It's not just that this whole scenario is slimy. It's that Facebook was fully aware of it, had a nice in-house term for it ("friendly fraud"), and not only chose not to approve refunds but also chose not to implement the most basic measures to prevent it.
[edit: as a commenter pointed out, the term “friendly fraud” predated Facebook]
This is symptomatic of a corporate culture that is toxic to to the core.
The money quotes are in the 2 paragraphs below:
"In 2011, Tara Stewart, a risk analyst for Facebook, studied the issue and suggested that the company begin requiring users to enter the first six digits of a credit card used for payments on certain games. Stewart ran a survey of Facebook users and found that many parents were not aware that Facebook stored their payment information after entering it one time. They also found that the kids weren’t aware of what they were doing. “It doesn’t necessarily look like ‘real’ money to a minor,” Stewart wrote.
She ran a test to see if the entering the cards first six-digits would reduce these unwanted charges and the results were encouraging. She also said it would “make sense to start refunding for blatant FF-minor.” The abbreviation “FF” stood for “Friendly Fraud,” the term Facebook used to refer to these fraudulent purchases which were made without malicious intent. Despite this obvious solution, Facebook decided that it would harm revenue and elected to continue fighting refund requests for the foreseeable future, the documents show."
This is intentional.
In many games, some things cost "gold" earned by playing the game, and others cost "gems" bought with real money. Or maybe "gold" is the one that costs real money. It's designed to be confusing and hide the distinction between in-game points and real money.
At some point the game companies should bear some of the responsibility for deceiving children.
I hope a reckoning is coming in this regard. Many games include mechanics that are hard to distinguish from video slot machines and should be regulated the same way gambling is (rated 18+, audited for "fairness").
My son is old enough that arcades are interesting to him now. I was pretty shocked to see how they have declined into shitty skinner boxes and games of chance to win tickets. That was always a factor, but is much more prominent today.
The casual acceptance of sports betting is another example of that shift. There’s probably some free marketeer who will opine that teaching children about gambling is a good thing!
Nah. Some people in it shifted, dragged a whole lot of fools with them, didn't experience a reckoning right away, and now think the air's clear. The main punishment for what they've become is being what they've become, that stigma remains whether they can see it or not. They might find themselves scratching at closed doors for undiseased sources of nourishment at some point.
I'd say that's stigma-free.
Letting kids gambling is a parental choice, but if you think it's teaching your kid a valuable lesson you are dead wrong.
I'm thinking more about games like roulette, poker, dice with chores money. maybe it would need to be in a more controlled environment, like family game night.
not exactly gambling, but I learned a great lesson from my father this way when I was about eleven or twelve. I really wanted some expensive Lego so I begged my dad to lend money to purchase it. at first he wouldn't do it, but eventually he decided it might be a good learning experience for me. I had a blast playing with that set for a month or two, but after a while it was just one more toy that I owned. it took a lot longer than that to pay him back, so I had ample time to reflect on how much it sucked to be in debt. I never asked my dad for another toy loan, and I've basically never considered borrowing money again for anything other than college.
I don't think calling it a slot machine is fair.
It is designed to be addictive with compulsion loops and reinforcement, exploiting brain mechanisms you are not aware of such as disproportionate feedback coming directly from slot machines. Candy crush is a sort of glorified skinner box.
Same as gambling machines, candy crush makes use of "illusion of control" by congratulating the player for being skilled for things that actually happened by chance (or were made to happen by the game itself).
The comparison does not stop here, similar to gambling machines candy crush makes money not on the vast majority of people but on a limited few that will spend lots of money the "whales".
The fun thing with candy crush is that as long as you never pay the game plays fair but once you've become a paying customer the game starts to play tricks on you to nudge you into paying more, it will become harder or impossible to win without the use of bonus you have to pay to get. The game actually adapts to you to maximize profit it can squeeze out of you.
There was a detailed article about all this mechanism a few years back when I did not shaarlize all my interesting findings so I can't link it here, but everything I just written comes from memory of what was described in this article.
 : https://shaarli.readthedocs.io/en/master/
So, in your opinion what makes something a slot machine is which psychological effects it tries to use?
Do you know where else all of these same psychological effects come up? Human interaction. Candy Crush is basically somebody trying to sweet talk you and wrap you around their finger. Do you consider that to be a slot machine too?
I'm not OP, but to me it's the triggered randomness with occasional wins that makes it a slot machine. The intentional psychological effects and engineering to persist the desire to subject oneself to those effects are how King and Zynga are evil companies and deserve to have their corporate charters dissolved. IMHO.
