Hacker News new | past | comments | ask | show | jobs | submit login
Facebook Let Kids Rack Up Charges on Parents' Credit Cards (revealnews.org)
422 points by DamnInteresting 3 months ago | hide | past | web | favorite | 172 comments

The issue is Facebook denying refund requests after children were suckered in to make large in-game payments using their parents' stored credit cards.

It's not just that this whole scenario is slimy. It's that Facebook was fully aware of it, had a nice in-house term for it ("friendly fraud"), and not only chose not to approve refunds but also chose not to implement the most basic measures to prevent it.

[edit: as a commenter pointed out, the term “friendly fraud” predated Facebook]

This is symptomatic of a corporate culture that is toxic to to the core.

The money quotes are in the 2 paragraphs below:

"In 2011, Tara Stewart, a risk analyst for Facebook, studied the issue and suggested that the company begin requiring users to enter the first six digits of a credit card used for payments on certain games. Stewart ran a survey of Facebook users and found that many parents were not aware that Facebook stored their payment information after entering it one time. They also found that the kids weren’t aware of what they were doing. “It doesn’t necessarily look like ‘real’ money to a minor,” Stewart wrote.

She ran a test to see if the entering the cards first six-digits would reduce these unwanted charges and the results were encouraging. She also said it would “make sense to start refunding for blatant FF-minor.” The abbreviation “FF” stood for “Friendly Fraud,” the term Facebook used to refer to these fraudulent purchases which were made without malicious intent. Despite this obvious solution, Facebook decided that it would harm revenue and elected to continue fighting refund requests for the foreseeable future, the documents show."

> “It doesn’t necessarily look like ‘real’ money to a minor,”

This is intentional.

In many games, some things cost "gold" earned by playing the game, and others cost "gems" bought with real money. Or maybe "gold" is the one that costs real money. It's designed to be confusing and hide the distinction between in-game points and real money.

At some point the game companies should bear some of the responsibility for deceiving children.

> At some point the game companies should bear some of the responsibility for deceiving children.

I hope a reckoning is coming in this regard. Many games include mechanics that are hard to distinguish from video slot machines and should be regulated the same way gambling is (rated 18+, audited for "fairness").

Unlikely. Society shifted and gambling is stigma free.

My son is old enough that arcades are interesting to him now. I was pretty shocked to see how they have declined into shitty skinner boxes and games of chance to win tickets. That was always a factor, but is much more prominent today.

The casual acceptance of sports betting is another example of that shift. There’s probably some free marketeer who will opine that teaching children about gambling is a good thing!

Well sports betting has been around forever, but dark patterns and intentional deception in mobile games leads to children being manipulated. Not consenting adults, CHILDREN.


Yeah, I wonder where the parents are when kids do this. Kids don't earn their own money. But I guess expecting parents to actually parent is too much nowadays.

> Society shifted

Nah. Some people in it shifted, dragged a whole lot of fools with them, didn't experience a reckoning right away, and now think the air's clear. The main punishment for what they've become is being what they've become, that stigma remains whether they can see it or not. They might find themselves scratching at closed doors for undiseased sources of nourishment at some point.

I wouldn't exactly call it stigma free to let (much less encourage) kids gamble. There's a difference between acceptance, and anything goes.

Well, i went to the local arcade with my 9 year old last weekend. It is fully licensed, has games where you drop a ball (at a cost of about 2 bucks) to win tickets ranging in value from 10 to 500 points and redeem them for prizes like candy and video game themed toys.

I'd say that's stigma-free.

Legislation is stuck at the money-in-money-out mechanic.

That's because gambling, by definition, requires money to change hands.

honestly I think gambling could be a good thing for a child if they use money they've worked hard for themselves. sooner or later they will suffer a bad loss and have no new toys for a while. maybe give them some "margin" too to really get the point home.

Gambling companies aren't stupid. You only ever lose what you stake, and gambling machines aimed at kids always return a small win, but usually smaller than the stake. That difference is what funds the larger wins (and company profit), but it's the small wins that keep kids playing. When a kid gambles away all their money and all the small win returns that's just "bad luck", and next time they might get a big win and walk away.

Letting kids gambling is a parental choice, but if you think it's teaching your kid a valuable lesson you are dead wrong.

I'm not really talking about just letting children open fifty loot boxes back to back. the kid doesn't necessarily understand they are losing in that scenario.

I'm thinking more about games like roulette, poker, dice with chores money. maybe it would need to be in a more controlled environment, like family game night.

not exactly gambling, but I learned a great lesson from my father this way when I was about eleven or twelve. I really wanted some expensive Lego so I begged my dad to lend money to purchase it. at first he wouldn't do it, but eventually he decided it might be a good learning experience for me. I had a blast playing with that set for a month or two, but after a while it was just one more toy that I owned. it took a lot longer than that to pay him back, so I had ample time to reflect on how much it sucked to be in debt. I never asked my dad for another toy loan, and I've basically never considered borrowing money again for anything other than college.

Why do you expect a child to learn a logical lesson that millions of adults don't understand?

Because the adults didn't learn when they were impressionable children?

When I followed the Valve game CS:GO a few years ago, I was pretty disgusted by the gambling done in that game. It made up an insane % of players, many of them children, who would bet weapon skins on third party websites based on ESports games. Valve shut those third party sites down but continued to market different kinds of skins such as gloves, music, etc. I wonder how much money moved to and away minors during that period.

I believe it was Belgium that banned unboxing as a form of gambling, leading to it being disabled across Valve games, afaik.

Candy Crush is litterally a slot machine on smartphone at least thats how I see it.

I've been playing Candy Crush casually for the last 4 years, I'm at a ridiculously high level and have never spent a penny on it.

I don't think calling it a slot machine is fair.

Except it is exactly like a slot machine, well akin to an evolved version actually.

It is designed to be addictive with compulsion loops and reinforcement, exploiting brain mechanisms you are not aware of such as disproportionate feedback coming directly from slot machines. Candy crush is a sort of glorified skinner box.

