My iTunes Account Was Hacked for $375 — By My Own Kids


UPDATED: As this past weekend included the Fourth of July holiday, I expected to see plenty of red, white and blue. Unfortunately, all I experienced was red when, on Saturday, I noticed three unfamiliar iTunes transactions totaling more than $375. Nobody in the house claimed responsibility for such sizable purchases, so I assumed the worst — amid recent web reports of wrong-doing, my iTunes account had been hacked.

I quickly changed my iTunes password, and unlinked my credit card from the account to stave off additional unauthorized purchases. Immediately following that, I opened three inquiries with my credit card company — one for each transaction. As of Tuesday morning, my credit card account has been credited back for all three. By the afternoon, I realized I would have to ask the card company to add those charges back on. It turns out my step-daughter made the transactions, courtesy of three in-app purchases, which touched off fireworks in my house rivaling any you might have seen over the holiday.

Clearly I can’t blame Apple or its iTunes Store for the purchases. And I can’t blame those iOS4 app developers reportedly hacking consumer iTunes accounts either. This financial debacle is the direct result of how I have the household iTunes accounts set up, along with the kids’ understanding of in-app purchases. Not only have I learned some better ways to manage iTunes, but this experience also shed light on what kids actually think about virtual goods and currency.

The free game that generated the costly transactions looks fun and harmless. It’s an aquarium on your iPhone that requires you to take care of your fish. You feed them, clean the tank and so forth. But you only get a few fish to start. If you want more or need additional items for your tank, you purchase them by spending real money to buy virtual pearls — or with gold coins accumulated through gameplay. And here’s where my step-daughter stumbled: She figured it was a free app and that both the virtual pearls and gold coins were freely available. So $375 later, I’m now the proud owner of a few thousand virtual pearls.

I’ll admit it can be confusing to have both free coins and paid pearls in a single app for purchases, and we’ve now discussed, as a family, the difference between virtual and real goods with the kids, so this sort of situation doesn’t happen again. Perhaps the most interesting development in all of this was my actual word-for-word reading of the Apple iTunes store terms of service. For privacy reasons, I’m not divulging my step-daughter’s name or age, but an iTunes account requires you to be 13 years old. Yet some of the games that support in-app purchases are rated for ages four and up. Again, I can’t blame anyone but my step-daughter on the $375 charge, but Apple’s age rating seems a bit inconsistent, no?

Preventing a similar situation may be common sense, but let me leave you with a few of my, ahem, pearls of wisdom gleaned from this experience:

  • Don’t link a bank account, PayPal account or credit card to an iTunes account your kids have access to.
  • Consider using the iTunes Allowance system that places $10 to $50 in an iTunes account on a monthly recurring basis.
  • Give your kids iTunes Gift Cards to spend on apps, music or add-ons for their games.
  • Explain the difference between virtual goods and real currency.
  • Update: Set restrictions using the iOS4 parental controls found under Settings, General — you can limit actions such as in-app purchases or buying content over a certain age rating. Thanks to Lava for pointing this out.


30 Comments

christine

This article has relieved me slightly. As of recent my 7 yr. old son has been purchasing .99 apps. and he will ask me to put in my password, of course myself verifying, this one is .99, right? “yes Mom”. Until I noticed the invoice receipts moments later in my email, the 1st one stating $99.99!! I thought certain that was an error and should have been .99. To my surprise there were 3 invoices totalling over $300 for trunks of coins for this zoo application. I am truly disturbed by all of this and am now awaiting a response back. I certainly hope this gets credited back to my account so I can pay my rent! Be very leery of this and learn from others’ mistakes. I had no idea a children’s app has the ability of purchasing $100’s of dollars worth of coins!

Cyndy Aleo

Late to the party, as I only saw the post today. Gah on the $375, but it could be any parent, at any time, no matter how careful you are.

