A son of mine, I’m not saying which one, borrowed from my desk a credit card and — quick like a bunny — bought over $200 worth of in-game weapons, tools, etc. for the Steam game platform from steamgames.com, which is owned by Valve Corp. Needless to say, the kid is busted, but the more important point for this column is how easily he for a time got away with his crime.
I would have thought that vendors like steamgames.com would not want children to be buying game stuff without the consent of their parents, yet they made it so easy — too easy.
When I use a credit card to buy something online it seems like they always ask for a billing address or at least a billing zip code, but not at store.steampowered.com. My kid didn’t know the billing address for the credit card because it isn’t our home address and isn’t (or wasn’t, I should say) even in California. It was a business credit card and the business was based in another state.
I asked about this when I checked with the bank to see who had been using my card and they told me all those security functions like asking for the billing zip code and the security number on the back aren’t required by the bank or the credit card issuer at all, but by the merchant, to minimize fraud.
In light of this, it only makes sense that steamgames.com wants kids like mine to buy stuff using whatever means they have available. Maybe their parents won’t notice.
Under U.S. law, since my son is under 18, I can probably call and get the charges reversed. I’ll try that tomorrow. But in a culture where bad guys seem to lurk everywhere trying to steal our identities and worse, it’s pretty disgusting to see a company (Valve Corp.) that doesn’t appear to give a damn.
What do you think?
I think they would like to sell in-game stuff to kids with major-label gift cards, which don’t come with billing addresses.
Perhaps you should hate the US payment card industry for not going chip-and-PIN across the board by now, like every other First World country. Not that there aren’t trillions of other reasons to hate them.
“Perhaps you should hate the US payment card industry for not going chip-and-PIN across the board by now, like every other First World country”
Actually, it’s not for want of trying. I mean, who controls chip & PIN in Europe? Visa. MasterCard. It seems slow uptake in the US is actually more down to merchants not seeing any need to upgrade their systems. But don’t worry: you’ll catch up to us soon!”
“Actually, it’s not for want of trying. I mean, who controls chip & PIN in Europe? Visa. MasterCard. It seems slow uptake in the US is actually more down to merchants not seeing any need to upgrade their systems.”
Actually there’s another important distinction: in the US the burden of security is placed on the merchant. In the Europe it’s been placed on the banks. This has led to very different situations.
In Europe, a bank is likely to outright refuse a charge if the billing details don’t match what’s on file. Even if they don’t, the transaction is flagged and it’s very easy (almost expected) that the owner is going to ask for a reversal. Often (if the sum is large enough) the bank will be proactive and call you directly to confirm that everything is ok. Same goes for POS payments where the merchant has failed to secure the relevant customer details (either correct PIN or physical signature) or other mistakes (eg. double charging due to POS malfunction). Payment reversals are very fast (almost instantaneous in many cases, 1-2 business days at most). Banks have in place all kinds of additional security measures (2 factor authentication, 3D secure, instant SMS notification for any money movement (in or out) exceeding certain amounts – I think I can set mine as low as 10 euros).
Thanks to all these measures, the merchants are almost completely covered and worry-free. The banks are also ensured and can streamline losses and protection measures. It has also benefited everybody in other ways: banks offer complete, high quality internet banking interfaces; the banks issue and pay for the POS hardware for the merchants, not the merchants. Basically all a merchant has to do is to tell a bank “I want to process card payments”, they get a POS machine, that’s all, no expenditure, no headaches. This has led to secure card payments being available in even the smallest street corner shops.
Last but not least, the consumer protection laws in the EU make it so the customer is almost never liable for miss-charges. The burden is placed on the bank or the merchant to prove that a transaction took place and was initiated by the rightful owner. And even so, the customer has sensible window periods (up to one month) where they can return the products and get their money back – in full. Granted, this applies mostly to physical products, a case such as Bob’s (software, even shrink-wrap software) is not covered; but then again it might if it was sold as service access instead of a product (cancel the service, get the money back) – this is another aspect of the law, you cannot charge for a service you haven’t delivered.
Jonathan, how would Pin-and-chip helped with an **online** purchase? I’m not sure where Cringely’s son would have inserted a card on the web site?
The issue here was spelled out in Bob’s own post – it is up to the merchant to raise the bar to the level of security that protects them. I’m sure Bob won’t be the first angry parent calling them about reversing charges, but they are willing to tolerate that level of disruption to get the money they get. If too many parents/fraudulent charges came in, they’d surely tighten their security measures.
BTW – for my kids, I have them buy their own iTunes and Google Play cards. They never get my credit cards, and they learn they have to save their money to buy games, music, movies, etc. (or they ask Grandma for cards for Christmas/Birthdays).
Because the online purchaser wouldn’t have had the PIN, so couldn’t complete the transaction. We’re unlikely to get chip and PIN in the US because it takes a second longer to process transactions. We’re going to get chip and sign, so there won’t be any change to the security of online transactions.
I think we should explain to our US friends that the European Chip & PIN system is only for when you are present making the purchase, say at a restaurant or store.
.
When you make a transaction in person, rather than signing a slip, you are directed to enter you PIN code in to the merchant’s credit card machine. Once verified that is the transaction complete.
.
When you use your card on-line you don’t enter your PIN number at all. You are often, but not always, asked to enter three digits from the back of the card, but that’s not your PIN number. It just means that you’ve seen the back as well as the front of the card.
However, my German bank uses Two Factor Authentication for online purchases: valid card and a one time use validation code. The bank sends me a validation code via SMS ( or I could optionally use a hard token ), which I then have to enter back into the online payment form in order to have my purchase actually deduct funds.
As long as you can keep your phone or token away from an unauthorized person, this should protect you from unauthorized purchases.
The problem with Bob’s post is it is factually wrong. Steam does in fact ask for billing address and phone number when you make a credit card purchase.
Apparently, Steam, like all other websites, asks for a billing address when entering in the credit card information. However it’s unclear how often, if ever, the address is verified as correct with the card company. Someone else has posted that as a merchant, he tried to verify the address and was told that the only thing they can verify is whether there are sufficient funds to cover the charge. I hope more merchants will chime in and share their experiences about their ability to verify more than “balance sufficiency”. See Dr John October 9, 2014 at 5:03 am
Steam, Like all other websites, verifies the billing address at the time of adding the payment method. However, If you type the correct information in, there’s no reason that you would need to see that you passed a test.