After providing such a payment token there should be no proof and dispute involved, just a single click in a web interface "I refuse to pay for that and I revoke the token". The user of the token should make sure I am happy so he can continue to charge the token.
This is in sharp contrast with user initiated payments for a fixed amount, that should be carefully secured, require strong authentication and should almost never be reversible, unless actual fraud can be proven by the payer.
The problem with cards on the internet and their high abuse and chargeback rates, for which we all pay, is that they conflate these fundamentally different use cases into a single set of static numbers.
A good payment system should require explicit authorisation through your own bank. That's how for example the Dutch iDeal system works. I never use a credit card for a site that accepts iDeal, and the only reason I have a credit card at all, is that many foreign sites don't specifically cater to Dutch customers, and therefore haven't implemented iDeal. I wish they did, or that there was a similar international payment standard that went through banks rather than merchants.
This would basically make sure I would almost never spend any money online, because going through a bank authorization is annoying enough that I'd rather just go do something else. Forget microtransactions, I wouldn't even buy most games.
I do hate 2FA. I like it, but I hate using it. I've stopped posting on some forums/using services. I didn't actively quit them, but when the service had logged me out and it asked me for the 2FA code, I winced and went to go do something else. Over time this happened enough that at some point I just didn't visit the site anymore.
Personally, I find this system a lot less painful than having to type in my credit card number. And it's a lot safer.
Not enough! My account activation is incomplete until I link my privacy.com account to my Facebook account!!! I thought this is so funny in the context of this privacy/Facebook spying thread.
Quote from my privacy.com account page:
"Sometimes, the information provided at signup isn’t enough to verify someone’s identity, and activate their Privacy account. Connecting your Facebook account is a quick and easy way to provide extra identity verification. Okay"
P.S. I am now feeling uneasy about the whole thing. I have changed my bank login password and I am trying to cancel/delete the privacy.com account -- but there is no such option in the website menus.
If you're in (certain parts of) Europe, Revolut will offer you one-time use virtual debit cards if you're on one of their paid plans. However, I have no personal experience with them. Being limited to one transaction each makes them a lot less interesting in my opinion, since I can't set up my subscriptions through different cards.
The service that privacy.com offers is different in that it allows you to control very precisely what kind of charges are allowed on any of your virtual cards (and allows you to have more than five). If I used a particular card only for Spotify, I could put a $10/month limit on it, for example. This is more akin to the one-time card offering, but it's not quite the same since it doesn't support recurring payments.
On that note: if anyone is aware of a service like privacy.com available to users in mainland Europe, I'd be very interested to hear about it.
There is a cost to using credit cards. One of the main reasons to use them is this protection against bad actors, and punishment of those actors by fines.
...why is this ethical?
My web banking platform has options for almost everything, but not much credit card related. Do I contact my bank, or do I go straight to VISA?
I have never needed a chargeback, but I had a peek at MasterCard's policy just now and it looks like you need to contact the issuing bank. I would assume it works the same for other four-party schemes such as Visa.
Kids don't stand a chance.
So, I'm not telling anyone else how to raise their children... but the fact that society has attitudes like this contributed to my own personal decision to not have any children of my own.
Playing every game your child plays seems... really excessive. I know when I was a child in the '80s and '90s, I had a lot of alone time on the computer, and got to explore a lot of things without my parents; I think it was good for me? I mean, unquestionably, it contributed to my income later on, but I think it might have been good for me in other ways, too?
I think it was probably good for my parents, too.
But then, I super want to reiterate that I am not telling others how to raise kids; I've worked with a few people who kept their kid with them almost 24x7, and that was what they wanted. And it seemed to work out ok? I've totally opted out of that whole thing. I'm just saying, I don't expect anyone to be with their kid 24x7.
None of it. You can try it. You can have a million parents leave a million children alone for most of the day, and not even a bitmap image of one cartoon coin or anything will magically be created, much less the code and distribution channels for a whole game. It doesn't make existing "wholesome" games automatically devolve into other games either, the code and assets don't change at all.
The people who actually do make these things, who do exploit some parents having a lot on their plate: where were their parents then, and where are their peers now? The crime of "not paying enough attention to what your child is doing, which results in a person you love being harmed, and you paying money", is tiny versus the crime of "ruthlessly preying on children for financial gain". Looking away when your child plays such a game is nothing compared to looking away when people make and distribute them.
