>Tesco Bank initially refused a refund but reconsidered and apologised after BBC Radio 4's You and Yours took up the case.
I wish customer service didn't depend upon whether you complain to HN/Twitter/BBC. This disadvantages those who don't want to tell the whole world about their personal issues
I don’t get why it was the bank’s fault/responsibility here? I would understand if we were talking about Apple or Roblox or something, but why the bank? It’s not like the bank got the money back from Roblox/apple.
I don’t think the bank refunding the money is, or should be, an admission of guilt. It was a “pay this amount of money to make this (wrongly directed) bad press go away”.
So in the end the public complaint was used as a cudgel to take money that wasn’t owed (from the bank).
The bank could be liable because they’re supposed to authenticate the customer making the transaction. Either they did the authentication and the kid passed it (banks fault for bad auth) or they didn’t do authentication for a better UX and it’s still their fault.
Since when is authentication UX inside of a game the responsibility of the individual bank? That would be super crappy if every bank had their own auth ux in every digital platform.
Most banks have a 2FA system involved, especially for transactions that fall outside the trend. It's used primarily to combat identity theft. It's no different in the case a kid does it (conceptually, can't speak for legalities).
> It’s not like the bank got the money back from Roblox/apple.
You know in a chargeback (what the mother most likely did)...the bank claws the money back from the company right?
Additionally, why would their fraud algo not detect "hundreds of transactions" back to back. That is instantly a red flag to almost every bank I've known.
Ha, I managed to block my credit card after three premium purchases from war gaming. Took me three days to reach someone at the bank to get it activated again. So yes, I think the bank could have caught those transactions. Hard to tell so without details. Still, those transactions should fall under the easy to cancel category.
I didn't comment on whether it was the bank's fault or not, I merely wish there wasn't a difference in outcomes depending on whether you complain to the media or not.
To be fair the Bank did nothing wrong. A refund means a net loss on their books, and they did not have any obligation. Marketing-wise it makes sense, but only if this does not become a trend of opportunistic scammers.
I really feel sorry for the mother, but ultimately is her responsability to raise her daughter. I haven’t used Roblox so maybe there is a case for going after them, but not the bank. Might as well sue the ISP that made the internet connection possible or the utility that allows charging her iPad…
Having fraud detection that didn't catch a £2500 outlier without freezing the card and contacting the owner to ask if it was a legitimate purchase could be considered doing something wrong.
Fraud detection is a constant balancing of false positives and false negatives. You basically can't travel these days without multiple credit cards in case one is randomly flagged for something.
> You basically can't travel these days without multiple credit cards in case one is randomly flagged for something.
You can, you tell your bank that you're about to travel so they can relax whatever system flags it. Happened a few times that my card got locked when I went to South America, so started telling my bank before leaving and hasn't happened since.
I asked my bank to do that in one case, they basically said "there is no way for us to do that". So instead the only way they can do it is to try calling me on my phone when said transaction is made to confirm, my phone whose SIM won't be compatible with the network halfway across the planet you stupid fucks.
Honestly the only fool proof way is to travel with cash, banks are incompetent.
One of my banks told me that entering travel information wasn't necessary any longer (and in fact there's no way to do it). In fairness though I've had zero issue with overseas charges for years at this point with that bank.
That said, I almost always have local currency as well. Which post-pandemic and much-reduced travel unfortunately means I have baggies of all sorts of foreign currency for places I may not travel to again at this point.
I've still had trivial domestic purchases flagged though fairly infrequently in recent years. I've had $200 in groceries in the US declined. I'd still advise anyone to carry two credit cards from two separate banks. It also helps if you leave a card at a restaurant or otherwise lose.
You are making the assumption that that would be an outlier of an expense. Perhaps the mom also spends equal if not more amounts on Roblox and those transactions are a large part of the balance sheet, and legitimate. The illegitimacy only came when the daughter did the spend. ASSumptions are fun.
If you read the article, it's clear the mom wasn't familiar with the game let alone spends money on it herself. She said the game looked "innocent" and "very basic."
> "We'd just seen hundreds of transactions, these payment confirmations, so then the panic set in - oh my gosh, whose card is this on?," said Georgina.