Same as gambling machines, candy crush makes use of "illusion of control" by congratulating the player for being skilled for things that actually happened by chance (or were made to happen by the game itself).

The comparison does not stop here, similar to gambling machines candy crush makes money not on the vast majority of people but on a limited few that will spend lots of money the "whales". The fun thing with candy crush is that as long as you never pay the game plays fair but once you've become a paying customer the game starts to play tricks on you to nudge you into paying more, it will become harder or impossible to win without the use of bonus you have to pay to get. The game actually adapts to you to maximize profit it can squeeze out of you.

There was a detailed article about all this mechanism a few years back when I did not shaarlize[0] all my interesting findings so I can't link it here, but everything I just written comes from memory of what was described in this article.

[0] : https://shaarli.readthedocs.io/en/master/

>It is designed to be addictive with compulsion loops and reinforcement, exploiting brain mechanisms you are not aware of such as disproportionate feedback coming directly from slot machines. Candy crush is a sort of glorified skinner box.

So, in your opinion what makes something a slot machine is which psychological effects it tries to use?

Do you know where else all of these same psychological effects come up? Human interaction. Candy Crush is basically somebody trying to sweet talk you and wrap you around their finger. Do you consider that to be a slot machine too?

So, in your opinion what makes something a slot machine is which psychological effects it tries to use?

I'm not OP, but to me it's the triggered randomness with occasional wins that makes it a slot machine. The intentional psychological effects and engineering to persist the desire to subject oneself to those effects are how King and Zynga are evil companies and deserve to have their corporate charters dissolved. IMHO.

This whole idea of storing a payment token that a company can charge at will (as opposed to a fixed top-up with cash) and then for me to be unable to deny those charges, I find it all unacceptable and refuse to allow it ever.

After providing such a payment token there should be no proof and dispute involved, just a single click in a web interface "I refuse to pay for that and I revoke the token". The user of the token should make sure I am happy so he can continue to charge the token.

This is in sharp contrast with user initiated payments for a fixed amount, that should be carefully secured, require strong authentication and should almost never be reversible, unless actual fraud can be proven by the payer.

The problem with cards on the internet and their high abuse and chargeback rates, for which we all pay, is that they conflate these fundamentally different use cases into a single set of static numbers.

This is in my opinion the core problem with credit cards: that the information to authorise payment is sent through the vendor, who can store it and reuse it without the customer being aware of it. That's just a broken payment system.

A good payment system should require explicit authorisation through your own bank. That's how for example the Dutch iDeal system works. I never use a credit card for a site that accepts iDeal, and the only reason I have a credit card at all, is that many foreign sites don't specifically cater to Dutch customers, and therefore haven't implemented iDeal. I wish they did, or that there was a similar international payment standard that went through banks rather than merchants.

>A good payment system should require explicit authorisation through your own bank.

This would basically make sure I would almost never spend any money online, because going through a bank authorization is annoying enough that I'd rather just go do something else. Forget microtransactions, I wouldn't even buy most games.

The way the system is implemented in Spain (not all sites use it sadly) is simply like 2FA, when you attempt to make the purchase the bank sends a sms or notification through their app with a code you need to input to confirm the order. Or is 2FA annoying as well for you? I know some people hate it.

I would have no problems with 2FA of the kind you described for banks. But such a system is not available here. You have to basically do a full login authentication here.

I do hate 2FA. I like it, but I hate using it. I've stopped posting on some forums/using services. I didn't actively quit them, but when the service had logged me out and it asked me for the 2FA code, I winced and went to go do something else. Over time this happened enough that at some point I just didn't visit the site anymore.

Really? What makes you so opposed to your bank? If their authorisation system is stupid, you can switch to a better bank.

Personally, I find this system a lot less painful than having to type in my credit card number. And it's a lot safer.

In my country every bank has the exact same authorization methods available.

Single use cards like privacy.com provides might be the solution you’re looking for

With all these good recommendations on this thread, I have decided to create a privacy.com account for my family. I have given privacy.com our address, my cell phone number, my email, and our bank information (they require the actual username and the password). All very vanilla, US, SF Bay Area, never had any problems with any other financial websites.

Not enough! My account activation is incomplete until I link my privacy.com account to my Facebook account!!! I thought this is so funny in the context of this privacy/Facebook spying thread.

Quote from my privacy.com account page: "Sometimes, the information provided at signup isn’t enough to verify someone’s identity, and activate their Privacy account. Connecting your Facebook account is a quick and easy way to provide extra identity verification. Okay"

P.S. I am now feeling uneasy about the whole thing. I have changed my bank login password and I am trying to cancel/delete the privacy.com account -- but there is no such option in the website menus.

Isn't privacy.com US only?

According to their website you need either a US checking account or debit card, so for all intents and purposes, yes.

If you're in (certain parts of) Europe, Revolut will offer you one-time use virtual debit cards if you're on one of their paid plans. However, I have no personal experience with them. Being limited to one transaction each makes them a lot less interesting in my opinion, since I can't set up my subscriptions through different cards.

You can have a virtual CC ( or more but didnt check ) with Revolut that can be one time use or multiple, its all up to you for how long You want to use it.

I recently looked into them. You can have up to 5 on their premium plan. But these are still "normal" debit cards with no limits beyond the funding of your account.

The service that privacy.com offers is different in that it allows you to control very precisely what kind of charges are allowed on any of your virtual cards (and allows you to have more than five). If I used a particular card only for Spotify, I could put a $10/month limit on it, for example. This is more akin to the one-time card offering, but it's not quite the same since it doesn't support recurring payments.

On that note: if anyone is aware of a service like privacy.com available to users in mainland Europe, I'd be very interested to hear about it.

AMEX is what provides that solution, and fine the merchant as a bonus. It's called disputing a charge. Other cards have the option too, but AMEX will fight for you the most. I've literally had merchants issue a partial refund, disputed the original charge, and ended up with bonus money, multiple times.

