back to article 'Hackers racked up $$$$s via the Android Play Store, and Google won't pay me back'

A California woman is suing Google, alleging hackers exploited the ad giant's inadequate security to run up thousands of dollars in charges on her Play Store account. Susan Harvey, of Orange County, also accuses Google of refusing to reimburse her, and then after backing down and agreeing to refund the missing money, has not …

  1. knarf

    Wonder if this story will get blacklisted

    Interesting to keep tabs on it.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wonder if this story will get blacklisted

      One of the many things to become ungoogleable!

  2. Ragarath

    App Name

    More importantly, what app do we need to avoid?

    1. tmTM

      Re: App Name

      Candy Crush Saga

      Total guess..........................

    2. Roland6 Silver badge

      Re: App Name

      Well according the court document, it would seem: Google Play Services!

      The relevant sentences being: "After powering on her phone, Plaintiff was asked to provide a Google e-mail address or sign on using a Google e-mail address; she signed on using her prior Google e-mail address. Subsequently, the Android operating system prompted Plaintiff to provide payment information in order for her to receive updates regarding her phone. " [page 3]

      I regularly get prompted to enter a payment method (card/paypal) when accessing Google services (gMail, Play Store). The pop-up does strongly imply that you must enter details before continuing, so I can see that normal people may be fooled/tempted into entering payment details when none are actually necessary.

      So I suspect one of the key issues is whether having associated payment details with your Google account, should Google have also explicitly asked permission to use those details in the Play Store and secondly whether Google did/didn't should of notified via email all transactions being made, rather than simply bill them using the registered payment details.

      What is clear, is once again the only safe payment method (other than none) to have associated with a Google/Apple/Sony etc. online account is a prepaid voucher.

      1. Anonymous Coward
        Anonymous Coward

        Re: App Name

        Sounds more like it was the game app masquerading as Google Play when she powered up. I have never had Google Play launch itself at startup or power-up and begin pestering me for user details. Google Play services may be running by default at startup, but it doesn't just begin requesting login info for no reason.

        Plus, who the hell takes no notice of 650 bank charges? If even one suspect charge showed up on my account I'd be quite interested immediately.

        1. Roland6 Silver badge

          Re: App Name

          "Sounds more like it was the game app masquerading as Google Play when she powered up."

          According to the court document, it was a new handset, hence yes you are asked to enter or create a Google account etc.

          In my case, I suspect the cause of my reoccurring pop-up is that on another device I installed the PayPal app and Google decided they should be linked on all my devices, even though I declined linkage on the original install. Certainly the Lookout scanner hasn't reported anything being amiss...

  3. Anonymous Coward
    Anonymous Coward

    cf.

    Sony tells hacked gamer to pay for crooks' abuse of PlayStation account

    1. Anonymous Coward
      Anonymous Coward

      Re: cf.

      Yeah, look over there!!! Nothing to see here.....

  4. Reading Your E-mail

    "March 2013 and August 2014"

    Probably should check your bank statement once in a while.

    1. Anonymous Coward
      Anonymous Coward

      Yes, that's a good idea but doesn't excuse money being fraudulently taken.

  5. Gio Ciampa

    Dumb question...

    I assume she didn't change her Play settings to "ask me every time"...?

    1. Cliff

      Re: Dumb question...

      I assume she didn't think she'd need to - and if it was data obtained from Google rather than her phone, perhaps that wouldn't have made a different anyway if payments were presented multiple times backstage.

  6. Irongut Silver badge

    "could not have been obtained in any way other than a compromise on Google's end"

    Yeah right. It couldn't possibly be that she uses the same password for everything because its her dog/cat/child/partner's name/birthday and there is a keylogger on her computer from that time she opened that funny looking email attachment. That's just crazy talk.

    1. Spleen

      If she fell victim to a keylogger then it wouldn't have mattered if all her passwords were different and totally random strings including numbers and punctuation marks, as I'm sure yours are.

      If you're going to be smug and techier-than-thou, at least be consistent.

      1. Anonymous Coward
        Anonymous Coward

        Also seems a little odd that this key-logger only used the data to buy purchases from one app........

  7. lansalot

    hmmm

    "nearly all" without any notification or permission from Harvey herself

    In other words, she got carried away...

  8. Argh

    The real story

    Isn't the real story here that account credentials have been leaked from Google, according to the suit?

    I'd have thought that if there was any evidence of this, it would be a huge story. As Irongut says, more likely to be a compromise at the users end.

