You can now store your card for later use.

When making any purchase with a credit or debit card, you can now select the option to save your card for later use.



If your payment is successful, that card will be remembered for later use. You'll be able to select it during your next checkout without retyping the info every time. Simple, straightforward, and probably very familiar.


We're taking advantage of tried and tested industry-standard solutions used across the world today. Among other things, this means your entered payment data isn't actually kept anywhere on GOG.com. Once your bank approves the purchase, your entered card number is replaced with a unique, encrypted token that can be used only by us to process your future payments, and which cannot be reverse engineered to resolve your card number and data. From time to time, we'll also ask you to verify your information based on a number of security factors, like if you haven't used that card in a long time.

While it's not required, we also strongly recommend enabling Two-Step Login before saving your payment details.

Keep in mind that you can easily remove your saved payment method through the My Account / Orders section. We'll also automatically invalidate all payment tokens for any account that hasn't been used in a long time.


We hope the feature turns out to be particularly useful soon, when you may just feel compelled to click really, really fast.
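
A sketch of the token model the announcement describes, added here as an illustration; it is not GOG's or its payment processor's code. It assumes a random token looked up in a processor-side vault, and `TokenVault`, `hashed` and the merchant IDs are hypothetical names. It shows why such a token differs from a hash of the card number, why it is only usable by the merchant it was issued to, and how removal invalidates it.

```python
import hashlib
import secrets


def hashed(pan: str) -> str:
    # Deterministic: the same card always yields the same value, so a leaked
    # hash can be matched offline against guessed card numbers.
    return hashlib.sha256(pan.encode()).hexdigest()


class TokenVault:
    """Toy processor-side vault. The merchant only ever keeps the token."""

    def __init__(self):
        self._records = {}  # token -> {"merchant", "pan", "active"}

    def tokenize(self, merchant_id: str, pan: str) -> str:
        # Random value with no mathematical relation to the card number.
        token = secrets.token_urlsafe(24)
        self._records[token] = {"merchant": merchant_id, "pan": pan, "active": True}
        return token

    def charge(self, merchant_id: str, token: str, amount_cents: int):
        # Assumption: merchant_id comes from the caller's authenticated API
        # credentials, never from request data the caller controls.
        rec = self._records.get(token)
        if rec is None or not rec["active"]:
            return (False, "unknown or revoked token")
        if rec["merchant"] != merchant_id:
            return (False, "token not issued to this merchant")
        return (True, f"charged {amount_cents} to card ending {rec['pan'][-4:]}")

    def revoke(self, token: str) -> bool:
        # Mirrors removing a saved card: the token stops working at once.
        rec = self._records.get(token)
        if rec is None or not rec["active"]:
            return False
        rec["active"] = False
        return True


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test number, not a real card
    vault = TokenVault()
    t1 = vault.tokenize("shop-a", pan)
    print(hashed(pan) == hashed(pan))           # a hash repeats for the same card
    print(t1 != vault.tokenize("shop-a", pan))  # a token does not
    print(vault.charge("shop-b", t1, 999))      # other merchant is refused
    vault.revoke(t1)
    print(vault.charge("shop-a", t1, 999))      # revoked token is refused
```
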
de_Monteynard: I seem to distinctly remember a bluetext saying that GOG will never implement such a system, as it would be too much of a security risk.
Believe me - it's safe as f***. :)
Martek: How ironic I was just saying the other day that one of the things I like about GOG is they DON'T store that information.
We don't save the credit/debit card details. See the OP and other comments. :)
Martek: Just like passwords that are stored as salted hashes, if that hashed table gets out - then systems can be hacked into even without the actual password.

Just like biometric fingerprint readers, "your actual fingerprint isn't stored - just a computed number". IF that number gets out - it's as good as your fingerprint. A MITM attack could inject it.

Same here - the so-called unique-token could get stolen and then used to make purchases. Same thing as having your card info. A MITM attack could possibly use it.
I understand your concern, but nope - we don't store hashed card data. Again - read the original newspost carefully please. Man-in-the-middle won't do either. You don't have access to this "token" anywhere on the website or AJAX calls either (which is not hashed card data). I guess Barefoot_monkey or adaliabooks could check that for you if you don't trust me. :)

edit:
Martek: They can be hacked - just like any number of other companies and sites that get hacked all the time.
If we even, speculating, theoretically, got hacked (no we won't! :P ), the only thing that hackers could do with those tokens is make GOG.com payments, nothing more. :)

update: he wouldn't even be able to do GOG.com payments. So no payments for hackers.
Post edited March 17, 2016 by Johny.
muntdefems: Wait a minute... If GOG has just recently implemented HTTPS throughout the site, does that mean that every time that those smug I-will-never-store-my-details-on-a-website and no-matter-how-secure-the-system-is-the-website-could-be-hacked folks have been transmitting their CC numbers out in the open? :D
Checkout was always HTTPS only.
Martek: Meanwhile, as I mentioned, I'll do what I do for other sites that store that info (whether it's via an option or not - if the mechanism exists it might get used by accident with no outward sign) - I'll gen up a virtual credit card number. Now if your site ends up being unable to use that - that will be a problem. We'll cross that bridge on my next purchase..
That's entirely up to you! :)
IFW: Two questions to GOG staff BEFORE I tick the store card option...
1. Can I store more than one card?
2. Is there any way to remove an already stored card? (other than its expiring after a few years...)
Yes and yes.
eiii: Even when this is the most secure way to store payment details there's still the risk an account gets compromised. And while a hacker in the past has been lucky when he got an account with a lot of games he now may even be more lucky when he gets an account with a stored credit card to purchase all the missing games.
"Cracker" would be asked for the security code of that card. And he would have 3 tries only (counted on GOG.com side).

If he would use your card either saved or not saved (keylogger for example) - you would get this money back either way.

eiii: I would prefer when GOG would change their two step login so that it does not require persistent cookies and more people could use it (seeing how many people complained about that). Without more secure accounts storing credit cards for later use only means increasing the risks.
How would you store info about 2-step then, if not in cookies? Based on IP? Then, if you would log in at - let's say an internet café - in private mode, another person in that place (or local network) wouldn't be asked for the second step of verification. Did you encounter better solutions?


P.S. Still, you have all the rights to not save your card details. :)
Post edited March 20, 2016 by Johny.