Bs they ask for that information. My pin credit card without my address was used to fraudulently purchase 700 dollars of games without any repercussions to the perpetrator.
SHUT STEAM POWERED GAMES DOWN AND MAKE THEM ACCOUNTABLE!!!!!
I mean dear god try a little.
http://gyazo.com/49f73fb71c3f818967b8ae14b257e42f
It is first and foremost a parenting failure, the issue of credit card is really secondary.
As a kid, I’d never ever think of stealing money from my parents and buying stuff. Either I had my own money or asked nicely.
I quite agree. By the time I had any idea what a credit card was, I was abundantly aware that to do something like this was miles beyond the boundaries of acceptable behaviour. I can’t understand why Bob’s nipper either thought he could get away with it or, more importantly, wanted to.
Sure, let’s blame the parent. Or the merchant. Or the bank, or the card processor. Hell, we can blame the kid (I expect he won’t be able to sit for a week, right Bob?)
Or we could accept the fact that mistakes, child shenanigans, security breaches, identity theft, customer changing her mind, and so on are a fact of life and they WILL happen; and we move to a system where these things are easy to undo. No blame, no recriminations, just fix the problem and move on.
Or maybe nip the problem in the bud and make Steam Powered Games ACCOUNTABLE for allowing fraud to take place!!!
I think you need to be a better father, Robert. Your son stole a credit card and committed fraud. That’s your fault.
As much as I am a fan of Cringely, I absolutely agree with you. This is a failure on his part and not a minor one. This is every bit as big a deal as children of our generation stealing from Mom’s pocketbook. Let’s face it; no matter how bad we were, there were always those kids that would do that sort of thing and even the ‘bad kids’ in the neighborhood would be shocked about it. Blaming Steam doesn’t absolve you from raising a child that doesn’t respect basic boundaries. Got in trouble often as a kid, but I never would have even considered stealing from my Parents.
Let’s back off the “your child did something wrong so you are a bad parent” thing. (I’m guessing many people making this statements aren’t parents…) Kids do bad things despite their parents best efforts. Now if Bob let this go unpunished and it happened multiple times, then he deserves some blame. But let’s not jump to a conclusion that someone is a bad parent because his kid doing something wrong.
Agreed “A Dad”.
There is no need for casting blame.
Kids learn by doing things right – and wrong too.
Bob is just highlighting how easy it is for others to steal in our modern connected world and how poor security systems and attitudes towards it are.
Companies surely know that if 10-cents is stolen no one is going to report it or think pursuing it worthwhile, but if it happens a hundred-thousand times the profits are worth the blind-eye.
There is no need to insult Bob – unless those casting the mud are perfect themselves…
Roman, you are correct, this is a parenting fail. And ranting about that it’s Steam’s fault just makes Cringely look worse. Shifting blame!
This is clearly a parenting fail. Not a kid fail, not a Steam fail.
I think it is disgraceful and what is more …
My son wanted a credit for an online game, his Mother kindly stepped up to pay using PayPal and the online gaming company set up a recurring direct debit automatically without making this clear or even, as I understand it, asking.
Yes, we did spot it eventually and manually cancelled but this is another example of luring people onto hidden commitments without being decent enough to ask.
A bad taste and takes away the possible pleasure of a game …
Another very valid comment. I once bought some well-known family-tree making software which was shipped with a free three-month subscription to their online genealogical database. I forgot about it, of course, and then found I’d been billed for over £80.
It’s perfectly obvious that these companies operate this scam with the absolute intention that you should forget. If they were scrupulous and honest they’d send a simple e-mail inviting you to renew, yes please, or no thanks. Hell, they could even include a “don’t remind me again” checkbox. It’s not complicated and should be mandatory.
Even Disney does the recurring charge trap, in their Club Penguin kids game. Kids can play for free, but getting some goodies (hats, pets, etc.) is only for subscribers. Kids love it, but lose interest fairly quickly, and then want it again months later, etc.
.
It used to be that you could buy one month (or year) of subscription and be done. Then they changed it so that it could not be done without agreeing to the recurring charge. If you just want to buy one month, you must subscribe and then cancel (the first month is billed and valid).
.
There must be a scumbag somewhere at Disney hugging the bonus he got for milking extra money out of customers, who now despise his company. Good going.
Years ago subscriptions for a specific amount of time had to be renewed. No longer. Now “subscriptions” go on forever and must be cancelled. I suspect this is because it’s free and easy to use a website to cancel a subscription. Even Amazon offers subscriptions to many products, and the price isn’t even fixed. You get the item delivered at whatever the current price may be, until you cancel.
I’m on your side, Bob. I think the company has a responsibility to verify to the extent reasonably possible that they are dealing with an authorized user of the card. In this case they did not. But why should they care? They have to balance the convenience of the transaction with the risk of having it reversed. Since it is just in-game purchases, it actually costs them absolutely nothing. Even a huge risk is totally worth it to them. You should easily get your money back, either from the merchant, because they realize this, or by complaining to the credit card company. It is awkward that it was your own son, but they should still refund the purchases (and take back the in-game items, if possible).
They do, you have to enter the billing address and phone number when you enter the card number. I don’t know what Bob’s talking about, but he’s wrong.
At least in my region (Australia) , Steam certainly does require a billing address to purchase games. It’s saved with the credit card details so you don’t have to enter it each time.
Many other fraudulent charges against cards (e.g the, “I’m from Microsoft scam.”) suggest that the card companies are complicit in the deceit if only because they must get a fair rnumber of complaints of the, “I’ve been scammed.” variety. They simply take the money and don’t care. As Don says there is no cost to them.
I mostly agree with you, but this sounds like you’re having a whinge to me. *Your* son steals *your* credit card, and it’s *their* problem. Laugh.
Steam is awesome.
This little stunt was pretty irresponsible of Bob’s son, but it’s also pretty irresponsible of Bob to claim that Steam is somehow at fault for accepting a valid credit card (one which hasn’t been reported as stolen).