It was over many transactions, not a single transaction for £2500, and it's probably likely that the parent had previously purchased whatever the heck is purchasable on this game for their daughter, giving the transaction some sort of signal that it's okay.
The bank can ask for an additional validation on purchases like validating a transaction in a mobile app as part of the payment flow. This is part of 3D Secure and 'Strong Customer Authentication' (https://stripe.com/docs/strong-customer-authentication), and it's a legal requirement in Europe. Having every n-th transaction with Roblox require accepting a notification in your mobile app would stop this sort of issue for 99% of customers.
> A refund means a net loss on their books, and they did not have any obligation.
What is the difference in this case between an unauthorized charge on your card?
Example (here):
- Mom enters CC info to allow the child to buy ONE pack.
- Child then, after the fact, buys 100x packs (an unauthorized charge each time).
Example 2:
- Person gives a friend their CC to pay for food on DoorDash.
- Person then, after the fact, continues using their CC to buy DoorDash (an unauthorized charge each time).
These are both unauthorized charges, and an easy case for a chargeback. Additionally the entity out money shouldn't be the bank but Roblox, since the bank will take their money back.
Your friend in this scenario is committing fraud and/or theft. They're obviously not going to be your friend anymore, unless it was a mistake they immediately correct when notified and pay you back the money - or you forgive it. The bank can go after them and sue for the money/file charges otherwise.
Can/should the bank go after your child? Or does it make more sense to say that yes, you are liable for the charges your child makes? Or do you suggest that we simply accept that kids charging money to their parent's account without permission is something society should pay for?
> Or do you suggest that we simply accept that kids charging money to their parent's account without permission is something society should pay for?
I fail to see how the bank taking their money back from a game, that uses virtual currency, is "society pay[ing] for [this]."
Besides, this is a known issue with a known solution.
Most places have a cap (or don't allow) how much anyone can go after a child's parents (typically $5k in the US) over the child's actions.
Going for specific for this case.
> In England and Wales, parents or carers are not automatically liable for the personal injury, loss or damage that the child has caused. However, if a parent was negligent in, for instance, allowing the child’s actions that caused harm or injury, or for failing to prevent the incident – the parent could be held liable.
Add in the mix that in this case the child has Autism...yeah I don't think this is the hill to die on for making parents pay for something like this.
I don't think that particular UK law applies here. Similarly, in the US, that's not how it works. You can absolutely be liable for your children's charges. In the US, it took FTC action and class-action lawsuits for deceptive billing practices to get similar charges reversed. And the only reason they won was because they were able to argue it was too easy for kids to do it without permission - it didn't hinge on them doing it without permission.
In fact, the article uses the exact same term I did: it's a "gray area", and some CC companies may not let it fly.
> "However, some credit card companies define 'unauthorized charges' as charges made after your card has been lost or stolen, meaning that if your kids make purchases on your card without your knowledge, you are still liable for the charges."
>> In England and Wales, parents or carers are not automatically liable for the personal injury, loss or damage that the child has caused. However, if a parent was negligent in, for instance, allowing the child’s actions that caused harm or injury, or for failing to prevent the incident – the parent could be held liable.
But surely someone is responsible? If someone's kid goes on a joyride and crashes into your house, is nobody responsible?
I am probably much more extreme than you on this issue. If I were dictator, tablets would be banned for children and in-game transactions would be illegal. (It isn't just children it takes advantage of.)
But this class of problem is broader in scope - there are all kinds of services and products kids might be using their parents' cards without permission, and in a lot of cases there might be no real material loss to the company if they "eat" the refund. I think it's going to be very hard to sensibly adjudicate anything broad specifying when it's OK for the retailer just to eat the loss and when not. I don't think it's reasonable to simply declare that "your kid used your credit card without permission" is the same class of problem as "your credit card was stolen."
Perhaps the best thing to do is have a mandatory refund policy on electronic products and services within say, 120 days, but this won't be very popular, and while I'd support it, opponents would likely rightly complain that a lot of consumers would abuse it.
I agree with a lot of your comment (including banning tablets/IAPs for children and the mandatory 120 day refund).
I do disagree with your "this is a different situation" though.
In both an entity (unknown person/child) accessed your card details, and used it for a purchase without your authorization. Theft by any other name (aka "unauthorized charges") is still theft. It's just your child doing it in this case.