My ex and I were all set to upgrade our iPhones, pull the cards, and hand them over to the kids as elaborate iPod touches. That is, until the oldest, who is probably the most supervised child on the Internet ever, managed to get herself a Facebook account and a faked Gmail account. Whether it happened at a friend’s or somewhere else when one of us was still asleep is anyone’s guess (our laptops are both password-protected, but kids have an ancient one at his house that isn’t, as do grandparents), but it did. Needless to say, we learned the lesson that she’s not ready to have an Internet-enabled device yet, and she won’t be getting anything she can hold in her hand as a result. But you were right; even the kids who are always supervised and have had everything explained to them are still going to test limits.

Sam

I know I’m late to the conversation, but needed to add my experience. I am an iPhone developer with 2 apps in the store, so I’m no beginner, yet my daughter just spent $200 on in-app virtual goods.

The comments before mine are absolutely wrong. Apple has a real flaw in their system, and the current implementation of parental controls does not fix it.

When you disable purchases in parental controls, it does NOT force a password when purchases are attempted. It simply deletes them from access altogether. My daughter uses MY phone, which means if I want to restrict use, I’m restricting my own use.

To make things worse, Apple only forces you to enter your password once, then allows several transactions in a row after it’s been entered. My daughter doesn’t have my password. If she wants an app, she asks me, and if I approve it, I enter my password, install the app, and hand the phone back to her to play.

Now comes the bad part. My password has just been entered, so she can purchase things within that app for a window of time without having to re-enter it.

PS- call me a bad parent to my face, in real life…

Cheryl Hanna

Yeah, I have a little problem with the repeated, careful identification of the child in question as a “step-daughter.”

Apple is 50% at fault for allowing this. Also 50% you for not having things locked up tighter. Kid is the last to blame–and there seems to be no percentage left to assign to her.

Goobi

You can blame the application for its deceptive nature.
To a lesser extent you can blame Apple for approving this. Remember, for every in-app purchase, it throws up an iOS notification with the exact amount, and requires a password. It couldn’t get clearer than that.
You can mostly blame yourself, for not being careful with your virtual money.

But you cannot blame your daughter — yes, I said daughter, not ‘step-daughter’, is that so bad a thing? — for this error.

I do appreciate you writing about this though, so others can be a bit more careful with their kids.

Tim Bursch

Same thing happened to me recently and I blogged about it. I can’t blame Apple or the developer, but some games have a very vague user experience for making real (vs. virtual) purchases.

Fortunately Apple refunded me.

Awesome Annie

In my opinion this app is intentionally deceiving, it’s a game aimed at kids and they don’t know the difference. Just recently Paul Thurrott (of Windows Weekly podcast) shared a story of his kids doing the exact same thing.

Jotex

“Again, I can’t blame anyone but my step-daughter on the $375 charge…”

“Again, I can’t blame anyone but /myself/ on the $375 charge…”

There. Fixed. You even admitted she didn’t know the difference.

George

We have to take care of our account user names & passwords.
So take care of your account from every one..those games are really nice..but
Chris says is a real scenario.
“I can’t blame anyone but my step-daughter on the $375 charge”) sounds like the real problem here. If you leave a juicy steak unattended where your dog can reach it, and the dog eats it, can you really blame the dog?

Eric

Step 1: Teach your children & yourself to pirate music & games.

Step 2: Stop linking your banking / paypal info with iTunes, which in lieu of recent events has become a gigantic security risk.

Step 3: Stop supporting DRM music that bankrupts, fines & incarcerates innocent people.

cak

Surely she has to enter in the itunes password to complete these transactions? Why do you give the kids the itunes password for purchasing, unless you want them to buy stuff from the itunes account?