I don't have children so I'm hesitant to point fingers at parents. I have the ability to make derpy things to sell to children, and I'm not doing that also because in my mind, only a.) children and b.) very careful, well trained and aware adults should make entertainment for children. So unlike parents, I judge those "creators" mercilessly. I cannot even stand the overly "hyped" streamers and youtubers who makes sure they don't swear to be "family-friendly" and not get "demonetized", but otherwise talk crap 24/365 that is fit to turn any brain to mush... but apps and games pushed onto kids directly is yet another level of depraved.
Where is society making an effort to warn parents, that you get to call them lazy for maybe not even considering some people would be so sick and morally bankrupt? What effort was made since Elsagate to warn anything about that stuff? That there's millions of dollars on the line has nothing to do with it, just lazy parents?
Lazy, deplorable society, is what I'd call it.
I absolutely agree with the thrust of your post, but this strikes me as a little extreme. I don't believe J.K. Rowling, for instance, had any specific training on child psychology or the like when she began writing Harry Potter.
Creating non-exploitive content targeted at children is not rocket science.
Maybe we were weird, but from my childhood, I remember how even kids 2 years older or younger might as well have lived in an entirely different world, much less adults or parents. Now I can't find a let's play for a game I'm interested in without coming across what is basically 20-40+ people showing off to 10+ people. This wouldn't be possible without the distortion of "virtual reality" I think. Imagine a 25 year old person coming by a bunch of 13 year olds and lifting a trash can or doing $any_other_stupid_shit, so the kids can be their "fans" and "supporters", and maybe sneak them some cents out of mommy's wallet. That's what I see when I look at a lot of youtube.
I agree that those who make these apps are worse than the parents who are too busy to catch/prevent such incidents before they happen, but those sorts of people have been with humanity for a looong time and aren't going anywhere any time soon. I have been somewhat surprised and saddened to see comments suggesting so in this thread turn gray.
I'm not saying we should give up on improving society and trying to eliminate this sort of crap, but this is always what parenting has been about. If you have the attitude that everyone else needs to responsible for preventing these issues and it's okay for parents not to take any of that responsibility, I'm sorry but you are wrong. We need to do both.
I agree completely with that.
Kids don't earn their own money. If kids are spending real money in a game then the parents had to okay it.
All that said. It's your kid, your card and your money. Kids a mischievous, but the blame isn't entirely on games companies.
Then, after being learned at an early age, it is reinforced time and time again in the stories of entrepreneurs who make billions immorally and similarly suffer zero consequences.
Seems a way to create the best consumer ever: someone who gets the benefits while having no connection with the costs.
It may seem stretched, but I see some parallels with military drone pilots.
The scheme described in this article is akin to the multiple techniques used by facebook to acquire users, they used and abused the whole black book of dirty tricks, dark patterns and such.
Heck there's even one dark pattern named after the ceo and founder of facebook.
The remaining digits have an error check built in so you can’t “guess” them.
Back in the offline transaction days, use of fake (generated) credit card numbers as prevalent in computer BBS to get an account for 1 day. Not that I ever did that sort of thing.
The first six digits will identify an issuing bank and card type. All Chase Debit Visas will start with the same six digits (unless they've further broken it down), but no Citibank one will use them. It's still plenty guessable-- try the most popular prefixes and you'll probably hit a few percent of the time.
It might be based in PCI regulations. They might be allowed to store or display the first six/last four in plain text, but probably have to encrypt the whole number or store a token in lieu of the actual full card number.
The most basic implement to prevent this behavior is for parents to limit their children's access to Facebook. The consequence for that lack of supervision is spent money. Who should we feel sorry for?
If you know parents without tech education or a comfortable economic position and lifestyle, try asking them how the deal with all this stuff.
Another one would be not to store payment information on Facebook. Even if my child was able to get onto my facebook account, they wouldn't be able to buy anything because I've never stored my payment information on that service.
Friendly fraud encompasses:
- Dissatisfied customers who don't find refuge in a refund policy/process
- Customers who are embarrassed by their purchases. This situation is commonly triggered when a significant other reads a credit card statement.
- Customers who spend beyond their means, and then look for a "solution" when the statement comes due
I find it weird the way Facebook seems to be using the term here. These are charges that were never contemplated by the cardholder. There is no "buyer's remorse" dimension.
Friendly fraud is specifically about charges that are agreed by the card holder, but they later change their mind and pretend otherwise.
It's dangerous to label such things as fraud. Chargebacks are a consumer protection mechanism of last resort as well as a remedy for unauthorized charges. If a merchant doesn't deliver what they promised and doesn't issue the appropriate refund, the merchant is the one engaging in fraud.
Imagine how much worse it'd be if the dispute process didn't exist. "Oops, our only cancellation department employee retired last year and we forgot to replace him!"
