You can now store your card for later use.

When making any purchase with a credit or debit card, you can now select the option to save your card for later use.



If your payment is successful, that card will be remembered for later use. You'll be able to select it during your next checkout without retyping the info every time. Simple, straightforward, and probably very familiar.


We're taking advantage of tried and tested industry-standard solutions used across the world today. Among other things, this means your entered payment data isn't actually kept anywhere on GOG.com. Once your bank approves the purchase, your entered card number is replaced with a unique, encrypted token that can be used only by us to process your future payments, and which cannot be reverse engineered to resolve your card number and data. From time to time, we'll also ask you to verify your information based on a number of security factors, like if you haven't used that card in a long time.

While it's not required, we also strongly recommend enabling Two-Step Login before saving your payment details.

Keep in mind that you can easily remove your saved payment method through the My Account / Orders section. We'll also automatically invalidate all payment tokens for any account that hasn't been used in a long time.


We hope the feature turns out to be particularly useful soon, when you may just feel compelled to click really, really fast.
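The token properties the announcement describes (random rather than derived from the card number, usable by one merchant only, removable by the user, invalidated after inactivity) can be modelled as below. This is an added example, not GOG's or any payment processor's code; `TokenVault`, the merchant IDs and the 365-day idle window are assumptions, and the card number is a constructed test value.

```python
import secrets
import time

# Assumed inactivity window; the announcement only says "a long time".
IDLE_LIMIT = 365 * 24 * 3600


class TokenVault:
    """Hypothetical vault run by the payment processor, not the shop."""

    def __init__(self):
        self._records = {}  # token -> {"pan", "merchant", "last_used"}

    def tokenize(self, pan, merchant, now=None):
        # The token is pure randomness with no mathematical relation to the
        # card number, so there is nothing to reverse (unlike a hash of it).
        token = secrets.token_urlsafe(32)
        self._records[token] = {
            "pan": pan,
            "merchant": merchant,
            "last_used": time.time() if now is None else now,
        }
        return token

    def revoke(self, token):
        # The user removed the saved card from their account settings.
        self._records.pop(token, None)

    def charge(self, token, merchant, amount_cents, now=None):
        now = time.time() if now is None else now
        rec = self._records.get(token)
        if rec is None:
            return "declined: unknown or revoked token"
        if rec["merchant"] != merchant:
            # A stolen token is useless to any other merchant account.
            return "declined: token not issued to this merchant"
        if now - rec["last_used"] > IDLE_LIMIT:
            del self._records[token]
            return "declined: token expired after inactivity"
        rec["last_used"] = now
        # Only inside the vault is the real card number ever looked up.
        return f"approved: {amount_cents} cents on card ending {rec['pan'][-4:]}"
```

The shop's database in this model holds only the token string, so a leak of that database exposes no card numbers.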
Martek: I expect at some point, card data will be saved even for those that never turn on the option to do so. Worse, there may not even be any indication it happens. How would we even know if the system saves the data starting right off; even though we are told, and we "think" it isn't? How would we even know?
Zeyes: If you guys are that distrustful of what GOG will be doing with your payment data, why were you doing business with GOG in the first place? Seems rather strange to assume nefarious actions for the future but not assume them for the past. For all you know, GOG could have quietly saved and abused your payment data without you being aware of it all along.
QFT
high rated
Antoni_Fox: Yes, but then you are giving GOG free access to take money from you via PayPal whenever they want 24/7 with no questions asked ... Even if it's not to purchase a game. It's the same as giving somebody your debit card and PIN number. It can easily be abused and is unsafe. Hackers would love you for that too.
If that's your attitude towards GOG, maybe you shouldn't be making purchases on GOG in the first place. I mean, if they really want to take money from you, does it really matter whether you store your CC details or not? They could easily copy them whenever you enter them manually...

EDIT: d'oh, ninja'd!
Post edited March 17, 2016 by muntdefems
low rated
BKGaming: Technically they're not storing your card number, they are storing a unique token that allows you to make purchases. So it's kind of impossible for someone to get your card numbers because again it's not actually stored. Second, why is it like everything GOG does anymore turns to fear mongering. It's optional, this "OMG it's going to be stored even if we don't enable it" paranoia is a little absurd.
Not absurd at all.

Just like passwords that are stored as salted hashes, if that hashed table gets out - then systems can be hacked into even without the actual password.

Just like biometric fingerprint readers, "your actual fingerprint isn't stored - just a computed number". IF that number gets out - it's as good as your fingerprint. A MITM attack could inject it.

Same here - the so-called unique-token could get stolen and then used to make purchases. Same thing as having your card info. A MITM attack could possibly use it.

Of course, you'll say - HOW WILL THEY DO THAT?

I don't know.

But I know this - I remember when signed certificates became a thing - I opined that they would get hacked and used for nefarious purposes. Of course, all the techies I knew said "HOW WILL THEY DO THAT?". I didn't know. Hence, to them, that obviously meant it could not happen. After all, if I thought something like that could happen, but didn't know the details on how it might - then of course it could not actually happen.

Right? Now it happens basically all the time. That very thing I thought could happen that other techies thought could not.

Déjà vu hits me now. Here are the techies telling me no way, no how can it happen.

Yeah right. I'll trust my own counsel on this. Thanks anyways.
I'm happy to keep entering my details every time. I know my card number off the top of my head, having made so many GOG purchases: it's 43... Wait, you're not supposed to know that.

Question, though: if an account is compromised, and purchases are made by a third party, what happens? Will the terms of service be amended to account for this?
Zeyes: If you guys are that distrustful of what GOG will be doing with your payment data, why were you doing business with GOG in the first place? Seems rather strange to assume nefarious actions for the future but not assume them for the past. For all you know, GOG could have quietly saved and abused your payment data without you being aware of it all along.
You don't have to distrust GOG. You don't have to think GOG will do the nefarious things.

They can be hacked - just like any number of other companies and sites that get hacked all the time.
Won't be using this, but providing more options for people is (almost) always a good thing.

As for the last part? That's kind of adorable. I've punched my info in manually so many times that I'll be 85, unable to remember my own name, and still be able to spit that crap out from memory within two seconds.
Post edited March 17, 2016 by CarrionCrow
high rated
Martek: Just like passwords that are stored as salted hashes, if that hashed table gets out - then systems can be hacked into even without the actual password.

Just like biometric fingerprint readers, "your actual fingerprint isn't stored - just a computed number". IF that number gets out - it's as good as your fingerprint. A MITM attack could inject it.

Same here - the so-called unique-token could get stolen and then used to make purchases. Same thing as having your card info. A MITM attack could possibly use it.
I understand your concern, but nope - we don't store hashed card data. Again - read the original newspost carefully please. Man-in-the-middle won't do too. You don't have access to this "token" anywhere on the website or AJAX calls either (which is not hashed card data). I guess Barefoot_monkey or adaliabooks could check that for you if you don't trust me. :)

edit:
Martek: They can be hacked - just like any number of other companies and sites that get hacked all the time.
If we even, speculating, theoretically, got hacked (no we won't! :P ), only thing that hackers could do with those tokens is make GOG.com payments, nothing more. :)

update: he wouldn't be even able to do GOG.com payments. So no payments for hackers.
Post edited March 17, 2016 by Johny.
Wait a minute... If GOG has just recently implemented HTTPS throughout the site, does that mean that every time that those smug I-will-never-store-my-details-on-a-website and no-matter-how-secure-the-system-is-the-website-could-be-hacked folks have been transmitting their CC numbers out in the open? :D
high rated
muntdefems: Wait a minute... If GOG has just recently implemented HTTPS throughout the site, does that mean that every time that those smug I-will-never-store-my-details-on-a-website and no-matter-how-secure-the-system-is-the-website-could-be-hacked folks have been transmitting their CC numbers out in the open? :D
Checkout was always HTTPS only.
high rated
Martek: snip
You're never going to be 100% safe. Your information could have been stolen the normal way during the transaction, i.e. the data not being stored by GOG and they would actually be worse because if that happened they would actually have your card number that could be used anywhere.

With this they get a token that can only be used on GOG.com. So in a way it's kind of safer. Like any sensible person, you use a credit card so the charges can be disputed and you monitor your charges. For example, with my credit card company they send me an email every time a charge is made over a certain amount set by me and anytime an international charge is made.

This is nothing more than distrusting a company that you've obviously done business with multiple times and never had an issue with. If they wanted to f*** you over they would have done it by now.
Post edited March 17, 2016 by user deleted
muntdefems: Wait a minute... If GOG has just recently implemented HTTPS throughout the site, does that mean that every time that those smug I-will-never-store-my-details-on-a-website and no-matter-how-secure-the-system-is-the-website-could-be-hacked folks have been transmitting their CC numbers out in the open? :D
Johny.: Checkout was always HTTPS only.
Oh, I see. I use PayPal, and I'm aware the PayPal verification step is HTTPS, but I wasn't sure about GOG.
low rated
Martek: Just like passwords that are stored as salted hashes, if that hashed table gets out - then systems can be hacked into even without the actual password.

Just like biometric fingerprint readers, "your actual fingerprint isn't stored - just a computed number". IF that number gets out - it's as good as your fingerprint. A MITM attack could inject it.

Same here - the so-called unique-token could get stolen and then used to make purchases. Same thing as having your card info. A MITM attack could possibly use it.
Johny.: I understand your concern, but nope - we don't store hashed card data. Again - read the original newspost carefully please. Man-in-the-middle won't do too. You don't have access to this "token" anywhere on the website or AJAX calls either (which is not hashed card data). I guess Barefoot_monkey or adaliabooks could check that for you if you don't trust me. :)

edit:
Martek: They can be hacked - just like any number of other companies and sites that get hacked all the time.
Johny.: If we ever get hacked (no we won't!), only thing that hackers could do with those tokens is make GOG.com payments, nothing more. :)
I say - famous last words. Time will tell. :)

Meanwhile, as I mentioned, I'll do what I do for other sites that store that info (whether it's via an option or not - if the mechanism exists it might get used by accident with no outward sign) - I'll gen up a virtual credit card number. Now if your site ends up being unable to use that - that will be a problem. We'll cross that bridge on my next purchase..
high rated
Martek: Meanwhile, as I mentioned, I'll do what I do for other sites that store that info (whether it's via an option or not - if the mechanism exists it might get used by accident with no outward sign) - I'll gen up a virtual credit card number. Now if your site ends up being unable to use that - that will be a problem. We'll cross that bridge on my next purchase..
That's entirely up to you! :)
GOG.com: We hope the feature turns out to be particularly useful soon, when you may just feel compelled to click really, really fast.
... Welp, I guess I should make sure I sleep as well as possible for the next few days. You know, just in case. :P
I thought it was a simple hash encryption after reading the OP but some of the comments explain the token concept a lot better. This actually looks safer (though I do not believe anything is 100% safe in life) than entering the cc number every time. I'm considering doing it and I'm reasonably paranoid about this sort of stuff.