Wonder if this story will get blacklisted
Interesting to keep tabs on it.
A California woman is suing Google, alleging hackers exploited the ad giant's inadequate security to run up thousands of dollars in charges on her Play Store account. Susan Harvey, of Orange County, also accuses Google of refusing to reimburse her, and then after backing down and agreeing to refund the missing money, has not …
Well, according to the court document, it would seem: Google Play Services!
The relevant sentences being: "After powering on her phone, Plaintiff was asked to provide a Google e-mail address or sign on using a Google e-mail address; she signed on using her prior Google e-mail address. Subsequently, the Android operating system prompted Plaintiff to provide payment information in order for her to receive updates regarding her phone." [page 3]
I regularly get prompted to enter a payment method (card/PayPal) when accessing Google services (Gmail, Play Store). The pop-up does strongly imply that you must enter details before continuing, so I can see that normal people may be fooled/tempted into entering payment details when none are actually necessary.
So I suspect one of the key issues is whether, having associated payment details with your Google account, Google should have also explicitly asked permission to use those details in the Play Store, and secondly whether Google did/didn't/should have notified via email all transactions being made, rather than simply bill them using the registered payment details.
What is clear, is once again the only safe payment method (other than none) to have associated with a Google/Apple/Sony etc. online account is a prepaid voucher.
Sounds more like it was the game app masquerading as Google Play when she powered up. I have never had Google Play launch itself at startup or power-up and begin pestering me for user details. Google Play services may be running by default at startup, but it doesn't just begin requesting login info for no reason.
Plus, who the hell takes no notice of 650 bank charges? If even one suspect charge showed up on my account I'd be quite interested immediately.
"Sounds more like it was the game app masquerading as Google Play when she powered up."
According to the court document, it was a new handset, hence yes you are asked to enter or create a Google account etc.
In my case, I suspect the cause of my reoccurring pop-up is that on another device I installed the PayPal app and Google decided they should be linked on all my devices, even though I declined linkage on the original install. Certainly the Lookout scanner hasn't reported anything being amiss...
"could not have been obtained in any way other than a compromise on Google's end"
Yeah right. It couldn't possibly be that she uses the same password for everything because it's her dog/cat/child/partner's name/birthday and there is a keylogger on her computer from that time she opened that funny looking email attachment. That's just crazy talk.
> But even if a client-side compromise, was it effected via an app from (approved by) Play Store?
Or it could have been one of the cheap-arse landfill phones made on the sly in China, pre-infected with data-stealing software to run on boot, instead of an actual "approved" app.
Well according to the court document (points 9 to 13 on pages 3 and 4), it is an open question as to whether the account details actually left Google. It would seem that Google did all the billing, naming the recipient (I assume this is in a similar way as other intermediaries such as Digital River and PayPal name transactions). However, it seems that no one can point to an audit trail that links these payments to actual online transactions nor to monies paid to the recipients named by Google, which is what I take it that point 13 is alluding to.
Evidently plaintiff Susan Harvey used her Bank of America debit card without checking her account and/or changing her PIN when she found an unauthorized withdrawal.
See https://www.bankofamerica.com/deposits/manage/faq-debit-card.go:
"How is a debit card different from a credit card? You can use a debit card just like a credit card wherever Visa or MasterCard cards are accepted. However, when you use a debit card, the purchase amount is deducted from your Bank of America checking account."
"Where can I use my debit card to inquire about account balances, transfer funds or withdraw cash from my account? You can get these services at any Bank of America ATM across the country and at many ATM networks worldwide. Some services may not be available at non-Bank of America ATMs. Fees may apply for the available services at non-Bank of America ATMs."
Susan Harvey may not be the brightest pencil in the drawer, (and you all know how much I just lurve CA) but if the facts bear her out, then she was still robbed.
Since bait and switch, self service, default opt in and usury have become legal in the US, blaming the victim, instead of realizing these new laws are crooked as hell, seems to be the standard response.
She mentions, apropos of nothing in particular, a couple of games that she had on her phone, then goes on to talk about the transactions she disputes, without explicitly saying that they were (or were not) in-app purchases or what the relevance of the games to the situation is or what exactly the transactions were purportedly for at all.
I smell a rat.