Like services that will gladly let you signup online but then require you call a phone number, with very long wait times and only during certain hours, to cancel. And then be harassed about a cheaper offer while you try to cancel.
I have been a merchant and dealt with erroneous chargebacks, but I have zero sympathy for companies that know exactly what they’re doing — trying to fatigue or confuse the customer into not canceling.
If you try to blur that grey area and tilt towards deception (“maybe if we don’t tell them when it auto-renews, our churn will decrease”) then you deserve every single chargeback you get.
It's my understanding that it's the responsibility of the cardholder to "contemplate" the consequences of delegating charges to others. What Facebook maybe should do in this case is make it painfully obvious that other users of one's Facebook account could incur additional charges without reentering the payment card information.
This was not “friendly fraud.” This was straight up fraud, with clear intention by Facebook employees to defraud parents by using children in a disgusting way as their pawns.
The article's author lied. They told the readers that FB encouraged fraud, while in fact FB was actually encouraging devs not to fight the chargebacks.
Not that I'm defending FB. They knew the chargebacks were very frequent, so they should have addressed the root cause by adding more verifications before a card can be used. But they were definitely not telling devs to commit fraud.
In my experience fraudulent chargebacks for payments processed without liability-shifting authentication (3D secure etc) are typically lumped together as "friendly fraud". Regardless of origin. With digital purchases, especially fungible ones like game credits, there exists quite a lot of organised fraud exploiting "one-click" checkout chargeback SOPs.
1a. Company is aware of channels particularly prone to unauthorized use of credit cards (with Ninja games being presented as the archetype).
2. Company creates a method for verifying the authority of purchase (and confirms that it works)
3. Company intentionally does not implement verification method, thus explicitly profiting from known fraud.
Now, I'm very much not a lawyer, but this strikes me as the sort of behavior we would seek criminal penalties for. Has there been any indication that this has been forwarded to the relevant parties for investigation / prosecution?
> The records are part of a class-action lawsuit focused on how Facebook targeted children in an effort to expand revenue for online games, such as Angry Birds, PetVille and Ninja Saga.
They have a strong case, I think. Indeed, the facts are so egregious that punitive (treble) damages are possible. So even if class counsel take ~30%, the class could get ~100% recovery. How much? Well, basically it'd be [number of children]*[amount charged per child]. Maybe a few $billion?
I don't completely understand why people maintain that something could be innocent while ignoring the evidence that it wasn't.
Leaving that saved in the browser is awful close to authorization since there are reasonable, low-effort steps that could be followed by a non-technical user to prevent it from happening.
It's like leaving your card on the kitchen counter and being upset when they order pizza.
In at least one case in the article (the 12-year old in Phoenix), the kid apparently did have a separate account; but he asked his mom to let him use her card for what he thought was a one-time purchase, but Facebook stored the card info and behaved like recurring payments had been authorized. (Also the game appears to have been highly non-transparent about when such charges were being incurred.)
So while I agree that the mom would have been well advised not to let the kid use the card for even that one-time purchase, I think that pales in comparison to Facebook's conduct.
While not completely fool-proof, these steps have made it easier to more carefully manage my online spendings and not to suckered into parting with my money.
Like, I knew they were evil, but I didn't think they were stupid too .
2) If you allow this sort of behavior long enough, then it definitely seeps into the culture, the decision-making of management, and the interactions of all those who work there (full-time, part-time, contractors all included). If bad apples can spoil the bunch, then will certain people refuse to interact, do business with, or hire former Facebook employees? Is there / will there be a "blue shield" for Facebook as there is for law enforcement?
FB's stock dropped 40% in the months after going public, so that incentive to not do anything to impact revenue remained as FB dug themselves out of that hole. It may have even been amplified because internal employees were in lockout period watching the stock drop and wanting to cash out at a good price, and probably were (psychologically) price anchored on the IPO price.
Almost every single bad Facebook decision can be traced to them trying to cut corners for increased valuation.
> In comparison, the average chargeback rate for businesses is 0.5 percent, according to the Merchant Risk Council, a nonprofit that helps businesses manage risk.
> A chargeback rate of 1 percent is considered high, and credit card companies such as Visa and Mastercard will put businesses on probation programs for rates consistently that high.
> The Federal Trade Commission said in an unrelated fraud case in 2016 that a 2 percent chargeback rate was a “red flag” of a “deceptive” business.
Nine percent chargeback rate. That's just absolutely nuts.
Edit: I should add that I do see some of the documents reproduced and referenced from elsewhere in the article (e.g. https://www.documentcloud.org/documents/5694620-Exhibit-OO-R...), however I didn't see any way to access the full collection.