Security features like asking for the code on the back of the card are completely pointless if the card has been stolen; if a thief has your card, they can just turn the card over to see the security code on the back. Asking for an address is also generally pointless if your wallet has been stolen, since your wallet probably has your address clearly printed on your driver’s license. If the thief lives with you (as in this case), it’s usually doubly pointless since the person obviously knows your address. The only way this could be a useful security feature is in cases like this where the billing address happens to be different from your home address (and thus unknown to the person using the card), but those are a minority of cases. Even if the card was registered to a business, I would typically expect one’s family to know the address of the business.
In some cases, “security features” can actually have the opposite problem, presenting an impediment to legitimate users using the card. Speaking for myself personally, I go through a lot of SIM cards; I usually have 2 or 3 active phone numbers at once, and they shuffle in and out from month to month, so when a purchase site requires me to type in my billing phone number, I can never remember which of the half-dozen phone numbers I’ve had over the past year is registered on my bank account. This reduces the purchase to guessing which phone number I happened to pick at the time I registered the account, which often means that I can’t use my own credit card if I can’t guess which phone number they expect me to type in. The address is more fixed, but it’s not very useful as a security measure.
Ultimately, it seems like Bob might as well complain that a bricks-and-mortar store sold something to his son with cash which the son stole out of Bob’s wallet without verifying that the kid was the rightful owner of the cash. A credit card is a purchase medium, readily used to buy things; you should protect it the same way you’d protect cash. If your card or wallet is stolen, all these measures like asking for the 3-digit card verification code or the billing address are largely useless and easily defeated by any savvy thief. If you can’t trust the people whom you live with, that’s a household and family problem, not something you can expect Steam to solve for you.
The reason for asking for the number is not to guard against physical theft – that’s the reason for chip-and-PIN, discussed above. The extra number guards against trashpicking and other forms of theft that involve stealing physical paper on which the card number is printed. It’s archaic and generally useless online but remarkably effective against the kinds of widespread petty theft one still sees.
It seems like your circumstances are so unusual that they are not at all relevant to this discussion. It is usual to optimize a system, particularly its failure modes, to cope with the most common use cases.
As for this being Bob’s “fault”, parenting is not an exact science and kids will be kids. That makes events like this common enough for companies like steam to rely on. Wow! Not often I stick up for Bob!
I’m reminded of a story a friend told me. They had an old xbox that they lent to a friend’s kid. Only they had forgotten that it still had a xbox live account and their credit card details on it. The kid ended up buying stuff from the xbox live store, racking up a couple hundred dollars of expenses.
As for steam… I’m curious if your kid actually bought it through the website, or the client? Because actually doing it through the browser seems a little weird. I pretty much never use the website. As for the security stuff itself, I’m afraid I have to side a bit with Valve on this side. They should be paranoid about their customers trying to pay with money that isn’t theirs? It’s not some website that you can just buy stuff on and never see again, you have to have an account and actually have their client installed on your computer to buy stuff from them. I suspect that the majority of steam client users are actually adults and not kids after all. On the other hand, it would be fairly easy (as far as software features go) to put in some kind of ‘parent permission to buy things’ feature in that password protects the purchase features, or some other kid proofing of the client, and I couldn’t find anything like that. So they could be doing a little more to guard against this type of thing.
There are plenty of reasons to not like Steam or Valve, but I don’t think this instance is one of them. Now, if they are bothersome about getting the charges reversed, that would be a reason to get annoyed at them.
Good Luck in getting the charges reversed!! They probably won’t do it unless you take them to court, oh – try calling a support number if you can find it… All correspondence is done through email, at lease that’s been my experience with them.
I’ve dealt with Steam for many years & I can’t tell you how annoying it is if you ask for a refund..Well – They don’t give refunds at all. Maybe you will have a better chance because you are a well known tech celeb.
Obviously, none of the previous commenters has children, and they don’t remember their own childhoods very well. Every parent has to deal with every child’s attempted theft at some point. If your kid doesn’t have the imagination to try stealing at some point, he or she doesn’t have the imagination to do anything else, either.
The point here is that Steam is acting like the tobacco companies: trying to get children – by which I mean pre-teens and especially the under-10 crowd – to play their games rather than games on a console and to start early. Microsoft requires a parent account to buy all that crap they sell via Xbox to decorate your avatar or, of course, the games. I don’t believe the story about the friend’s old Xbox unless he was foolish enough to give away the details of his account or, worse, had no password on his account at all. If your business practices aren’t living up to Microsoft standards, then you have no standards. But I will admit that their customer service has dramatically improved since Apple became bigger than Redmond.
I am opposed to unmonitored child use of anything with a screen – but I have yet to devise a way to monitor the kids 24/7 without help from the NSA.
Agree about parenting 100%. I had great parents, and ended up turning out to me a fine upstanding citizen (IMHO). But I made a brief attempt at stealing (baseball cards) in my youth. Fortunately for me, I was caught red handed on my first try and my parents made it pretty, um, uncomfortable for me. Never did it again.
In the UK we have Consumer Contracts Regulations (which replace the previous Distance Selling Regulations) which give you a right to cancel orders made online, by mail order, over the phone or through a shopping channel until up to 14 days after the order was placed. Is there not something similar in the US?
Only if! In the US consumer protection laws have been getting repealed in the deregulation fever that’s consumed our law un-makers. It’s quickly becoming a complete “buyer beware” environment. The population of the US has been converted into a giant ATM for the “real citizens” aka corporations.
Corporate theft goes unpunished and is therefore encouraged.
Yes, orders can be cancelled or returned in almost all cases in the US. We don’t need specific laws for this. If a company did not make it clear that returns or cancellations were not allowed, customers would quickly learn to use a “buyer beware” mentality. Even eBay has a form of buyer protection, that encourages all their merchants to bend over backwards to please an unhappy customer. I suspect the danger is far greater that a merchant would be ripped off by a dishonest customer.
Bob I sympathize. I and my kids both use Steam a great deal, and we’ve had instances where the kids purchased things without our permission.
The problem exists not just with Steam but with many systems. Lots of games are using this “freemium” model where the basic game offering is free or low cost and the game company makes its money on upgrades, and various premiums. Most places I’m familiar with (including Steam and Android OS) will warn you on installation that software comes with the ability to make in-application purchases. As parents we need to be vigilant for these things. It’s part of teaching kids the “rules of the road” for Internet.
