Hacker News

No, the kid didn't steal anything. Just clicked the button to buy the in-game stuff, and Google deducted it from the credit card tied to my account without requiring any authorization. The fault here was entirely with Google.



Google made it too easy to make in-app purchases.

If you don't pay attention, when purchasing an app or anything else the first time, you enable by default the "fast workflow" that doesn't require authorization for the following purchase.

It's also hard to find the setting again in the Play Store app.

Everything is made to reduce friction when purchasing... which doesn't align with the goal of most parents.


Exactly. It's vital that we revert all such payments made without our explicit authorization. This is harmful behaviour from Google, and it's important that they understand that.


It is in their interest to keep that going to the fullest extent possible.

They will nod their heads and put in some controls, but eventually the dark patterns will come out again.


> clicked the button

That was the authorization.


It wasn't. That's not how authorization works. A random game should not control my finances.


Your child was in control of the finances, not the game. You gave them the controller, so I don’t understand your hostility to the previous post.


No, my child was playing the game. The game is not my banking app, and even my banking app requires authorization on top of clicking a button. Merely clicking a button in a game is not financial authorization, and it's harmful to accept this as if it's normal. It's not.

I'm not hostile, I'm just explaining that playing a game is not the same thing as authorizing a financial transaction. I don't understand why you insist that they are.

An online financial transaction should at the very least require a password or PIN code. Preferably a redirect to my bank where I authorize the transaction through my bank's authorization mechanism (which uses 2FA). I go out of my way to disable everything that doesn't do that, including PIN-less NFC payments on my bank card. At the time, I'd also set Google Play Store to always require a password (which should really be the default), and yet it executed a payment without it.

To suggest that a simple button click in a game played by children should be enough to access my money is ridiculous.


Sure, I mean, it would be better if the entirety of online transactions was different. Could be vastly improved. That’s not how it is today though.


It's how most of my online transactions are. When I buy online, I'm redirected to my bank's website to authorize the transaction. That's exactly how I want it. Only Google and Amazon and a few others require less secure transactions for some reason. I don't like that.


Most of your EU/NL transactions perhaps. None of your US transactions. It’s shitty but it’s true.


To my big frustration, yes. I'd like international payments to use a similar system. It's why I don't buy from Amazon and avoid other webshops that don't support this. Fortunately Steam and GOG.com do. As do all the Dutch webshops. But Lego.com unfortunately does not.