If, for example, you give your card to a bar and they charge your your bill, then charge someone else's bill to your card because they skipped on their bill, it's still theft even though it would be called an "unauthorized charge" in the banks eyes.
Besides, a lot of this is why there's processing fees (2.9% + $0.30 for stripe for example), chargeback fees ($25 instantly if someone issues a chargeback and more if you escalate after losing once), and interest on CC products. Even if the bank can't get their money back from the company, they will likely still make more on you by giving you that refund than not.
Should everyone be able to get their money back from Apple/Google/Steam/GOG for any digital purchases? After all, the retailer wouldn't lose anything by giving a refund. Only bits changed hands.
I think about this a lot when I think about immoral employers. How do you warn people or signal dangerous behavior to others without airing your dirty laundry?
It's sad that people and organizations can do things that are widely considered immoral until they're caught by others, and then they're only apologizing that they were caught.
If you think of the case of Wells Fargo, where a bank fired employees because they didn't do something almost illegal -- opening an account without the account holder's permission -- then often gave them a record such that they couldn't work in banking. They did it for years and eventually did get caught, fined and are very regulated now. But that they got away with it so long should give everyone pause.
What can you do? Look at people's credit ratings, job histories, etc. like a human being and know that sometimes people are taken advantage of. Don't hate all regulation because the bigger organization really does have a lot of advantages dealing with customers and employees.
The companies have a financial incentive to keep things as they are. Maybe we need one of those "get you out of your timeshare" style companies, pay a small fee and they argue on your behalf.
The design of these sorts of transactions in games are really insidious.
I suspect most payment providers would immediately flag single 2,500 transaction as suspect and prevent it, but breaking it up into small chunks prevents that.
That some breaking up of cost makes it hard to feel like you are actually spending money. A few 5 pound packs and suddenly you're talking about real money.
It seems like the various app stores should have some sort of preventative measures in place to stop kids from spending money (especially large sums), as it seems obvious these sorts of games are targeting them to spend money. Many even engage in dark patterns to get them to spend without realizing.
I don't really know why in-app microtransactions, and especially in-app currencies, like this are even allowed in apps targeted at children. The worst example I saw was when my son was playing a mobile game based on a TV show for pre-schoolers. The developers had added an entire in-app currency, complete with prompts to buy packs of it when you game over, to a game explicitly targeted at children who can't even speak yet. I considered it a £60 lesson in better screening which games I install, but I'm still pretty pissed at the whole thing years later.
> I don't really know why in-app microtransactions, and especially in-app currencies, like this are even allowed in apps targeted at children.
Because they can. Corporations will engage in any behavior that is not forbidden by law and makes a profit independently on how immoral it is.
The only reason that 5 years olds are not working in mines is because it is forbidden by law, nothing else. Corporations are not people nor have any human moral values.
How are pre-schoolers even able to pay? My 10 year occasionally begs me for micro transactions in these rando games she installs even though she knows it's useless. She can't actually buy anything herself because 1. kids don't have credit cards and 2. I just don't give her mine.
Maybe I am guessing too much here, but I got kids, and one iPad, and my kids use the iPad.
The fact that there is no multiple accounts set up for iPad is on Apple and their greed so that we have to buy multiple devices. Imagine doing the same with a Mac.
Some parents don't use a separate profile for kids and have their app store purchase settings set to the low friction mode that lets you click and buy on the main payment method without any additional confirmation when the phone is unlocked.
I did this once with a game called FlyFF. Dad wasn't thrilled. I think I totaled 1500 USD or so. The form itself had validation on the client side to cap out your total money for the daily maximum (100 USD) but the URL parameter wasn't checked value-wise, only your daily total before the purchase was validated server-side. So I knew enough at 10 or 11 to change the URL parameter to get loads more.
Then I got a very, very angry knock on the door at about 7am about a week later when the bank statement came through.
Not sure what lessons I learned there (aside from the obvious) about software design, micro-/in-game economies, or children using your services, to be honest. On the one hand, these sorts of services need to make money. I get that. But it's also super enticing and unreasonably easy for kids to do this, and I'd imagine it happens a lot more than what makes the news.