There is a cost to using credit cards. One of the main reasons to use them is this protection against bad actors, and punishment of those actors by fines.

Reversing the charges doesn’t work with Facebook because they will block your account and for most people that’s not an option. And Americans Express is not going to fine Facebook or suspend their merchant account. That’s for small merchants.

Why do people put their cards on Facebook then? It is absolutely not safe to do, especially if you have (young) children.

I doubt even a company like Facebook is very big by credit card processing standards. Visa and Mastercard constantly run a huge amount of money through their systems. If your fraud rate goes above a certain level they give you a warning. If it stays too high they'll cut you off.

Yeah, a company that stored your credit card number and charged it w/o your permission - don't want to get blocked by someone like that. Definitely never an option for most people.

>I've literally had merchants issue a partial refund, disputed the original charge, and ended up with bonus money

...why is this ethical?

As an European who rarely sees credit cards, I always wonder if this is USA only? How do you dispute a charge?

My web banking platform has options for almost everything, but not much credit card related. Do I contact my bank, or do I go straight to VISA?

You should usually contact your bank and dispute one of the charges on your bank statement (that's how it seems to work in the UK, at least.)

You can dispute CC charges in Europe as well. All of my cards specify that I should do this as soon as possible, but no later than one year after the charge.

I have never needed a chargeback, but I had a peek at MasterCard's policy just now and it looks like you need to contact the issuing bank. I would assume it works the same for other four-party schemes such as Visa.

I click dispute in my online statement, check a couple of checkboxes to verify type of transaction, and write 1 line of why. Takes 30 seconds. Visa is not good for this, so I never use a Visa.

You're right, but I don't think this is quite what the quote is referencing. If payment details are stored and kids are merely presented with a colourful popup confirming they want to spend $99 for 2000 gems, it doesn't seem like a real transaction to them (putting aside the fact most kids have no appreciation for the value of money).

I wish Apple would crack down on this. Especially annoying are the games that let you pay to remove ads but then force you to watch a video ad (or buy real money gems) to get another play. So I paid to remove ads but I still get ads. And all of these in app purchases and ads are a really frustrating experience for games that would otherwise be fun. Not to mention they've all effectively turned into pay to play with a slot machine like experience.

The ads and IAP are annoying but Apple does have a way to get a refund for this kind of ‘purchases’:


I agree that it would be nice for Apple to clean up this type of transaction, but I've never found that a game containing them was particularly fun to play.

I have seen cartoonish green notes as in-game currency, parallel to gold, but much more scarce and can be bought with real money.

Kids don't stand a chance.

How much of this is the result of parents allowing children to play games unattended with games they themselves have not played to vet? With all things parenting, it ultimately falls on their shoulders on what they allow their kids to do. Not shilling for the slime balls preying on kids knowing parents are lazy, but parents are not blameless.

>parents allowing children to play games unattended with games they themselves have not played to vet?

So, I'm not telling anyone else how to raise their children... but the fact that society has attitudes like this contributed to my own personal decision to not have any children of my own.

Playing every game your child plays seems... really excessive. I know when I was a child in the '80s and '90s, I had a lot of alone time on the computer, and got to explore a lot of things without my parents; I think it was good for me? I mean, unquestionably, it contributed to my income later on, but I think it might have been good for me in other ways, too?

I think it was probably good for my parents, too.

But then, I super want to reiterate that I am not telling others how to raise kids; I've worked with a few people who kept their kid with them almost 24x7, and that was what they wanted. And it seemed to work out ok? I've totally opted out of that whole thing. I'm just saying, I don't expect anyone to be with their kid 24x7.

> How much of this is the result of parents allowing children to play games unattended with games they themselves have not played to vet?

None of it. You can try it. You can have a million parents leave a million children alone for most of the day, and not even a bitmap image of one cartoon coin or anything will magically be created, much less the code and distribution channels for a whole game. It doesn't make existing "wholesome" games automatically devolve into other games either, the code and assets don't change at all.

The people who actually do make these things, who do exploit some parents having a lot on their plate: where were their parents then, and where are their peers now? The crime of "not paying enough attention to what your child is doing, which results in a person you love being harmed, and you paying money", is tiny versus the crime of "ruthlessly preying on children for financial gain". Looking away when your child plays such a game is nothing compared to looking away when people make and distribute them.

I don't have children so I'm hesitant to point fingers at parents. I have the ability to make derpy things to sell to children, and I'm not doing that also because in my mind, only a.) children and b.) very careful, well trained and aware adults should make entertainment for children. So unlike parents, I judge those "creators" mercilessly. I cannot even stand the overly "hyped" streamers and youtubers who makes sure they don't swear to be "family-friendly" and not get "demonetized", but otherwise talk crap 24/365 that is fit to turn any brain to mush... but apps and games pushed onto kids directly is yet another level of depraved.

Where is society making an effort to warn parents, that you get to call them lazy for maybe not even considering some people would be so sick and morally bankrupt? What effort was made since Elsagate to warn anything about that stuff? That there's millions of dollars on the line has nothing to do with it, just lazy parents?

Lazy, deplorable society, is what I'd call it.

> In my mind, only a.) children and b.) very careful, well trained and aware adults should make entertainment for children.

I absolutely agree with the thrust of your post, but this strikes me as a little extreme. I don't believe J.K. Rowling, for instance, had any specific training on child psychology or the like when she began writing Harry Potter.

Creating non-exploitive content targeted at children is not rocket science.

I agree, but not based on Harry Potter or Rowling (never read Harry Potter), but maybe Astrid Lindgren, and countless others. Strike the "training", but keep the awareness, the thinking about what one is doing, which I feel is sorely missing from many youtubers. You're right, it's not rocket science, but some people who woulnd't be able to spill a bucket if you handed them one, can still find someone to setup a camera, mic and "gamer chair" or them, and click upload on their behalf.