I’m pretty sure Steam will help you reverse the charges and set up mechanisms so the kids cannot charge things on their Steam account without additional authorization. That’s how we have our kids’ Steam account set up.
Good to know that option exists. But Bob’s problem, as he described it, was not that his kid used a Steam account that was already set up for purchases, but that he “borrowed” his dad’s credit card to buy something. Bob thought he was protected by having an obscure, un-guessable, zip code as part of the billing address.
A lot of sites let you enter credit card information and it’s stored there for easy buying, but it’s not limited to places like Steam. Ubiquitous Amazon does that, too. I don’t even need to log in, really, to buy stuff from Amazon. The login doesn’t have an expiration, as far as I can tell, and I don’t need the credit card handy to complete a purchase.
Something simple like auto-logging out plus required login to purchase makes sense to me, but of course that can be manipulated, too.
Beyond that, there’s always tension between merchant and purchaser as to how easy it is to get a purchase done, versus protecting the purchaser’s information. Push too far in the direction of security and the business loses money (maybe?) from people who back out at the last minute, whereas the opposite leads to easier security breaches or, yeah, tons of DLC.
I’d argue Steam isn’t the worst culprit, as there are many games that have in-game purchasing options. You can sit a kid down with a game and get a bill because they’d bought something in-game, though thankfully most of those have a credit card information wall between you and a bunch of virtual items.
I’d like to throw this out there, though: If you had separate computer profiles and browser profiles, wouldn’t the saved information used to bypass purchase walls not be available for other users? They would at least have to raid the wallet to impersonate you, as well as knowing your password into the system, the proper billing address, and so on. Or does Steam recognize you through other means?
There’s plenty of other things going on with Steam and the like that are worth talking about… you sure you don’t need a games bureau? 🙂
When our card number was compromised in one of the big data breaches a while back we first noticed the compromise through mysterious Steam/Valve charges. The bad guys tools advantage of their policy and I imagine they have many charge backs, but the risk allocation in the credit card Opregs might make that ok from the merchant perspective.
There are lots of opportunities to beat yourself, the credit payment industry and the game manufacturers with a stick here but I think the real issue is societal, or if you like a general moral failing in America. The issues are legion – as are the excuses:
1. Your child thought that this was acceptable behavior
2. The credit payment industry figures a margin into its costs (and your interest rate) to cover fraud so they have no real incentive to worry about fraud.
3. The game company knows that by making it hard for its customers to claim a refund that most will give up and let them keep the money.
In the end, it’s all about money today – and the hell with the consequences tomorrow. We’ve forgotten, as a society, to consider the morality of our actions.
Re: “Your child thought that this was acceptable behavior.” I can understand how this can happen, and yet not involve dishonesty on the part of the child. Suppose the child had seen mom take the credit card from dad’s wallet to make purchases (online, at a store, or gas pump). Perhaps Bob needs to punish Mrs. Cringely. Good luck with that. 🙂
Didn’t you blame the release of nude photos on the women who took them? If you don’t want your cards compromised, don’t leave them lying around.
“Grown to hate” makes it sound like there was a string of mishaps, but that sounds like it is not the case.
The other thing, just as a practical matter, how many parents are really in the same situation as you, where the child can get the card but can’t get the billing address? Among the types of fraud they have to handle, that problem and particular solution are rare, I would guess.
Steam won’t ask for billing address information if the credit card information was previously stored on the account. If you want your son to stop using the card without your permission you need to go into the account and remove the credit card that is on file. Amazon does the exact same thing. So yes, it’s very much all about removing the friction that comes with shopping online. The longer someone takes to make a transaction, the more opportunity for part of their brain to convince them that maybe they don’t need to make that impulse buy 🙂
One thing that Steam does have is a wallet system (much like how iTunes works) where you can put money on the account which can be used to make transactions in the store or directly through a game. That might be a compromise you can work out with your son where you agree to put some money on their account for them and they can spend it however they like without you needing to give them the credit card each time. I believe there’s also Steam gift cards you can buy in stores like GameStop which serve a similar purpose.
There’s also some parental control options that were added in the last year. I don’t know a whole lot about those though, but that might be another tool to investigate.
This was not a credit card on file. There was no credit card on file with Steam.
Several years ago we had a similar problem in our household, Record stores (remember “record” stores.) sold my son some inappropriate music. He knew he wasn’t supposed to buy it. The store knew parents wouldn’t approve of it. Yet the sale was made.
.
One thing I learned as a parent is 9 times out of 10 merchants will accept returns in circumstances involving kids. In the record industry the rule was if you removed the packaging, there’d be no return. We got our money back. (BTW, the 10% of merchants didn’t stay in business long. While it may have been bad business to sell to minors, it is really bad business to anger their parents.)
.
In my example the store merchant could easily see he was selling music to a kid. How does an Internet merchant know who they are selling too? Was the Cringely boy’s purchases age appropriate? If you look at a representative group of web sites you can see great variation in how they screen people. I found only about 1 out of 10 wineries ask for your age first. (Guess what I’ve been doing lately.) Sites can ask for your age and a lot of information on you before selling you something. But is that really enough? Does it really work? Is it really secure?
.
This is the problem with Internet business, it is anonymous. The buyer and seller don’t see each other. Identity checks are weak at best. There is no real way for a merchant to know if the buyer is old enough, or is really who they say they are.
.
Now back to parenting and blame. In 99% of homes a kid will be able to find mom or dad’s wallet, and get access to their credit cards. This isn’t a good or bad parenting issue. It is real life. The parenting starts by setting up rules. ‘You don’t touch my wallet. You don’t remove anything from my wallet without asking and getting permission. When you break the rules there are consequences.’ Life is about making responsible decisions. Oh parents — the rules have to be reasonable and make sense.
.
For years my wallet was the family ATM. The other part of parenting is to support responsible decision making. If you kid needs money for a legitimate reason and asks, you help them. Nine times out of 10 when I heard “Dad, I need some money…” it gave or loaned it. A number of times I’d find a note on my wallet saying “Dad, I needed $10 for gas. You were asleep. I’ll pay it back…” Again that was being responsible.
.
