How is a website owner is supposed to verify that it’s an adult or a kid pressing ‘buy’ button while being logged into an account with adult’s details?
Consumer protection laws assume that big guys can amortize pains and suck it up. They are just built unfair to counteract the already unfair power gradient between individuals and businesses.
What is the alternative? Have a video call with anyone wanting to make an online purchase? What about deepfakes? It’s effectively impossible to determine that the person clicking “Buy” is not an adult, especially if that person is using the account of an adult with permission.
If the CC is stored in autofill, as is the password, and the child has access to the device (presumably through biometrics), then none of those prove an adult clicked “Buy.”
I'm not willing to test in (I don't buy from Amazon) but almost all the time when ordering online from Denmark, I have to authorize the transaction with the second factor — phone app or TOTP key etc.
It depends on the payment method, but for Amazon for me that means either using the Dutch Ideal system which means I have to use my bank's authenticator (which takes my debit card and asks for a PIN) or my bank's app (PIN plus unlocking my smartphone) to approve the transaction, or to get asked for my credit card's 3dsecure password and (often) a confirmation code sent by text (again requiring unlocking my smartphone).
There is no way to just click 'buy' and have it delivered. Only AliExpress does that for me. Perhaps this is possible in the EU with Amazon Prime? All Dutch online shops use Ideal, so accidentally ordering something there is just not possible unless you give your kid access to your smartphone and PIN.
It is and I would love to know when exactly that is the case. Normally all my online payments require 2FA, but some companies can apparently just transfer my money automatically. I'm guessing they need some kind of agreement with the bank, as otherwise 2FA would be pointless.
Nobody is saying it isn't. Parent was saying the burden is on Amazon because they're allowing this to happen without further verification - so in the EU Amazon wouldn't be able to enforce a "you bought it, you're stuck with it".
I do not think unauthorised transactions are much of an issue, and as an other commented asked: what would be the alternative? Come on now.
The solution (that many people do not want to hear) is very simple: supervise your kid, be a parent.
Edit: I love getting down-voted for saying "be a parent". Laughable. We are on HN and you do not know how to prevent this from occurring? Read the other comments, there are lots of suggestions. You have absolutely no excuse.
Or just log out of your accounts when your not using them. Seriously, I do believe that I'm the only person I know who uses the Logout functionality of websites.
Or let your kids use a different user account on the computer.