The buck stops where?
So yes, Zuck is rotten. And consequently we should expect to find systemic rot through the organization at all but the very lowest levels (the groundskeepers and maintenance guys are probably clean)
They need to Drawn and Quartered publicly to clean them up. Each of these articles adds up to something very scary.
I expect Amazon is due to a truth telling as well.
FB encouraged devs to NOT fight the "friendly fraud". "Friendly fraud" is an industry term (just google it). It is when a customer who received goods then calls VISA and asks to refund their purchase.
Anyway. FB told devs "let parents get their money back, don't fight it". But this article says FB told devs "keep committing fraud", which would be just about the opposite.
Obviously, FB should have taken measures to prevent kids from using their parent cards without permission. But just because FB behaved badly, does not mean it's ok for revealnews.org to spread dirty lies.
We had access to the home phone and wanted to beat the game. So of course, we called the number a few times to get hints on how to beat hards parts of the game. This was before the internet where you could just lookup a walkthrough online.
You can imagine my mother's shock when she received a $200+ charge on her phone bill for a phone number she had never heard of. Apparently the cost of the call was about $5/minute.
We got yelled at and we weren't allowed to call the number anymore after that. I'm proud to say we still beat the game though.
This story is truly messed up though.
These are some super shady and deceptive business practices.
Back in the 80s, children were bombarded with advertisement of phone based games using a 900 number prefix. 900 numbers are unique in that they charge a fee for use. A child who wanted to play the RoboCop phone game would simply pick up a phone and dial the number. Shortly after, they would get to press numbers on the keypad to choose their own adventures. The games were addictive and expensive. 
Eventually, enough parents were ripped off and they fought the system, convincing legislators and regulators to stop the exploitation. This put a complete stop to 900 number games.
there is a special form enforced for storing credit card information. Where was QSA?
Credit card providers and game providers should also take their part in responsibility for storing credit card information.
I do not get how is this still possible with 3D secure protocol out there?
"“Friendly fraud” is the term Facebook used when children spent money on games without their parents’ permission."
That's incorrect and completely reverses the meaning of the internal FB memo. “Friendly Fraud – what it is, why it’s challenging, and why you shouldn’t try to block it.”
(Disclaimer: I work at Facebook but wasn't there at the time.)
I mean there would have to be some criteria for deciding who to return money to, but I'm sure they can come up with something less arbitrary than the original decision making that's hinted at in the article.
I got 9 friends to install Signal yesterday to help them away from WhatsApp. I'd love to see widespread campaign to encourage people to ditch these parasites we're addicted to.
Sam Harris has released two great podcasts that discuss how Facebook, and other companies like them, choose to earn money from, amongst other things, radicalising and polarising people in our societies:
and to some extent:
I recommend these highly.
“I saw all these $19 charges from Facebook,” she said. “It added up to nearly $1,000.”
She asked her son why he would do that. But he was flabbergasted by the charges too. So Bohannon asked her son to play the game so she could watch what he was doing wrong.
As he played, he occasionally clicked on a corner of the screen that gave him more abilities, such as magical items, or new ninja attacks for his character. It didn’t ask if he wanted to pay for it, or let him know that his mom’s credit card was being charged.
“There was no indication he was spending money,” Bohannon said. “So, 20 minutes later, I rechecked my credit card statement online. And sure enough, there was another $19.99 charge from Facebook.”
The fact that it is technically possible for Facebook to validate some purchases and prevent some instances of this problem does not make it Facebook's responsibility not to do something practically equivalent to handing your wallet to a toddler at a carnival.
A 9% chargeback rate on payments identified from minors is an awful lot of careless parents. The real fraud rate would be a lot higher as plenty might write it off to experience come credit card bill. Quite often these things are remarkably difficult to cancel too (no idea if that applies to Facebook).
The fact is many of these ongoing payments, and the use of separate game currencies rather than simple $1.99 are deliberately unclear, even to fully clued up adults. That's rather the whole point of them.
Well, so are amusement park tickets. That doesn't mean you are absolved of responsibility for controlling your cash when you go to an amusement park.
You went to the candy store with your child and paid via CC. The candy store saved your CC by default, and due to deceptive UX, made it difficult to figure out that you needed to opt-out of the saved CC.
The next day, your child was walking past the candy store and the candy seller runs outside and says, "hey kid, you want this candy? its super good and you can have it for 5 dollars! just take it, its yours!"
kid takes candy, you get charged $5.
and in reality, even the "you can have it for 5 dollars" part is generous. facebook did not require the game developers to make it obvious when things cost real money or not.