Now were my kids perfect angels? Of course not. Rules were broken. Irresponsible decisions were made. Consequences resulted. For the rebels in the family texting on their cell phones mysteriously stopped working. At some age most kids decide it is best to start making responsible decisions. When they act responsibly, reward it. I will never forget the look on each of my kids faces when I first let them do something special because I trusted them.
.
Welcoming to parenting Bob. You have many years of excitement ahead of you.
I would check the details on Steam more closely. If the purchases were for an account on file and it was, as described, for accessories, it makes sense to me and is as it should be as the purpose in part is to enable it to be easy to make these purchases quickly, during a game, for existing customers. If I were an online gamer like my friends or making a repeat purchase in a similar realm I am accustomed to, further barriers, especially because parents have trouble with kids and credit cards, would be justifiably upset.
On the other hand if Steam allows a prior unused card on an account without address verification or authorizes initial game purchase/account creation without address verification, big problem, very wrong.
Re: “if Steam allows a prior unused card on an account without address verification or authorizes initial game purchase/account creation without address verification, big problem, very wrong.” That was the impression I got form Bob’s comments. But I can’t recall ever using my credit card on a website for the first time, without having to include the billing address. I wonder if it’s possible Bob used that card on Steam some time ago, and Steam saved it without asking or providing any warning. Bob said only that tools and weapons were purchased, not specifically that a new account had been set up, although his post gave us that impression. I once had a problem with Walmart.com, where some stranger in a different part of the country, guessed my password, and placed an order for “in store pickup”. Now whenever I place an order on the Walmart site, I go back later to remove my credit card, which they continue to save without asking or warning that they do that.
Reminds me of this Daily Show segment about an even more egregious case:
http://thedailyshow.cc.com/videos/5acu1n/tap-fish-dealer
I think what is more telling in the piece is revealing that the credit card companies don’t require the security measures before allowing charges, leaving it up to the merchant. This is hardly good business practice and does not protect their users/customer clients. This is where the changes should be made globally. Get after all the credit card companies, banks, etc and put the onus on them. It would help circumvent a lot of this.
If the boy is below age seven, the presumed age of reason, he should be shamed and trained.
However, if he is seven or older the responsibility for the transgression must be shared by the parents who have failed in their duty. Punishment in this case is more complicated but in any event it needs to be centered around morals and intellectual argument.
Dan Kurt
You are obviously not a parent. Have you ever heard of free-will? No amount of morals and teaching will insure a kid, or an adult of any age will make the right decision. The age of 7 has nothing to do with it. Many teenagers when they can drive will push their limits. When they start drinking they will again make poor decisions. No matter how much you tell a kid obey all traffic laws, let us know where you are going, be home by xx PM, don’t drink, … many of them will do the opposite. Kids make their own decisions all the time. They make choices whether to follow their parents instruction or not. The may their own decisions on what is right and wrong.
.
Every kid is an independent minded person with free-will. Every kid is different. There is no one formula on how to raise and trains a kid. The guidance a parent gives must be customized for the needs of every child.
.
If the parents never taught a kid the morals and teachings needed, then and only then can you blame the parents. When a kid does something really wrong, you can’t assume the parents were at fault. I have known many troubled kids. Only one time could the parents be blamed. In that case the young man was 19. He knew he was making poor choices. He knew his parents had made poor choices that had ruined all of their lives. Yet he too made the choice to do the same. He had people willing to help him. He chose differently and is now living out of his car.
John,
I am a parent. My wife is a traditional Catholic. We both were raised in the Church before Vatican II “reformed” doctrine.
I stand behind my comments.
On reading further comments, I can only hope the parents can help the boy.
Dan Kurt
p.s. My son was precocious but never to my knowledge acted out. He expended much energy in team and personal sports. He still at age 35 rides a road bike alone or as a club member. He was also self directed to gain a PhD in Mech Eng with Fellowships so he has no educational debt.
Don’t ascribe to “good parenting” what can also be ascribed to good luck. I have three kids I’d label as pretty damn close to model citizens, but I’m not foolish enough to belive that is entirely my doing. I’ve seen perfect parents have troubled kids, and I’ve seen perfect kids come from parents I wish I could take the kids away from. It just isn’t that easy. Kids are people too. As pointed out above they have free will, and are being influenced from sources not entirely within your control. Bob may or may not be a good parent – but there is nowhere near enough information here to make that judgement. Ditto for the kid. One mistake does not a “bad” kid make. Let’s dial back the judgment just a little bit, OK?
Thumbs up.
All kids are unique, and even within the same household you’re going to find a variety of behavior that can’t be explained by parenting. If you haven’t known a family where the parents did fine work but the kid did wrong then you need to meet more people.
Fallon Cringely is age 8, and has a history of software download payment issues. He is also known as “precocious”. Cole Cringely is age 10. Channing Cringely is age 12. So all are older than 7, and I guess that Fallon reached “the presumed age of reason” well before then. My guess is it’s Fallon, and it’s not a matter of what’s “right and wrong” it’s more “what can you get away with”? I would not be surprised if he has been filching Bob’s wallet for several years, and it was just bad luck he got caught this time. Whichever son, let’s hope they find a way to succeed in life using their intelligence by legal means rather than criminal ones.
Of course they want to make it as easy as possible for kids to buy. This is not unlike the Obama campaign making it as easy as possible for foreigners to donate. They disabled all the merchant verifications as well, so even cards issued by foreign banks could be used, and no need for the card to match the name on the donation. One site was able to donate as Osama Bin Laden from Abbottabad.
I have to wonder how the CC info got associated with your son’s account in Steam to start with. Did he take the card and enter the info, or did you enter the card info when the account was created and then assumed it would be only used for the creation of the account.
Just a fair warning, if you reverse the charges through your bank there’s a fair chance Steam will ax your account in its entirety, losing access to whatever (legitimately purchased) games you already possess. I think it’s part of their ToS.
ah, that sounds like a POSITIVE. “little guy, the game company bounced you. you’re dead to them. that’s what happens from doing bad things.”
pray for it.
Good points Bob. It’s time to start demanding better security on all sides–vendors, credit card processors, and banks. In this case, Valve gets to be irresponsible with your credit card, but the bank will actually eat the loss for any fraud on your card. That’s what happened at Target and Home Depot.