Maybe we were weird, but from my childhood, I remember how even kids 2 years older or younger might as well have lived in an entirely different world, much less adults or parents. Now I can't find a let's play for a game I'm interested in without coming across what is basically 20-40+ people showing off to 10+ people. This wouldn't be possible without the distortion of "virtual reality" I think. Imagine a 25 year old person coming by a bunch of 13 year olds and lifting a trash can or doing $any_other_stupid_shit, so the kids can be their "fans" and "supporters", and maybe sneak them some cents out of mommy's wallet. That's what I see when I look at a lot of youtube.

When 'society' keeps getting worse, the only advocate remaining for the child is the parent.

I agree that those who make these apps are worse than the parents who are too busy to catch/prevent such incidents before they happen, but those sorts of people have been with humanity for a looong time and aren't going anywhere any time soon. I have been somewhat surprised and saddened to see comments suggesting so in this thread turn gray.

I'm not saying we should give up on improving society and trying to eliminate this sort of crap, but this is always what parenting has been about. If you have the attitude that everyone else needs to responsible for preventing these issues and it's okay for parents not to take any of that responsibility, I'm sorry but you are wrong. We need to do both.

> We need to do both.

I agree completely with that.

I vet all of my kid's games, but this particular pattern was not a deal-breaker for me. However, I've set my Google Play Store to require a password for each purchase. When my kid gets confused, he gets negative feedback in the form of a frustrating dead-end. Hopefully that'll help learning.

Thats some valuable time to be wasting to disciver dead ends in video games. Maybe there is a better way?

At some point parents should have to take some responsibility for parenting their children. Absolutely everything seems to be somebody else's fault, except for the parents.

Kids don't earn their own money. If kids are spending real money in a game then the parents had to okay it.

I would imagine that in a lot of cases parents just don't understand how these apps work. Something like this happens the first time, and then they figure out how to put those controls into place.

I used to think it wasn't nefarious unless your gameplay mechanics essentially coerce you to pay for in-game currency to progress or otherwise fully enjoy the game. But it seems like it's enough just to sell cosmetic enhancements, because kids will be just as caught up in that as they would be in actual gameplay progression.

All that said. It's your kid, your card and your money. Kids a mischievous, but the blame isn't entirely on games companies.

I'm not sure which class at business school is teaching everyone that "If you can get away with it do it! Have zero shame!" because it's probably time to remove that one from the Harvard curriculum.

No, no, no. This isn't taught in college. It's taught in Elementary School when students learn about the world leaders and take two seconds to discover their actual backgrounds and where their power and wealth truly came from. It's learned while watching movies like Wolf of Wall Street where the beautiful protagonist fucks everybody else, living a lavish and perceivable happy lifestyle, before getting "caught" and suffering virtually zero consequences for his or her actions.

Then, after being learned at an early age, it is reinforced time and time again in the stories of entrepreneurs who make billions immorally and similarly suffer zero consequences.

The fact that people watch Wolf of Wall Street and read it as an example to be emulated is very telling. By the end of the movie he’s in a hateful, bitter relationship, crashing cars into shit because he’s strung out on quaaludes and yet this is called “virtually zero consequences” because the consequences are not coming from an external authority. It’s the substitution of paternalism for morals and money for happiness.

I agree with you but I would like to point out that this is not Elementary School's fault. It's society's fault and Elementary School is when we first see the effects of this phenomenon, also some (most?) people will only get out from their caves at a later point in their lives.

Agreed. Local relevance outweighs global arrogance.

"They also found that the kids weren’t aware of what they were doing. “It doesn’t necessarily look like ‘real’ money to a minor,”

Seems a way to create the best consumer ever: someone who gets the benefits while having no connection with the costs. It may seem stretched, but I see some parallels with military drone pilots.

Are you really surprised ? To me this seems exactly as intended and expected from facebook, this is fully in line with how facebook thinks and works. Everything facebook is designed to maximize profit in any possible way out of people not knowing better.

The scheme described in this article is akin to the multiple techniques used by facebook to acquire users, they used and abused the whole black book of dirty tricks, dark patterns and such.

Heck there's even one dark pattern named after the ceo and founder of facebook.

I wonder what logic the first 6 would be, as opposed to the first 4. Credit cards, at least in America, have numbers composed of blocks of four digit numbers.

The first 4 digits are pre-assigned prefixes so it’s very easy to find valid ones; e.g.: visa starts with 4, MasterCard with 50-55 etc (https://creditcardjs.com/credit-card-type-detection).

The remaining digits have an error check built in so you can’t “guess” them.

Back in the offline transaction days, use of fake (generated) credit card numbers as prevalent in computer BBS to get an account for 1 day. Not that I ever did that sort of thing.

The whole number is used in the checksum calculation (the Luhn algorithm). The last digit is basically the checksum.

The first six digits will identify an issuing bank and card type. All Chase Debit Visas will start with the same six digits (unless they've further broken it down), but no Citibank one will use them. It's still plenty guessable-- try the most popular prefixes and you'll probably hit a few percent of the time.

It might be based in PCI regulations. They might be allowed to store or display the first six/last four in plain text, but probably have to encrypt the whole number or store a token in lieu of the actual full card number.

> The issue is Facebook

I agree.

> not to implement the most basic measures to prevent it.

The most basic implement to prevent this behavior is for parents to limit their children's access to Facebook. The consequence for that lack of supervision is spent money. Who should we feel sorry for?

Feel sorry for parents who are struggling to keep up with a crazily fast technology uptake for which they are not prepared but which has many high impact features in their profession, in their spare time, and in their kids' lives.

If you know parents without tech education or a comfortable economic position and lifestyle, try asking them how the deal with all this stuff.

Do you think parents should limit their children's access to porn? In my household we limit social media access no differently. What parent (with Facebook and integrated credit card data) doesn't know what social media is at this point?

> The most basic implement to prevent this behavior is for parents to limit their children's access to Facebook.