Not sure what the solution is aside from a very extensive and rich set of parental controls that are mandatory. Not sure if Roblox has that, and if so, I would imagine this kid did what I did when my parents added pins on certain channels - I looked over their shoulder!
Kids seem to be very crafty about bypassing security controls. The OG bad actors, if you will.
Not sure if you included it above but a big lesson there is that even though it's very easy to prevent this kind of thing in software, when the incentives are going in the opposite direction, the software provider will likely do a shoddy job (e.g. the unvalidated URL param). The ole "It is difficult to get a man to understand something, when his salary depends on his not understanding it."
The developers' salaries depended on kids changing url parameters to spend their parents' money? I doubt that. I doubt the developers ever expected this to happen.
I remember FlyFF from my childhood! Never spent money on it, but yeah that was my first experience with a "pay to win" game model, so I can see how kid-you would have done this.
While I feel like these companies could easily implement sensible daily spending limits to help combat this, parents could also do more to make sure their children aren’t charging their cards. I’m pretty sure Apple and Google both have systems in place where parent’s can approve all purchases.
As far as I understand from the article, the parent had some approvals/restrictions in place, but the kid circumvented by changing the password? The article is rather vague in describing what actually happened exactly.
Well, yes its Apple thing, and they do have systems in place to prevent this, though I'd argue they are not very user friendly for non-tech savy people.
The app payments go through the iOS mandated payment system. There are parental controls you can enable on a child’s device to restrict what can and cannot be purchased, notify the parent, etc. The kid just went around that and disabled those controls and/or figure out the parents unlock password.
This is part of why Roblox, Microsoft, and Epic pay Apple 30% of platform transactions to handle things like this.
Except Apple denied the refund. That isn't handling it. I had heard Apple was good about refunding purchases like this though, so it was surprising to read that.
Don’t leave a credit card connected to your children’s accounts ever, period. Set them up to require your approval to purchase or provide them with a balance via gift cards.
I’m sorry this mother had to learn that lesson the hard way.
Gift cards or an in-between like privacy.com where you can set max-spend on a card number are probably the best method for parents. It should probably be on the platform to suggest features along these lines, as we can't reasonably educate all parents on this, and it's against the individual game dev's best interests to show parents to limit spending (moreso than the platform as a whole)
This is great in theory until the developers make it impossible e.g. Microsoft has a convenient bug (for at least the past 4 years) where Minecraft purchases are authenticated against your child's account PIN, not the adults account PIN that holds the card details. (I use a virtual credit card to protect against overcharges so this is annoying but I suspect many parents without this setup have been burned).
My son gave "5" to a channel called annoying orange, he was so proud of himself. Quick look, yup 5 alright, 500, lol. I wasn't even mad, kind of my fault anyways. I reached out to annoying orange, they were super helpful and reversed the charge thankfully.
You would think a company that caters to kids would get it, but Roblox is the same company that allows kids to hang out in strip clubs, or da hood where they can kill each other over gang territory and has blatant racism baked in.
Maybe the secret to regulating Roblox is to put it in front of the same people who are trying to regulate children's attendance of drag shows? This may be a case of aligned interests!
This website loves to rail about dark patterns, but can't see that Roblox (and Apple) have colluded through dark patterns to allow this scenario to happen.
Their Apple Family pay system is flaky and essentially unsupported (do not bother calling for help when it's not working, there is none), doesn't work at all if as a parent you have an Android phone, and in general is designed to obfuscate in app purchases.
They'll even gladly let you buy the same app and DLC that another family member has purchased which is shareable - you just have to search through a completely separate interface to see if someone else has it already.
Roblox takes this up to 11, you can set up recurring purchases on accounts below 13+ without triggering any notification to the "supervising" account, there's no "family" billing history, no ability to set alerts on purchases when you do give permissions, no ability to set monthly limits (Premium is a different kind of joke), and of course the microtransaction / freemium model is designed to frustrate every child who isn't paying to win.
We banned it in our house after 2.5 years of trying to accommodate our kids who at their heart just want to play games with their friends and each other. But these companies are designed to be mini casinos.