So the economics of the situation are that the parties responsible for paying for the fraud (you and your bank) are not the ones with the ability to stop the fraud (vendors, or in this case Valve). Somebody might say, “Well then stop shopping at Valve and such vendors with poor security measures in place.” And while that is a good strategy in general, it did not help in your case where your card was taken without your knowledge.
On a side note, I believe the only information that is truly needed to charge your card is your cc number. The rest of the information is extra and will lower the transaction fee for the vendor, which is why I guess most of them collect that information too. Somebody please correct me if I’m wrong.
Credit card security is laughable. There are plenty of regular stores that I use that don’t even ask for a signature now for purchases below (usually) $50. Even when they do, my signature is a scrawl that looks like a three year old did it.
My wife has written ‘Ask for photo id’ on here cards and they (the merchants) still don’t ask for it.+
I’m not sure who is more to blame for this lack of any form of checking, the banks, the vendors or us.
The vendors don’t care because the bank will absorb the loss so not asking for id speeds up the purchase process and ‘offends’ us less’
The banks don’t seem to care because the ‘loss’ is just part of the cost of doing bussiness as far as I can tell.
We don’t want it because it inconveniences us.
And the bitch and moan when someone uses our credit info illegally and no one challenged them.
Seems to me we just have ourselves to blame.
A lot of you guys are being pretty hard on a kid who might not have been old enough to understand the situation. Having no jobs and little need to handle money, young kids don’t have the same understanding that people do who have to earn the money to pay for what they need. Maybe Bob routinely pays for his kids’ online purchases and the little guy was trying to save him the aggravation. I remember plenty of time getting hollered at for “heating the outdoors” before I ever understood that it costs money to keep the house warm.
Bob:
I don’t think Steam is at fault. If my one of my sons gets a hold of my PC, he could buy anything he wants at Amazon without needing any credit card information. All he would have to do is hit the “One-Click” button for anything he wants. (My youngest son is 22 and is in a University several states away. My other two sons are older and have their own damn credit cards. I think I’m pretty safe on that issue).
Steam doesn’t need any security against fraudulent charges. If anyone calls and claims their credit card was charged without their permission, Steam can easily return the money. After all, they’re not out of inventory, and they didn’t even have to pay postage. Returning money to a customer is easy and practically cost free.
I don’t have Steam, so I don’t know for sure, but I bet they could even reverse your ability to play a particular game. Your son bought a game on your credit card, you call up, they give you back your money, and take back the game — all at almost zero cost.
What they want to do want is to make it as easy and simple as possible for users to buy a game. The easier it is, the less friction there is, the more likely someone will buy. If Steam starts to play 20 questions, there will be a certain number of users who’d get second thoughts.
Cool down. Call Steam, explained what happen, and they’ll probably apologize for the inconvenience and refund your money. You won’t even see it on your credit card statement.
I hope Bob realizes his child has just passed the first of a three part test used to identify a person’s suitability as a military procurement specialist; and the military may attempt to contact his son at any moment.
People blaming the credit card companies should know that this is the default for merchant software. SteamGames would have had to disable the verifications from the default settings.
Why would you reverse the charges and waste such an excellent parenting opportunity?
.
Let the purchase stand and make your son work off the debt. (I assume you’re not hard up for funds). By the time he’s worked the 20 or 30 hours to make it up, he’ll have a very good understanding of the value of money. Just maybe he won’t bug you as much to pay for useless crap too.
.
Am I being too optimistic here?
Sabyr, older dads tend to be more lenient with childhood behaviours. Add to that, modern times and I’d be worried the house could have been re-morgaged for games right under dad’s feet. So all-in-all, not so worrisome.
Namaste and care,
mhikl
Didn’t Apple have some complaints about some similar prob long while ago? I thought this kind of things wasn’t going to happen anymore.
I don’t understand all the “Blame Bob’ comments. Kids, when they want something, will try to get around the system. It is called learning and growing. We all did something that crossed boundaries. This child (who is actually pretty bright when you think about it) just repeated an action he probably saw. Want something on the internet? Use a credit card. Makes sense.
Dad caught it and the kid has learned a valuable lesson and probably a sore behind. But he learned. That is the takeaway here. Now Valve does have some explaining to do as every web site I visit wants my card info verified with a billing address. That kind of code is not hard to make and the friction on the site would be minimal. The point is either Valve did this deliberately as Bob describes or they were just lazy. Either way, shame on them. As their merchant card vendor I would expect some explanation or they can shop for a new company to provide credit card services.
In then end, Bob has learned, the boy has learned, we have learned and hopefully the people at Valve have too.
I think the fact that his own kid was involved is mostly a red herring.
(1) If some stranger had taken a picture of his card, that stranger would have been able to use it just as easily. There was no verification that the user was authorized.
(2) Because of the way credit card charges are aggregated, there is a pretty good chance that many people will NOT notice unapproved (or even false) charges. (As Bob put it, “steamgames.com wants kids like mine to buy stuff using whatever means they have available. Maybe their parents won’t notice.”)
Not requiring verification is currently a sensible business decision — the loss of sales from too much hassle outweighs the loss of stock from chargebacks. For some businesses — probably including steam — that will always be the case.
A few years ago, theft of copper for scrap sales became enough of a problem that legislators got concerned. Any *single* buyer that asked too many questions would go out business for offending even his legitimate suppliers. But when the law required them *all* to retain ID from sellers of certain products, theft became a bit less profitable.
(A) Is there some level of verification that regulators (or banks) should require for all transactions, even when the vendor is willing to risk a chargeback? What is that level?
Issue two includes a gray area where you signed up for something, but you (or your kid) didn’t realize that the approval was being applied to a purchase, or at least not to a repeated charge.
There are some businesses that get most of their revenue from such unchecked addons. At the moment, this is worse with cell phones than with credit cards, because the cell operator gets a cut, and consumers don’t have the protections (or even the ability to relatively quickly switch providers) that they get with a credit card.
(B) Is that business model sufficiently predatory that positive opt-in (as opposed to opt-out) should be required? At least for recurring charges?
Brian mentions being able to get a text for any charge over ten Euros — if you’re not expecting such a text, then you can react right then, instead of having to read through the whole bill and trying to rack your memory a month later.