Another one would be not to store payment information on Facebook. Even if my child was able to get onto my facebook account, they wouldn't be able to buy anything because I've never stored my payment information on that service.

You are correct, but no chargebacks is a scummy policy that makes Facebook in the wrong here.

"Friendly fraud" is not a Facebook-invented term. It's a term used and understood by card issuers, acquirers, and merchants.

Friendly fraud encompasses:

- Dissatisfied customers who don't find refuge in a refund policy/process

- Customers who are embarrassed by their purchases. This situation is commonly triggered when a significant other reads a credit card statement.

- Customers who spend beyond their means, and then look for a "solution" when the statement comes due

I find it weird the way Facebook seems to be using the term here. These are charges that were never contemplated by the cardholder. There is no "buyer's remorse" dimension.

Friendly fraud is specifically about charges that are agreed by the card holder, but they later change their mind and pretend otherwise.

> Dissatisfied customers who don't find refuge in a refund policy/process

It's dangerous to label such things as fraud. Chargebacks are a consumer protection mechanism of last resort as well as a remedy for unauthorized charges. If a merchant doesn't deliver what they promised and doesn't issue the appropriate refund, the merchant is the one engaging in fraud.

Chargebacks are a mechanism that can definitely be abused and in those cases would be fraud. I don't see that as dangerous at all. Heck, in posts on these forums people brag about using chargebacks to cancel services because they didn't want to call or follow the guidelines set by the merchant to cancel an account. Whether they're in the right or not that's most certainly bordering abuse of the system.

Those merchants don't always have clean hands, either. Lots of services where you can sign up with one click, but canceling requires a lengthy phone call during which they pressure you to stay. And the call has to be during business hours, hope your boss doesn't mind!

Imagine how much worse it'd be if the dispute process didn't exist. "Oops, our only cancellation department employee retired last year and we forgot to replace him!"

I see both sides here, but maybe this is where merchants need to enact stricter rules.

Like services that will gladly let you signup online but then require you call a phone number, with very long wait times and only during certain hours, to cancel. And then be harassed about a cheaper offer while you try to cancel.

I have been a merchant and dealt with erroneous chargebacks, but I have zero sympathy for companies that know exactly what they’re doing — trying to fatigue or confuse the customer into not canceling.

Chargeback fraud is a large issue in the US and not enough is being done by card issuers because it is the consumers who make money for card issuers by spending. There is incentive to please them, as all costs get passed to merchants.

Making it hard to cancel a service is a blatant abuse of the system.

As any seller on eBay can attest, it's definitely possible to deliver exactly what you promise and still have the customer demand a refund or chargeback.

I disagree. Chargebacks are a feedback loop. If you’re taking care of your customers and being transparent about how much and when you charge them, surprise, you won’t have bad chargebacks rates.

If you try to blur that grey area and tilt towards deception (“maybe if we don’t tell them when it auto-renews, our churn will decrease”) then you deserve every single chargeback you get.

My sister-in-law works in a fashion store. They have a 14 day return policy assuming same condition. You be surprised how many people buy a dress, cut all the tags, wear it once to an event, and try to return it.

I don't think Facebook is accidentally misusing the term. They want to redirect sympathy from the cardholders to themselves by framing the situation as if it were just a case of "buyer's remorse", when really they've intentionally built the system to incur these mistaken charges.

Most probably Facebook didn't make the games themselves. And I thought one had to be at least 13 years to use Facebook, but probably some parents are allowed younger kids access.

Average age of angry bird user was 5 the article says

Really? I thought the presence of the brand was bigger (back in the day) than that would allow for. An average age of 5 puts a pretty sharp limit on the number of 30-year-olds who can play. They're not going to be balanced out by one -20-year-old each.

"Average" in this case may refer to mode, not mean.

That’s not how I’ve heard the term used. The meaning I’m familiar with is “person closely known to the card holder incurs a charge that isn’t really authorized”, for example you might have access to their computer but aren’t supposed to use their saved credit card info for purchases. For example, companies ask for the ability for websites to do biometric authentication via TouchID/FaceID to combat friendly fraud. That wouldn’t make sense under your definition.

> I find it weird the way Facebook seems to be using the term here. These are charges that were never contemplated by the cardholder. There is no "buyer's remorse" dimension.

It's my understanding that it's the responsibility of the cardholder to "contemplate" the consequences of delegating charges to others. What Facebook maybe should do in this case is make it painfully obvious that other users of one's Facebook account could incur additional charges without reentering the payment card information.

Wikipedia seems to agree with you:


Exactly. I think chargebacks are a feedback loop, especially because we have percentages to compare to other businesses. And as the article stated, Facebook’s was 10x the norm.

This was not “friendly fraud.” This was straight up fraud, with clear intention by Facebook employees to defraud parents by using children in a disgusting way as their pawns.

Facebook used the term in the same meaning as the rest of the industry, and in the same meaning that you explained. You can read the original doc linked in the article to confirm that.

The article's author lied. They told the readers that FB encouraged fraud, while in fact FB was actually encouraging devs not to fight the chargebacks.

Not that I'm defending FB. They knew the chargebacks were very frequent, so they should have addressed the root cause by adding more verifications before a card can be used. But they were definitely not telling devs to commit fraud.

>I find it weird the way Facebook seems to be using the term here.

In my experience fraudulent chargebacks for payments processed without liability-shifting authentication (3D secure etc) are typically lumped together as "friendly fraud". Regardless of origin. With digital purchases, especially fungible ones like game credits, there exists quite a lot of organised fraud exploiting "one-click" checkout chargeback SOPs.

Could the similar name be a coincidence?

1. Company is on the record as being aware of unauthorized use of parents' credit cards.

1a. Company is aware of channels particularly prone to unauthorized use of credit cards (with Ninja games being presented as the archetype).

