That's not how secure systems work. A secure system always challenges entry and never makes an exception since exceptions are exploitable. If GOG stops challenging all users, then it become much more appealing to compromise established active accounts for illegitimate uses. We already get enough account hijacks these days, GOG does not need to make that a more popular activity by reducing the already limited security they use.

Clearly your generalist answer does no justice to the specific situation. If you really believe otherwise describe how not requiring a redeeming captcha for said user (logged in, just spent $$$, have never before failed at inputting a correct code) could possibly be abused so badly that it justifies this practice.

knock on wood... i dont see the captcha in FF anylonger at startup.

i did saw another weird thing, i will ask this in a seperate topic, cause it seems someone is making a funny or gamersgate is gone all of a sudden.

Account hijacked, real human user buys something and passes the captcha, then sets a script/bot running that buys multiple codes automatically. Without that extra human challenge, the system is easy (well, easier) to exploit and do a lot of damage.

The topic is not about buying codes. It is about redeeming codes (that you got from buying something else - see GOG front page) into your own account. Basically it is the same as getting a free "Daggerfall" for a purchase of "Morrowind" - clearly that does not justify requiring a captcha for adding the free "Daggerfall" to the account.

The system doesn't care if you are buying codes, redeeming pre-bought codes, getting a freebie or whatever. This is what I mean about exceptions. If you create an exception for a secured system, no matter what that exception is or the reasons for it, the system is no longer secure. So you have to check a box when you cash out, big deal. Small price to pay it it prevents even some fraudulent use of GOG.

deleted

I dont know what exactly you mean with "exceptions".

Obviously you are either wrong or misapplying generalist talk to the specific situation. You failed to give an answer to my request for an example regarding this specific situation - probably because there is no such example - meaning there is no threat other than buggy implementation.

Thats your personal opinion. I do not share it. Furthermore your assumption (you just have to check a box) is also wrong in my personal experience with such systems in general and also this system in specific. Eventually/sometimes it (the captcha system) comes up with some random harassment practices other than "just checking a box".

So how's the captchas for everyone so far? For me they were simply click the checkbox and that's it. Not the more annoying variant where you have to choose pictures containing content X.

yeah ! but the first time you feel a little bit O__o :P

wonder since went the google captcha look like this. On many places over the web I only see the checkbox version ... Affaire à suivre :)

The only scenario you described was this and it only contains "buying" actions and no redeeming actions so clearly it does not apply:

"Account hijacked, real human user buys something and passes the captcha, then sets a script/bot running that buys multiple codes automatically. Without that extra human challenge, the system is easy (well, easier) to exploit and do a lot of damage."

Also: No one (at least not me) is arguing about many consecutive redeems of bought codes. The case here is very clear and very simple: You get a "free" game due to buying other games, you have to pointlessly enter some captcha. I really see no way to argue the sensibility of this captcha check. And considering that (due to autumn sale) this may well be the most frequent redeem scenario it obviously matters significantly and is not some rare exceptional use case.

Or maybe it is because this highly damaging abuse scenario exists only in your mind.

Ah well if this is now a staple of GOG I may very well find myself unable to use it as I don't allow my computer to connect to google directly, I shunt any needed connections to google through a proxy and as I've found when trying to redeem my code from the sale my setup doesn't work. For reasons why I do this I don't like google.

Try redeeming an illegal code a few times (five?). From that point onwards (even days later, even if you give a legal code after that) you will get pictures.

Don't think it's how it actually works. I never entered an illegal code, ever, yet am asked to pick pictures every single time.