My iTunes Account Was Hacked for $375 — By My Own Kids

UPDATED: As this past weekend included the Fourth of July holiday, I expected to see plenty of red, white and blue. Unfortunately, all I experienced was red when, on Saturday, I noticed three unfamiliar iTunes transactions totaling more than $375. Nobody in the house claimed responsibility for such sizable purchases, so I assumed the worst — amid recent web reports of wrongdoing, my iTunes account had been hacked.

I quickly changed my iTunes password, and unlinked my credit card from the account to stave off additional unauthorized purchases. Immediately following that, I opened three inquiries with my credit card company — one for each transaction. As of Tuesday morning, my credit card account has been credited back for all three. By the afternoon, I realized I would have to ask the card company to add those charges back on. It turns out my step-daughter made the transactions, courtesy of three in-app purchases, which touched off fireworks in my house rivaling any you might have seen over the holiday.

Clearly I can’t blame Apple or its iTunes Store for the purchases. And I can’t blame those iOS4 app developers reportedly hacking consumer iTunes accounts either. This financial debacle is the direct result of how I have the household iTunes accounts set up, along with the kids’ understanding of in-app purchases. Not only have I learned some better ways to manage iTunes, but this experience also shed light on what kids actually think about virtual goods and currency.

The free game that generated the costly transactions looks fun and harmless. It’s an aquarium on your iPhone that requires you to take care of your fish. You feed them, clean the tank and so forth. But you only get a few fish to start. If you want more or need additional items for your tank, you purchase them by spending real money to buy virtual pearls — or with gold coins accumulated through gameplay. And here’s where my step-daughter stumbled: She figured it was a free app and that both the virtual pearls and gold coins were freely available. So $375 later, I’m now the proud owner of a few thousand virtual pearls.

I’ll admit it can be confusing to have both free coins and paid pearls in a single app for purchases, and we’ve now discussed, as a family, the difference between virtual and real goods with the kids, so this sort of situation doesn’t happen again. Perhaps the most interesting development in all of this was my actual word-for-word reading of the Apple iTunes store terms of service. For privacy reasons, I’m not divulging my step-daughter’s name or age, but an iTunes account requires you to be 13 years old. Yet some of the games that support in-app purchases are rated for ages four and up. Again, I can’t blame anyone but my step-daughter for the $375 charge, but Apple’s age rating seems a bit inconsistent, no?

Preventing a similar situation may be common sense, but let me leave you with a few of my, ahem, pearls of wisdom gleaned from this experience:

  • Don’t link a bank account, PayPal account or credit card to an iTunes account your kids have access to.
  • Consider using the iTunes Allowance system that places $10 to $50 in an iTunes account on a monthly recurring basis.
  • Give your kids iTunes Gift Cards to spend on apps, music or add-ons for their games.
  • Explain the difference between virtual goods and real currency.
  • Update: Set restrictions using the iOS4 parental controls found under Settings, General — you can limit actions such as in-app purchases or buying content over a certain age rating. Thanks to Lava for pointing this out.