2. Company creates a method for verifying the authority of purchase (and confirms that it works)

3. Company intentionally does not implement verification method, thus explicitly profiting from known fraud.

Now, I'm very much not a lawyer, but this strikes me as the sort of behavior we would seek criminal penalties for. Has there been any indication that this has been forwarded to the relevant parties for investigation / prosecution?

Well, in TFA:

> The records are part of a class-action lawsuit focused on how Facebook targeted children in an effort to expand revenue for online games, such as Angry Birds, PetVille and Ninja Saga.

They have a strong case, I think. Indeed, the facts are so egregious that punitive (treble) damages are possible. So even if class counsel take ~30%, the class could get ~100% recovery. How much? Well, basically it'd be [number of children]*[amount charged per child]. Maybe a few $billion?

The catch is FB requires that users be 13+, and someone younger than that using FB is a violation of their terms. Some if not most of these kids may be younger than that.

It seems reminiscent of marketing tobacco/nicotine to minors. It's easy to say "well, it's not our fault people are breaking the law/contract" up until it comes out that internal documents show the company was targeting such people.

I don't completely understand why people maintain that something could be innocent while ignoring the evidence that it wasn't.

Maybe parents should have a separate login for their kids that doesn't have the CC info saved?

Leaving that saved in the browser is awful close to authorization since there are reasonable, low-effort steps that could be followed by a non-technical user to prevent it from happening.

It's like leaving your card on the kitchen counter and being upset when they order pizza.

> Maybe parents should have a separate login for their kids that doesn't have the CC info saved?

In at least one case in the article (the 12-year old in Phoenix), the kid apparently did have a separate account; but he asked his mom to let him use her card for what he thought was a one-time purchase, but Facebook stored the card info and behaved like recurring payments had been authorized. (Also the game appears to have been highly non-transparent about when such charges were being incurred.)

So while I agree that the mom would have been well advised not to let the kid use the card for even that one-time purchase, I think that pales in comparison to Facebook's conduct.

I explicitly make spending money online harder for myself as a protection from things like this. (Well, primarily I also don't play any games with micro-transactions for one because they're universally a rip-off designed to exploit addictive personalities. Games based around these shady tactics should never have been tolerated, let alone allowed to become the standard to such a degree where even real AAA $60 video games are now infested with this. It's disgusting.) Very few things and services have my payment information saved -- usually just Apple and PayPal have it saved. I never save credit or debit card details to the keychain so the browser doesn't auto-complete it. I always go out of my way to set payment confirmation dialogues to always appear. Whenever I subscribe to something, I use PayPal or the App Store subscription feature. In case it's a yearly recurring subscription, I always go out of my way to cancel auto renewal. If nothing else, I delete the authorisation from PayPal for automatic renewal. I always go and double-check if some place saved my credit card details or not and if they have then I delete them.

While not completely fool-proof, these steps have made it easier to more carefully manage my online spendings and not to suckered into parting with my money.

I have the same habits. Every month, I have to enter my payment info for phone,car,etc. They always have that little check box for "save payment info for later". Nope. To the point that my car payment is now done over the phone each month because they changed their website to force you to enter a payment (checking/routing). At the rate sites are getting hacked, I will not enter any more information that required to make it work. As with my auto company, if it requires more info than I want to provide, then I don't use it.

Steam / Valve did this for quite a few years until they were taken to court in Australia for their unfair practices. A judge said their refund policy was criminal and intended to deny refunds and fined them a couple million dollars for an estimated 20,000 times. Steam drastically changed their refund policy and evaded fallout everywhere else, but it's probably going to be substantial for Facebook.


These two cases seem pretty different to me. Steam wasn't in compliance with Australian refund laws and got in trouble for it. But the Steam case had nothing to do with minors (mostly very young children) making inadvertent purchases.

The similarity is the intent to refuse lawful refunds, and probably the scale. Steam never optimized to refuse more refunds though.

The same thing happened with Apple in the US:


So, FB not only did this scummy act once, they did it many many times, never tried to remedy it, and never tried to alter the 'pathway' for this to occur, but they had this happen so often that they came up with a nick-name for it?

Like, I knew they were evil, but I didn't think they were stupid too [0].

[0] https://en.wikipedia.org/wiki/Stringer_Bell#Season_three

It's okay guys, the security of your credit card information is important to them! Also, it's a big responsibility, and they "need to do better."


1) If an individual app developer did something like what Facebook did here, then there is a better than good chance that they would be successfully prosecuted with a crime. Why is the criminal justice system so much more lenient on corporations? If it is just money, then we have to accept that arbitrariness can be bought and paid for by those who can afford it. There are a few voices here that advocate for less prison sentences with whom which I agree with, but white collar crime like the kind in the article isn't punished to the same level of severity when the organization at large is at fault. It seems that the incentives for certain kinds of problematic behavior change when your at scale.

2) If you allow this sort of behavior long enough, then it definitely seeps into the culture, the decision-making of management, and the interactions of all those who work there (full-time, part-time, contractors all included). If bad apples can spoil the bunch, then will certain people refuse to interact, do business with, or hire former Facebook employees? Is there / will there be a "blue shield" for Facebook as there is for law enforcement?

Note at the time (2011-2012) there was almost assuredly a lot of incentive at FB to look the other way regarding this kind of fraud, since they were preparing to go public (May 2012). When going public you want to get the best price on your IPO, so I imagine the order from higher up was to push revenue higher and look the other way on these types of issues.

FB's stock dropped 40% in the months after going public, so that incentive to not do anything to impact revenue remained as FB dug themselves out of that hole. It may have even been amplified because internal employees were in lockout period watching the stock drop and wanting to cash out at a good price, and probably were (psychologically) price anchored on the IPO price.

Yep, I think this just shows how the push for ever increasing revenue creates a disgusting environment.

Almost every single bad Facebook decision can be traced to them trying to cut corners for increased valuation.

> But the company had discovered that more than 9 percent of the money it made from children was being clawed back by the credit card companies.

> In comparison, the average chargeback rate for businesses is 0.5 percent, according to the Merchant Risk Council, a nonprofit that helps businesses manage risk.