(C) Should cell providers be required to send a free text to both the buying line and the primary line when they tack on bonus charges? Is there some equivalent that would be reasonable to require for credit cards?
You want people to be able to buy as easily as possible. I prefer not to authenticate anything when I’m buying something online at a site I’ve saved credit card info on.
I’d suggest a PIN would be a good addition, I require one for ATM transactions, but my kids know my PIN so i’d be screwed either way.
I use Steam all the time, and every time I buy a game it requires me to put in the billing address and phone number for the credit card I’m using. What you wrote is not what I have experienced using the platform for almost 7 years now. You can set it up to keep using the same credit card without entering all that info, but you still have to enter it the first time you use the card. Perhaps your son hasn’t fully come clean to you…
Enough with comments about parenting! Please! Even if I agreed with them (which I don’t)….the issue is that can we please all remember that….
THIS IS A TECH BLOG/FORUM! WHOSE PURPOSE (as stated in the title) IS DISCUSSION “ON TECHOLOGY”
Technology does not involve debates on parenting / sexism / sexio / socio / politico / leftright / liberalconservative / LetMeTellYouHowYouShouldLiveYourLife stream-of-conscousness diaharrea opinions.
We’re here to talk about technology. It’s bad enough that almost every other discussion board that exists in the known universe has been invaded by this crap. This is the second attempt in a few weeks to pervert and corrupt the purpose of this board by attacking Bob personally (“he’s sexist”…”he’s a bad parent”…”he’s liberal” “he’s conservative” “he’s gay”….”he’s straight”….”he’s yada yada”….”he’s yoda” etc. etc.)
– instead of commenting on his technical opinions which is what we’re supposed to be here about.
ENOUGH – LET’S STICK TO THE TOPIC OF THE FORUM. Can we at least keep this as one last bastion of purity?
Please? Thank you.
Being very familiar with all parties involved, I’d like to clarify one thing. Bob is not Yoda.
Bob has moved on to the next column. But the consensus here is that what Bob said happened with Steam is impossible. You can’t set up a credit card on Steam without a billing address, just as is the case with most, if not all, other websites. You can only use a card previously set up properly with the billing address. Perhaps you can shed some light on what really happened.
The Cringely felon gave Steam an address that was not only not the correct address associated with the card, it wasn’t even in the same state. The card was brand new, never used and never even made it into a wallet. Said felon did not try to set up the card for recurring payments, it was used for multiple individual Steam purchases. Steam apparently did not verify the address.
This raises an excellent question, at least in my mind, as to whether this problem is unique to Steam. While it’s true that all websites require a billing address when entering in credit card data, how often is it checked? Someone commented that a merchant, who wanted to verify an address with the card company, was told that all they could do was verify that the balance was high enough to cover the charge.
Steam Powered Games are allowing the fraudulent use of credit cards and should be shut down!
Merchants are, in my opinion, to lax with the security of my credit. I also believe there are things the credit industry could do to improve things generally but won’t until merchants demand them. For that reason I no avoid doing business with Target or Home Depot and hope enough other people do the same so it scares merchants into demanding better credit processes and devices. I don’t want my son, the Russians or the thief down the street to be able to use my credit and if they try I would like the merchants to try and make it hard for them, even if that means I have to remember a number or have a card that takes a few more seconds to process.
To the, off topic, topic. Am I alone in thinking that juvenile delinquent is a bit of an oxymoron? The reason we teach children right from wrong, often repeating lessons, is because they don’t know it and don’t fully understand it. It should be no surprise that they give us opportunities to teach. Having opportunities to teach does not make one a bad teacher.
You may be alone. An “Oxymoron” “juxtaposes elements that appear to be contradictory”: https://www.merriam-webster.com/dictionary/oxymoron. You are making the point that the words are almost synonymous. I suppose it could be said that all juveniles are delinquent at some time, but that could be said of adults as well.
Juvenile delinquent is one who by being juvenile is not legally held fully responsible but to be delinquent one must first be responsible. Realizing that some people would have trouble detecting the opposite intent implied by what may appear to be redundant I prefaced Oxymoron with ” a bit of an.”
Seems like much of this discussion is, like the original column, a little premature.
There’s nothing like enough information to be drawing conclusions about Bob’s parenting. And I don’t think Bob did enough homework before writing this piece.
From my own, direct experience with Steam, making a purchase with an unregistered card (I won’t let them store my card info), you’d need details Bob says weren’t required for his son’s transaction. So something doesn’t add up. And the fact that Bob doesn’t seem to have contacted Steam – well, what’s there side of the story? And a couple of people have already alluded to an allowance system and other parental controls, so I think there is an interesting other side.
I hope Bob follows up with Steam and shares his experience.
Overall, I think that modern parents need to pay attention to what their kids are doing online and make sure they understand risks and parental control mechanisms. Potentially a lot if work, but if your kid was suddenly spending a lot if time over at new unknown neighbour Jim’s house, you’d go over and meet Jim’s folks before too long.
Many years ago I looked at getting a merchant account for my business. It’s what they call it when you ask for the ability to take credit cards.
.
What I was surprised with is that all you get back from the credit card companies is that the card exists, and there’s enough funds for the purchase. You don’t get anything to help prevent fraud. You can’t check the address, or zip / post codes with them. It’s actually really lacking.
.
I asked, because I want to be a responsible trader, how I could ensure that I was selling to the right person and not being defrauded? I was told I’d have to use some other 3rd party list of addresses to verify the address matched the person.
.
Ultimately I opted for PayPal. It was easy to integrate in to my website. I got the funds instantly, not after six weeks with the merchant account. No monthly fees, and similar levels of commission initially and then lower as the volume increased.
.
PayPal worked out much cheaper than getting a merchant account.
.
A web developer phoned me, who was wanting to purchase one of my products, and rubbished that I had opted for PayPal. I then went through the costs of PayPal with him against what he was setting up for his clients. He left by saying he was going to change a number of his clients over to PayPal to save them money!
Steamgames and their ilk are in violation of COPPA, which protect parents and kids from this type of abuse. A complaint to the FTC, which administers COPPA, is in order, and would be appreciated by them – along with thousands of parents that are subjected daily to this abuse.
