave off additional unauthorized purchases. Immediately following that, I opened three inquiries with my credit card company — one for each transaction. As of Tuesday morning, my credit card account has been credited back for all three. By the afternoon, I realized I would have to ask the card company to add those charges back on. It turns out my step-daughter made the transactions, courtesy of three in-app purchases, which touched off fireworks in my house rivaling any you might have seen over the holiday.

Clearly I can’t blame Apple or its iTunes Store for the purchases. And I can’t blame those iOS4 app developers reportedly hacking consumer iTunes accounts either. This financial debacle is the direct result of how I have the household iTunes accounts set up, along with the kids’ understanding of in-app purchases. Not only have I learned some better ways to manage iTunes, but this experience also shed light on what kids actually think about virtual goods and currency.

The free game that generated the costly transactions looks fun and harmless. It’s an aquarium on your iPhone that requires you to take care of your fish. You feed them, clean the tank and so forth. But you only get a few fish to start. If you want more or need additional items for your tank, you purchase them by spending real money to buy virtual pearls — or with gold coins accumulated through gameplay. And here’s where my step-daughter stumbled: She figured it was a free app and that both the virtual pearls and gold coins were freely available. So $375 later, I’m now the proud owner of a few thousand virtual pearls.

I’ll admit it can be confusing to have both free coins and paid pearls in a single app for purchases, and we’ve now discussed, as a family, the difference between virtual and real goods with the kids, so this sort of situation doesn’t happen again. Perhaps the most interesting development in all of this was my actual word-for-word reading of the Apple iTunes store terms of service. For privacy reasons, I’m not divulging my step-daughter’s name or age, but an iTunes account requires you to be 13 years old. Yet some of the games that support in-app purchases are rated for ages four and up. Again, I can’t blame anyone but my step-daughter on the $375 charge, but Apple’s age rating seems a bit inconsistent, no?

Preventing a similar situation may be common sense, but let me leave you with a few of my, ahem, pearls of wisdom gleaned from this experience:

  • Don’t link a bank account, PayPal account or credit card to an iTunes account your kids have access to.
  • Consider using the iTunes Allowance system that places $10 to $50 in an iTunes account on a monthly recurring basis.
  • Give your kids iTunes Gift Cards to spend on apps, music or add-ons for their games.
  • Explain the difference between virtual goods and real currency.
  • Update: Set restrictions using the iOS4 parental controls found under Settings, General — you can limit actions such as in-app purchases or buying content over a certain age rating. Thanks to Lava for pointing this out.

Related content from GigaOM Pro (sub req’d):

A Mobile Payments Glossary

  1. yeah, we should be aware of those Game as Apps on Websites

    fun can be a blend of the harm
    just like ads and content

    funnier the game, harmer it is :)

  2. Kevin, I feel your pain. This approach of “free” micro-transaction based games is all the rage and it does generate confusion for kids. Couple that with the ease of “1 click” ordering and I can see how it would be easy to rack up quite the bill.

    We were fortunate enough to arrive at the a similar set of household rules for somewhat less than $375. Definitely good advice.

  3. Check out the Windows Weekly podcast from a couple weeks ago where Paul Thurrot talks about the same thing happening to him. He was able to get the charges reversed through iTunes support.

  4. Hey Kevin, Paul Thurrott also had the same problem. He called apple and had the transactions reversed. He mentioned all this in a recent Windows Weekly podcast http://twit.tv/ww162


    1. It’s funny how there is all this gnashing of teeth and a “blame Apple” mentality when Apple has already created a solution for this. It’s called Parental Controls. It’s been there since iOS 3 (maybe even longer).


      Go to Setting -> General -> Restrictions

      You can not only enable/disable things like Safari and YouTube, but restrict Apps to those rated 4+, 9+, 12+ or 17+, turn In-App Purchases on/off, turn FaceTime on/off as well as a dozen other settings.

      Apple already solved this problem a long time ago.

      1. Oops, sorry, the link above was for Parental Controls on the Mac.

        iPhone owners can look up how Parental Control work by going to help.apple.com/iphone.

  5. You should consider enabling Parental Control – a feature of every iOS device.

    One of the controls is allowing In-app purchases or not. Problem solved.

    1. Lava, thanks a ton for pointing out the Restrictions settings. I totally overlooked them, mainly because I had no need for them when I used an iPhone. But now that my kids are using iOS4 devices, I have a definite need – just wish it hadn’t cost me $375 to figure that out! ;)

  6. Passing off the blame to your kids (“I can’t blame anyone but my step-daughter on the $375 charge”) sounds like the real problem here. If you leave a juicy steak unattended where your dog can reach it, and the dog eats it, can you really blame the dog? Many people would, because they don’t want to take responsibility for the obvious and practically inevitable repercussions of their own choices, but that’s not a rational reaction. Things behave according to their nature, and you can’t “blame” them for acting accordingly. You gave your kids a device that was linked to your credit card, on a system where you know that such purchases are possible (and if you didn’t then you shouldn’t be writing this column) — so who is to blame? This is like parents blaming Hollywood for showing their kids too much violence in the rated “R” movie that they allowed them to watch. Your recommendation not to provide them with access to an account that is able to make purchases is sound, but without taking responsibility for essentially creating this problem then you are really only being self-serving by preventing future expenses for yourself. This article should be about how the Internet has become simply the latest way that parents get technology to engage their kids for them (largely replacing TV), and how one father has learned the lesson that parents need to use this technology responsibly.

    1. Again, all this could have been avoided if Kevin had disabled “In-app purchases” using the built-in Parental Controls. The next time his daughter tries to buy something in an app, the device will simply prompt for a password set at the time Parental Control is enabled.

      Although Kevin is to be commended for calling his credit card companies and reauthorizing the charges. Not everyone would have been so honest, I imagine, nor own up to the responsibility.

      1. Point missed. Sure, parental controls are a great way for parents to limit their financial exposure, and makes it easier to hand your kids an iGadget and say “see you later”, but that doesn’t mean that the problem’s solved. The fact that he is apparently keeping a sharper eye on his credit card statement than on what his daughter is doing on the Internet is the issue here. Kevin’s probably not a bad guy (or a bad father), and this isn’t really directed at him — this is a sort of neo-Luddite reaction to the whole affect of technology on our society. Without increasing levels of care being applied by parents to match the power of what we’re putting into our kids’ hands, we’re in trouble.

    2. Chris, I totally understand your point and agree. However, we also had a conversation with the kids about the iTunes store prior. The agreement was no purchases without asking a parent first — the rule applied to free apps as well. So in that regard, we set the ground rules (which worked for a while). Of course, any kid will test the rules — I know I did when I was younger! — and that’s what happened here. Again, point taken on the bigger picture…

  7. Surely she has to enter in the itunes password to complete these transactions? Why do you give the kids the itunes password for purchasing, unless you want them to buy stuff from the itunes account?

  8. Step 1: Teach your children & yourself to pirate music & games.

    Step 2: Stop linking your banking / paypal info with iTunes, which in lieu of recent events has become a gigantic security risk.

    Step 3: Stop supporting DRM music that bankrupts, fines & incarcerates innocent people.

  9. We have to take care of our account user names & passwords.
    So take care of your account from every one..those games are really nice..but
    Chris says is a real scenario.
    “I can’t blame anyone but my step-daughter on the $375 charge”) sounds like the real problem here. If you leave a juicy steak unattended where your dog can reach it, and the dog eats it, can you really blame the dog?

  10. Don’t have children.

    1. Engineers. Give them a software problem and they already want to change the whole platform.


Comments have been disabled for this post