> A chargeback rate of 1 percent is considered high, and credit card companies such as Visa and Mastercard will put businesses on probation programs for rates consistently that high.

> The Federal Trade Commission said in an unrelated fraud case in 2016 that a 2 percent chargeback rate was a “red flag” of a “deceptive” business.

Nine percent chargeback rate. That's just absolutely nuts.

That explains why the security is so lax. The card companies are complicit in the scheme.

The article references this URL: https://ecf.cand.uscourts.gov/cgi-bin/HistDocQry.pl?61603081... However, that is not accessible without an account and possibly payment for the document. Is this content part of the public domain. If so, can/has it been posted elsewhere?

Edit: I should add that I do see some of the documents reproduced and referenced from elsewhere in the article (e.g. https://www.documentcloud.org/documents/5694620-Exhibit-OO-R...), however I didn't see any way to access the full collection.

If true, this seems to be one of the more clear cut recent examples of unethical policies devised by Facebook employees. I suspect certain other policies and programs can be mentally justified, but when it comes to very obvious things like this I would think it would have a bigger impact on whether top employees including engineers would be willing to continue working there. Everyone has their own personal line beyond which they’ll just decide to move one. I have already read about some people moving on lately but don’t know if it’s a trend yet.

" by Facebook employees"

The buck stops where?

A fish rots from the head. But is it just the head that's rotten? No, soon the whole fish is rotten; that's the point.

So yes, Zuck is rotten. And consequently we should expect to find systemic rot through the organization at all but the very lowest levels (the groundskeepers and maintenance guys are probably clean)

None of this is unique to Facebook - it plagues the entire industry. I would even argue that games companies are far more complicit in this scheme than any service provider.

true, but Facebook is an order of magnitude larger, more integrated and more powerful than the others.

They need to Drawn and Quartered publicly to clean them up. Each of these articles adds up to something very scary.

I expect Amazon is due to a truth telling as well.

The game devs are not the ones caching your CC and letting kids reuse it without proof they have parental permission. Come on, not even close in terms of who is at more fault here.

I think this is a lot about “transferring insight”. Like this: if FB knowingly duped kids and their parents, where else have they knowingly duped people? Elections? Data? Etc

It's interesting watching Silicon Valley discover the purpose of government regulations from first principles.

Nothing old applies to us! Until we invent it here! Again. Its magical.

Uhh what the actual fk, the article reversed the meaning of FB emails.

FB encouraged devs to NOT fight the "friendly fraud". "Friendly fraud" is an industry term (just google it). It is when a customer who received goods then calls VISA and asks to refund their purchase.

Anyway. FB told devs "let parents get their money back, don't fight it". But this article says FB told devs "keep committing fraud", which would be just about the opposite.

Obviously, FB should have taken measures to prevent kids from using their parent cards without permission. But just because FB behaved badly, does not mean it's ok for revealnews.org to spread dirty lies.

This type of predatory behavior has been happening for a long time. When I was about 9 years old, my brother and I bought Link's Awakening on Gameboy. On the back of the booklet that comes with the game was a line that read, "Need Help? Call this number" with an 900 phone number listed.

We had access to the home phone and wanted to beat the game. So of course, we called the number a few times to get hints on how to beat hards parts of the game. This was before the internet where you could just lookup a walkthrough online.

You can imagine my mother's shock when she received a $200+ charge on her phone bill for a phone number she had never heard of. Apparently the cost of the call was about $5/minute.

We got yelled at and we weren't allowed to call the number anymore after that. I'm proud to say we still beat the game though.

I still feel guilty about it every time we recount this story. I remember exactly where I was (on the top bunk) when mom shared the bill with me. I think she had me dial into the number to show her how it worked. To their credit, Nintendo did disclose there was a cost to the service but as I'm sure kids ignore notifications these days, I blindly pressed 7 or whatever because I wanted to get through the next level so badly. It didn't seem like real money. I can't remember if mom made me do excess chores to pay off the debt but I'm guessing she did. I should pay her back the $200 with interest.

If Facebook knowingly refused to refund improper transactions, THEY are the ones committing fraud. Plain, old, "screw you, Facebook user" fraud.

Personally I think most of the reporting on Facebook is written to drive clicks and ad revenue. It's usually exaggerating the problems.

This story is truly messed up though.

We so need credit card tech that puts the card holder in control. Like a 2fa message to accept every single charge no matter how small.

Facebook could be run by the Russian mob and people would continue to use it(and Instagram and WhatsApp).

Well, if I had any small amount of trust in FB / Zuckerberg to do the right thing, I just lost it.

These are some super shady and deceptive business practices.

The modern in-game transactions remind me of simpler exploits from years ago: 900 number phone games.

Back in the 80s, children were bombarded with advertisement of phone based games using a 900 number prefix. 900 numbers are unique in that they charge a fee for use. A child who wanted to play the RoboCop phone game would simply pick up a phone and dial the number. Shortly after, they would get to press numbers on the keypad to choose their own adventures. The games were addictive and expensive. [1]

Eventually, enough parents were ripped off and they fought the system, convincing legislators and regulators to stop the exploitation. This put a complete stop to 900 number games.

[1] https://guff.com/15-bizarre-1-900-numbers-from-the-80s-and-9...

It's like facebook are all those evil corporations you see in movies.

facebook as a platform provider is guilty as charged.

there is a special form enforced for storing credit card information. Where was QSA?

Credit card providers and game providers should also take their part in responsibility for storing credit card information.

I do not get how is this still possible with 3D secure protocol out there?

A friendly fraud implies that the refund was actually made to the customer (https://en.wikipedia.org/wiki/Friendly_fraud). The article states:

"“Friendly fraud” is the term Facebook used when children spent money on games without their parents’ permission."

That's incorrect and completely reverses the meaning of the internal FB memo. “Friendly Fraud – what it is, why it’s challenging, and why you shouldn’t try to block it.”