A classmate made a (13+) Roblox account for our son (under 10yo) behind my back. I wanted to delete it, followed all the steps to contact the company via their support form, and was replied quickly and politely: "We do not have an account deletion request feature for players. You can stop using your Roblox account at any time. Should you choose to use your account again in the future, it will remain accessible to you by simply logging in." [1]
I really think this is deeply cynical, considering that Roblox is also targeting young children. With this decision, I feel like they're consciously hindering parents to protect their offspring from computer gaming addiction -- in 2023. This is extremely sad.
Including a dead-easy-to-find "Delete Account" button should be tacit ethical behaviour and a sign of respect towards users for every web company in 2023. Let alone the ones that target young children and thus make money exploiting their brains which are still in developmental stage.
I always hesitate (that is, almost always avoid) making accounts on sites that hide their account deletion buttons. These days, is an obvious sign of distrust towards the users and it feels like there is some stupid hoax.
Obviously, I can block access to roblox.com on my browser (I did, for good!), /etc/hosts, wireless router, etc. But -- actually having to this kind of user-side fiddling in 2023 feels incredibly silly.
Are they also going to add a button to prevent a classmate from just creating another account (or doing it themselves on any computer except yours at home)? All you do is give it a username, password, and solve a captcha.
I’m confused at what deleting an account would actually solve for the problems you’re encountering.
Well, yeah. Obviously, all of this is true. I asked them to ban my son's school email (which the classmate used) for X years. In that case he would need to first create a dummy email for gaming, which, I hope, he is not capable of at this point. :) But the company refused.
He seems fine with only playing Minecraft (which feels safer to me conceptually), though. Interestingly, our son talks quite a bit about gaming addiction (doesn't mean he can handle it easily, though :), so my reasoning about his brain maybe not being able to handle Roblox addiction seemed to hit home.
I'm not paranoid about gaming, but, hoping to have learned from my own childhood, I do prefer to carefully and thoughtfully limit their choice of games, at least for now. Roblox seemed too intensive and flashy an experience to be on that plate (I'd say our son's classmate launched some 5 or 6 Roblox games in about one minute). Also, as soon as I saw that there's something called "robux" involved, it was an obvious no-no for us.
My daughter plays it and had never asked for money to buy stuff in game. I’ve monitored her playing and it’s a really neat platform tbh. I wish I’d had something fun like that to play when I was younger. It feels very Nintendo in the way it tries to build a safe, fun community for kids to inhabit.
That is the thing, though: you really should be involved if your kid is playing these things, and ensure you’ve setup good stringent limits. All of my device’s purchases are locked behind fingerprint auth. I’ve definitely done the due diligence of going through all the parental controls and locking everything down.
You probably don't have any issues because your daughter is well behaved, but fingerprint auth is probably one of the easiest things for a child to defeat - just wait for the parent to fall asleep!
Granted, this describes most of gaming today. The target audience of most video games today is actual children with their parent's credit cards and adult children, also with credit cards, who value buying skins and decals over actual gameplay.
On a different note, the lack of support for parents of children with Autism is just really really shit, and it seems like where the heart of the problem is here
Can't we at the very least be allowed to easily apply some spending limit on iOS/iPadOS apps to catch this kind of stuff? It would also help serve as a basic allowance system.
On the note about the seatbelt, At some point, I think someone said it _was_ car manufacturers’ faults if drivers didn’t buckle up. Otherwise we wouldn’t have that… oh so helpful chime when we forget to buckle. NHTSA 7.3
There are already systems you can setup to control for things like this. Adding more systems to setup won't help though if the current ones also aren't being used. It's just easiest to setup a kids phone just like how you use it, it's what you know.
"I rang up Tesco Bank and they said, because it was my daughter, they couldn't do anything about it. So I tried Apple again - they just read me their terms and conditions. So that's when I contacted the BBC, You and Yours, consumer programme."
Within a day, Georgina said that Tesco Bank contacted her to say they would refund the full amount.
That's crazy. When an unauthorized user transfers funds, it's the unauthorized user committing a crime against the bank, with the bank having the responsibility to correct the customer's account and the unauthorized user owing the bank the money. When a young child commits a crime it is their parents who are responsible, therefore the person who owes the bank money is the mother whose money was taken in the first place. She doesn't deserve a refund.
I wish customer service didn't depend upon whether you complain to HN/Twitter/BBC. This disadvantages those who don't want to tell the whole world about their personal issues