chris

Passing off the blame to your kids (“I can’t blame anyone but my step-daughter on the $375 charge”) sounds like the real problem here. If you leave a juicy steak unattended where your dog can reach it, and the dog eats it, can you really blame the dog? Many people would, because they don’t want to take responsibility for the obvious and practically inevitable repercussions of their own choices, but that’s not a rational reaction. Things behave according to their nature, and you can’t “blame” them for acting accordingly. You gave your kids a device that was linked to your credit card, on a system where you know that such purchases are possible (and if you didn’t then you shouldn’t be writing this column) — so who is to blame? This is like parents blaming Hollywood for showing their kids too much violence in the rated “R” movie that they allowed them to watch. Your recommendation not to provide them with access to an account that is able to make purchases is sound, but without taking responsibility for essentially creating this problem then you are really only being self-serving by preventing future expenses for yourself. This article should be about how the Internet has become simply the latest way that parents get technology to engage their kids for them (largely replacing TV), and how one father has learned the lesson that parents need to use this technology responsibly.

Lava

Again, all this could have been avoided if Kevin had disabled “In-app purchases” using the built-in Parental Controls. The next time his daughter tries to buy something in an app, the device will simply prompt for a password set at the time Parental Control is enabled.

Although Kevin is to be commended for calling his credit card companies and reauthorizing the charges. Not everyone would have been so honest, I imagine, nor own up to the responsibility.

chris

Point missed. Sure, parental controls are a great way for parents to limit their financial exposure, and make it easier to hand your kids an iGadget and say “see you later”, but that doesn’t mean that the problem’s solved. The fact that he is apparently keeping a sharper eye on his credit card statement than on what his daughter is doing on the Internet is the issue here. Kevin’s probably not a bad guy (or a bad father), and this isn’t really directed at him — this is a sort of neo-Luddite reaction to the whole effect of technology on our society. Without increasing levels of care being applied by parents to match the power of what we’re putting into our kids’ hands, we’re in trouble.

Kevin C. Tofel

Chris, I totally understand your point and agree. However, we also had a conversation with the kids about the iTunes store prior. The agreement was no purchases without asking a parent first — the rule applied to free apps as well. So in that regard, we set the ground rules (which worked for a while). Of course, any kid will test the rules — I know I did when I was younger! — and that’s what happened here. Again, point taken on the bigger picture…

Lava

You should consider enabling Parental Control – a feature of every iOS device.

One of the controls is allowing In-app purchases or not. Problem solved.

Kevin C. Tofel

Lava, thanks a ton for pointing out the Restrictions settings. I totally overlooked them, mainly because I had no need for them when I used an iPhone. But now that my kids are using iOS4 devices, I have a definite need – just wish it hadn’t cost me $375 to figure that out! ;)

Vaibhav

Hey Kevin, Paul Thurrott also had the same problem. He called Apple and had the transactions reversed. He mentioned all this in a recent Windows Weekly podcast: http://twit.tv/ww162

HTH,
Vaibhav

Lava

It’s funny how there is all this gnashing of teeth and a “blame Apple” mentality when Apple has already created a solution for this. It’s called Parental Controls. It’s been there since iOS 3 (maybe even longer).

http://www.apple.com/findouthow/mac/#parentalcontrols

Go to Settings -> General -> Restrictions

You can not only enable/disable things like Safari and YouTube, but restrict Apps to those rated 4+, 9+, 12+ or 17+, turn In-App Purchases on/off, turn FaceTime on/off as well as a dozen other settings.

Apple already solved this problem a long time ago.

Lava

Oops, sorry, the link above was for Parental Controls on the Mac.

iPhone owners can look up how Parental Controls work by going to help.apple.com/iphone.

Matt

Check out the Windows Weekly podcast from a couple weeks ago where Paul Thurrott talks about the same thing happening to him. He was able to get the charges reversed through iTunes support.

sfitts

Kevin, I feel your pain. This approach of “free” micro-transaction based games is all the rage and it does generate confusion for kids. Couple that with the ease of “1 click” ordering and I can see how it would be easy to rack up quite the bill.

We were fortunate enough to arrive at a similar set of household rules for somewhat less than $375. Definitely good advice.

hokya

yeah, we should be aware of those Game as Apps on Websites

fun can be a blend of the harm
just like ads and content

funnier the game, harmer it is :)