In the past year, Google and Apple have agreed, under pressure from the FTC, to refund over US $50 million to parents whose children ran up charges through apps on tablets and smartphones since 2011. These apps did not seek parental approval for the kid’s purchases, which violates COPPA. Amazon has chosen to contest the FTC pressure to compensate parents, setting up a showdown with the FTC.
I don’t see what this has to do with child protection or privacy. This should be covered by POPA “Parent Online Protection Act”. 🙂
My 8 year old plays a Steam game called Gary’s Mods and I’ve never seen a better trap to grab unsuspecting parents dollars. On occasion I’ll let my son purchase a small ticket item and in EVERY case the order screen automatically added a ten or hundred place zero once a digit is entered, changing a .50 cent or 1.00 entry into $5, $50, $10 or $100 checkout unless you are really on the ball. What caught me off guard is that it’s able to pull up my PayPal information from previous purchases and doesn’t redirect you to PayPal or ask for any authentication passwords. While I was on a coffee run at Starbucks I got an alert that I just bought $100.00 of Steam Wallet, when I came home and confronted my son he thought he was grabbing a dollar item and nothing popped up alerting him otherwise, which I verified when I ran through it myself.
Once bitten twice shy but Bob and I are pretty sharp and we were both burned by this new stealth robbery method.
I’m not going to punish my Son for liking the games but they’ll never get a dime from me again and I hope Bob’s warning will hurt them in a greater amount than what I’m sure they’ve factored in as far as unhappy users and lost revenue.
Did you get your money back yet?
Paid steam £10 for a game that would not work due to the DirectX version being so old or the graphics card being too new that is needed for the game to work and steam have tried to pass this off and are telling me to contact the company that made the game and to prove this that and the other as if its all my fault.
.
My dad who working in IT spent half a day trying to make the game work and is not going to take a Phd in hardware design just to get this game working but thats seems to be what Steam is asking from us.
In effect they are stonewalling me and will not help or give me my money back and so far as i see it they are little more than scammers who need to be took down a peg or two
I’m not involved in Steam or pc gaming but I suspect they said “contact the company that made the game” to get the tech support required to get it working. The game manufacturer should have a list of system requirements, and if your hardware meets them, they would tell you where to get the proper drivers. It’s rare that hardware or drivers would be “too new”, unless you’re trying to play a DOS game from the 90s.
We cheer innovators without taking into account that “great minds steal”. This happened to me with einen gross kinder and rift. I made a rule to buy not rent and use game cards else “it’s just a game”. The greatest counter was taking them fishing which they proclaimed better than games and they want to go daily now.
This Is not about parenting skills or old fuddy dudies who don’t know technology. It’s about a business model that rewards ruthless and unethical practices. You tube videos praise steam without contradiction.
I must be an old fuddy duddy because I don’t understand this: “The greatest counter was taking them fishing which they proclaimed better than games and they want to go daily now.”
Sorry, I just had to mentally add a few comas, to make the meaning clear.
You know you can tell Steam not to keep your billing information in memory, right? Which, if you hadn’t checked the “Keep this information so that I can be lazy and not have to enter it every time” box, your son wouldn’t have been able to complete the transaction, which is your fault, because you wanted to be lazy and not have to type your information in every time you made a purchase.
Don’t blame this on steam making it too easy. You decided to turn on the “fast track the payment process because laziness” option and your son used it to screw you. Blame yourself.
That’s not what happened according to Mary Alyce. She responded to my post on October 9th (above).
Oh give me a break. Steam Powered Games are stealing and you have excuses for it. Like come on!
Crazy thing happened to me this morning, got a charge from steamgames.com. I did not authorize the transaction nor do I have children so after canceling the card and reporting it to my card companies fraud department I started searching the web and it seems that this is a common practice to use steam as a money laundering front of some sort. (Probably because it is so easy to charge cards)
The cards details gets compromised some how, may even be physically skimmed at brick and mortar shop details get fed into a network of cons and they may only use it months after the fact, obviously the details might also be stolen via online methods too, this is just to illustrate a point.
My card is equipped with chip and pin, and 2 factor protection (verified by visa) but still the transactions went through, I was lucky in the fact that I receive a text message alert on all transactions from my bank and was able to act quickly and also set card limits prevented more transactions, only one transaction could slip by.
This is a serious and far reaching problem.
sources:
https://www.whatsthatcharge.com/STEAMPOWERED-COM-BELLEVUE-WA
http://steamcommunity.com/discussions/forum/1/558756256398853516/
http://mvguam.com/local/news/35548-washington-firm-connected-to-hacked-accounts.html#.VGM95flIFQs
Bob, you’re just jealous of Steams business model. I work for much smaller online video game publishing company. The term for your situation is call “Family Fraud”. If you haven’t called Steam to reverse your charges, then you are just contributing to the problem. I’d be shocked if Steam doesn’t immediately refund your charges and let you kids keep their game subscriptions. You can also call credit card company, but Steam would much rather refund the money directly too you.
seo specialist perth
[…]Sites of interest we’ve a link to[…]
… [Trackback]
[…] There you will find 4726 more Infos: cringely.com/2014/10/07/grown-hate-steamgames-com/ […]
When I went to Jamaica last year I used my credit card at one place. It was at an Iron Shore retail store. It appears that they stole my credit card information and used it to purchase Steam Powered Online Games. They maxed out my credit card.
Why is Steam Powered Games allowing this to happen? Steam Powered Games need to follow up on offenders and have more stringent rules for making purchases.
Actually I should sue Steam Powered Games for the pain and suffering I experienced due to their negligent practices.
I had a $5 amount deducted from my card that is fully chip and pin and I have never bought any applications from steamworks or any gaming company.
The worst part is how Valve Software raised your children to believe that stealing money from their parents is acceptable.
I had this happen to me. I went to Jamaica and voila they maxed out my card.
It seems that the moment you use your card in Jamaica you are almost guaranteed to be ripped off.
Often its a store, a hotel, or airport duty free employees that grab a person’s number.
After all the complaints about Steam Powered Games I’m confused as to why they haven’t been shut down. It’s not like they have even attempted to change their policies to curcumvent theft.
Maybe the bigger question is when a gamer trades in their gold, or gems, or whatever the game is giving as a reward, are the thieves losing purposefully to their friends so they can collect the gift cards, etc. A little money laundering perhaps?
What do you think?