(Disclaimer: I work at Facebook but wasn't there at the time.)

Probably an unpopular statement, but man does this happen a lot with fortnite. They even have a section in their help pages specifically for unauthorized purchases by family members. Also, they don't seem to care at all about who's payment method is associated with an account. You even get kids taking pictures of their parent's credit cards and passing them around.

So they can just return money to all the wronged people now? Or did they already? How about people outside of US?

I mean there would have to be some criteria for deciding who to return money to, but I'm sure they can come up with something less arbitrary than the original decision making that's hinted at in the article.

When are you all going to delete your Facebook accounts?

I got 9 friends to install Signal yesterday to help them away from WhatsApp. I'd love to see widespread campaign to encourage people to ditch these parasites we're addicted to.

Sad to see that so many smart people in our industry lend themselves to work for Facebook. There are great tech innovations that come out of Facebook, but that doesn't weigh up to the damage they are doing to society.

Sam Harris has released two great podcasts that discuss how Facebook, and other companies like them, choose to earn money from, amongst other things, radicalising and polarising people in our societies:

https://samharris.org/podcasts/146-digital-capitalism/ https://samharris.org/podcasts/145-information-war/

and to some extent: https://samharris.org/podcasts/144-conquering-hate/

I recommend these highly.

And this guy (Zucker) was talking running for US president? Whhhoooah

Well, the solution is simple -- don't give your kids your credit cards...

Who is giving Facebook their credit card? Why?

Parent gave the CC to Facebook in order to make one purchase. It isn't always transparent that this payment option is then stored indefinitely, and can be charged on user input without re-evaluating that the charge was initiated by the holder of the CC. This is not necessarily a bad thing, and can be viewed as a convenience-feature. But it has downsides, which Facebook not only seems to be aware of, but seems to welcome.

Why is this submission marked as a dupe?

Hmm, that's an earlier story from the same site announcing that the documents are expected to be released, whereas this link is about what the released documents actually revealed. They are related links, but not quite the same.

Ok, we'll de-dupe it.

With all due respect, I think his was plainly obvious to someone who even glanced at the submitted story, and shouldn't have had to been explained to mods.

Different things are obvious to different people!

I agree. This post is a follow-up, not a duplicate.

Is anyone surprised that 11 year-old Johnny "didn't realize" he was spending money? Sounds like parents looking to blame anybody but themselves.

That's odd, the article I read did contain specific instances of parents retracting the steps of their spendthrifty offspring which confirmed there was no indication of actual money being spent, e.g.:

“I saw all these $19 charges from Facebook,” she said. “It added up to nearly $1,000.”

She asked her son why he would do that. But he was flabbergasted by the charges too. So Bohannon asked her son to play the game so she could watch what he was doing wrong.

As he played, he occasionally clicked on a corner of the screen that gave him more abilities, such as magical items, or new ninja attacks for his character. It didn’t ask if he wanted to pay for it, or let him know that his mom’s credit card was being charged.

“There was no indication he was spending money,” Bohannon said. “So, 20 minutes later, I rechecked my credit card statement online. And sure enough, there was another $19.99 charge from Facebook.”

Holy cow, that's frightening. Mobile games with in-app payments are clear about "These cost gems {or some other bought-with-real-money mcguffin)", but refilling those gems nearly always makes it clear that you're going to have to pay.

Facebook payments platform was always far behind Apple & Google Play in terms of transparency.

Source documents are linked throughout the story.

Just don't save payment card information in your Facebook account which you share with an irresponsible minor. If you primarily blame Facebook for this problem, you are failing as a parent.

The fact that it is technically possible for Facebook to validate some purchases and prevent some instances of this problem does not make it Facebook's responsibility not to do something practically equivalent to handing your wallet to a toddler at a carnival.

Ah yes, blame the parents.

A 9% chargeback rate on payments identified from minors is an awful lot of careless parents. The real fraud rate would be a lot higher as plenty might write it off to experience come credit card bill. Quite often these things are remarkably difficult to cancel too (no idea if that applies to Facebook).

The fact is many of these ongoing payments, and the use of separate game currencies rather than simple $1.99 are deliberately unclear, even to fully clued up adults. That's rather the whole point of them.

> The fact is many of these ongoing payments, and the use of separate game currencies rather than simple $1.99 are deliberately unclear, even to fully clued up adults. That's rather the whole point of them.

Well, so are amusement park tickets. That doesn't mean you are absolved of responsibility for controlling your cash when you go to an amusement park.

If your toddler tried to use your credit card at an amusement park to buy $500 worth of cotton candy I imagine the person at the counter would not process it.

That is a perfect illustration. Facebook is the cornerstore that will sell your kid 500 in toys and comic books, only to upsell them a pack of camels from my checkout display. It's cool, we already have your daddys credit card from last time, and he said we could use if for his future transactions. And because you are clearly a young child, lacking agency, I will bill him. Yet I will refuse to refund it when dad comes in later. Did I mention I am selling access to your data, also webcams!? Its goddamn terrifying we let it get this far.

It's obviously fbs fault that you can't educate your kids or even control them. Fb did not put a phone in your kid's hands to shut him/her up, you did.

If my child takes the money that I left on the desk, goes to the shop, buys candies and eats them...can I go to the bank and ask them to give back my crisp bills? Or maybe go to the candy store and whine there?

Let me give you an analogy that actually fits the truth:

You went to the candy store with your child and paid via CC. The candy store saved your CC by default, and due to deceptive UX, made it difficult to figure out that you needed to opt-out of the saved CC.

The next day, your child was walking past the candy store and the candy seller runs outside and says, "hey kid, you want this candy? its super good and you can have it for 5 dollars! just take it, its yours!"

kid takes candy, you get charged $5.

and in reality, even the "you can have it for 5 dollars" part is generous. facebook did not require the game developers to make it obvious when things cost real money or not.

In many jurisdictions that's not a valid contract, so yes, the store has to reverse it.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact