RWarehall: Wouldn't the credit card token be client side, on one's own computer or mobile device?
Thus, this is a non-issue for someone who accidentally is logged into one's account.
Nonetheless, this is a serious issue, not only for privacy concerns and potential mischief, but as I pointed out, if one has Wallet Funds on one's account.
Your cc information is always stored server side. Putting it client side is 100% a PCI 3.0 compliance violation.
Note all it does is alleviate the need for vendors to store your cc information. This allows them to dodge potential issues if their servers are compromised, as they don't have your actual cc information, but instead just a 'token' which really can't be used for anything, nor can your cc information be extracted from it. Essentially it's a tactic of "you can't steal cc info if we don't store it". The token introduces a layer of obfuscation in the event of a server compromise.
But this is easily solved via requiring ccv input on checkout. Though there seem to be conflicting reports as to whether GOG does this.
This of course doesn't alleviate issues with stored wallet value.
But as I've said in previous threads, there's not a whole lot of value in stealing a GOG account and using it CURRENTLY. There's no market for GOG games on third party resellers, nor for selling GOG accounts either. This will become a bigger issue once Cyberpunk 2077 comes out for pre-order, and then there is actual demand for such things. Better to sort this kind of thing out now, rather than figuring it out when accounts get hijacked by the truckload trying to sell off copies of the game on shady cd key websites.
RickyAndersen: Will we hear back from you after the investigation?
I often use wallet funds, I want to know if it's not safe!
Fate-is-one-edge: Hi RickyAndersen.
Wallet funds cannot be transferred to another user, so at "best" if someone else logged in your account, by mistake, they would be able to buy games you wouldn't like and download them for themselves.
The games would stay in your library of course, while I am not sure if your refund request would be granted if you wanted your wallet funds back.
Either way they couldn't steal any funds from your wallet, or buy a game that wouldn't remain in your library afterwards.
Cheers.
You can gift games to other people.
https://support.gog.com/hc/en-us/articles/212804445-How-do-I-buy-something-as-a-gift-
Which is why GOG had to shut down gifting of The Witcher 3 because of rampant credit card fraud being used to sell GOG copies of The Witcher 3 on shady websites.
GameRager: Was it after a period of not buying? I ask as it doesn't ask me every time for such info, and I feel that they should (as others said) each time.
DebbieL: Yes, it was. I just tested it out again by buying a cheap game in my wishlist from the sale, and it didn't ask for the CVV or a confirmation. And you're right, it should.
Note that some systems will require the CCV on initial checkout, but subsequent purchases may not require it if you do them on the same day. Usually they time out after 24 hours and the CCV is required again. This is mostly to make purchases have less friction other than the initial one, so you can buy lots of gifts in a single session. Though each vendor may or may not implement such strategies.