    1. vagabondo

      Re: The real story

      But even if a client-side compromise, was it effected via an app from (approved by) Play Store?

      1. MrDamage

        Re: The real story

        > But even if a client-side compromise, was it effected via an app from (approved by) Play Store?

        Or it could have been one of the cheap-arse landfill phones made on the sly in China, pre-infected with data-stealing software to run on boot, instead of an actual "approved" app.

    2. Roland6 Silver badge

      Re: The real story

      Well according to the court document (points 9 to 13 on pages 3 and 4), it is an open question as to whether the account details actually left Google. It would seem that Google did all the billing, naming the recipient (I assume this is in a similar way as other intermediaries such as Digital River and PayPal name transactions). However, it seems that no one can point to an audit trail that links these payments to actual online transactions nor to monies paid to the recipients named by Google, which is what I take it that point 13 is alluding to.

  9. Anonymous Coward
    Anonymous Coward

    So, someone broke into Google's servers and stole her details and then took out several thousand dollars over the next year and a half, which she never noticed. And she was the only person whose details were stolen from Google.

    Sounds plausible...

    1. Anonymous Coward
      Anonymous Coward

      Indeed.

      Makes you wonder why they bother with courts when it's so easy to make your mind up from a couple of hundred words on a news site.

  10. Frank N. Stein

    "Unfair Competition"??

    Did her lawyer just tack that one on to the charges to gain some extra fees, because I don't see how Google Play's dodgy security has anything to do with "unfair competition". This isn't an anti-trust case.

  11. harmjschoonhoven
    Facepalm

    Sue first, ask questions later

    Evidently plaintiff Susan Harvey used her Bank of America debet card without checking her account and/or changing her PIN when she found an unauthorized withdrawal.

    See https://www.bankofamerica.com/deposits/manage/faq-debit-card.go:

    "How is a debit card different from a credit card? You can use a debit card just like a credit card wherever Visa or MasterCard cards are accepted. However, when you use a debit card, the purchase amount is deducted from your Bank of America checking account."

    "Where can I use my debit card to inquire about account balances, transfer funds or withdraw cash from my account? You can get these services at any Bank of America ATM across the country and at many ATM networks worldwide. Some services may not be available at non-Bank of America ATMs. Fees may apply for the available services at non-Bank of America ATMs."

    1. Pookietoo

      Re: Bank of America debet card

      I think we're aware of the concept of a debit card - I've lived a largely cash-free life for years with mine (and the PayPal account it feeds) as I am sure have many Brits. Maybe it's a strange idea across the pond?

      1. Doctor Syntax Silver badge

        Re: Bank of America debet card

        " Maybe it's a strange idea across the pond?"

        Or maybe a debet (sic) card is something different.

  12. ecofeco Silver badge

    I see "blame the victim" is still popular here

    Susan Harvey may not be the brightest pencil in the drawer, (and you all know how much I just lurve CA) but if the facts bear her out, then she was still robbed.

    Since bait and switch, self service, default opt in and usury have become legal in the US, blaming the victim, instead of realizing these news laws are crooked as hell, seems to be the standard response.

  13. Anonymous Coward
    Anonymous Coward

    Complaint is suspiciously light on detail.

    She mentions, apropos of nothing in particular, a couple of games that she had on her phone, then goes on to talk about the transactions she disputes, without explicitly saying that they were (or were not) in-app purchases or what the relevance of the games to the situation is or what exactly the transactions were purportedly for at all.

    I smell a rat.

    1. Roland6 Silver badge

      Re: Complaint is suspiciously light on detail.

      I would assume, given this is a filing and based on filings for patent litigation in US courts, the details will be produced as evidence in court. hence this lack of detail is normal and so nothing can be directly inferred.

  14. Cook942
    Facepalm

    "My phone is more secure than googles servers"

    "the credentials could not have been obtained in any way other than a compromise on Google's end."

    LMAO

    1. TeeCee Gold badge

      Re: "My phone is more secure than googles servers"

      I'm guessing:

      1) Susan.Harvey@gmail.com

      2) Pa55w0rd.

      (I didn't get those from Google either).

  15. 2StrokeRider

    Not absolving the Goog but ...., yes, there are ways for malware to obtain credentials from your device, even more if it's rooted (we don't know if hers was). Going months without reading a bank statement is negligent.

    It's Kalifornia, she'll probably get money for pain and suffering :)

    1. phil dude
      Coat

      that's what....

      the Mary Jane stores are for...

      P.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021