Interesting. I logged in and accidentally put in a wrong number for my 2FA code and I was given a warning that after 4 more failed attempts my account would be locked for 12 hours.

Not planning on testing it to see if it works though.

Why, it's only 12 hours and at least we'll all know then?

Lol!!! Well, not during a major sale at least.

I wonder if it affects instances where you are already logged in. Maybe it just prevents login attempts for 12 hours.

You could use a haircut.

Your current connection most likely will not be affected (as your cookie will show you as logged in) but don't you dare too log out ;)

Mom? What are you doing on GOG? You don't even play games!

(No kidding, she has been telling me the same thing for months or maybe a year)

Making sure you eat your vegetables.
Which you haven't done in weeks.

No wonder if you do not thaw them

Ha! Now you've given yourself away, fake mom.

My real mother has given up on that many years ago. :p

Too bad you never noticed she poisoned the rest of your food.

Interesting question is how do you tell that you have been hacked?

And its a good thing I don't save my Card info on GOG, I always write it down every time I buy a ga,e?

Off-topic from the original topic, but here are some related observations.

About three weeks or a month or so, my Mojang account was successfully stolen. Thankfully, Mojang sent an email to my original address with an easy link to revoke that change and get the account back to my control, with a changed password and all.

And for the past few weeks, there seemed to be attempts to successfully log into my Gmail PSN account (which I don't have anything of value on unlike the Mojang account). How do I know this? A successful login sends the same 'change your password' email, which I have been getting for the past few weeks. Out of laziness and lack of value in that PSN account specifically, I changed the password yesterday or so.

The hacker of the Mojang account seemed to be Russian. His email domain was @yandex.ru or something. Of course I changed my other passwords and activated 2FA on everything that has it, made my Enpass (the password manager) master password more secure, and secured OneDrive with an app-based 2FA solution because that's where my Enpass data is stored.

Is there something fishy about all of these hackings? Or is it just me?

Hm, what about implementing two modes:
- active mode
- passive mode

Change between passive to active mode requires answering verification email.

Passive mode allows:
- downloading bought content
- access to forum/website/reviews
- buying games up to specified limit
Passive mode is basically locked down, regular use mode.

Active mode allows additionally:
- specify buying limit (just a value)
- change/add/remove of card information
- changing user information
- add/remove device
- switching between 2FA/regular modes

Regular pattern is like this: a user goes into active mode, fills out profile, adds payment credentials, sets a buying limit value in any currency. then he/she switches into passive mode.

In passive mode, each game he/she purchases deducts correspondingly the limit value. In order to increase it, he/she must go into active mode and set it to anything.

The advantage is: account is useless in passive mode for a cracker. With defined amount and inability to change anything significant without email validation.

This is like having "sudo" in Linux/Mac/Unix, instead of constantly entering credentials.

Uh-oh.
...is now a bad time to complain about how you never send money?

This is a decent suggestion at first, but the devil is in the details. The one thing I am not convinced is a good idea — at least from this description — is the buying limit in passive mode. At first I could see it being used as a limitation to the GogWallet™ , but not to credit cards/paypal. But then again, the very amount you have put in your wallet is a buying limitation, so in this scenario the restriction is completely useless.

But why not put that limitation to the credit cards too? Because it would be very annoying for the individual average user.

Please allow me to explain. First when we're setting the limit we need to make a decent guess. Psychologic studies (citation needed, but bear with me) show that we (humans in a broad sense) are terrible at that. That's problem number one.

Now, if the guess is going to be off the mark what side would we err for? Since it's about money everybody is going to underguess; the focus is to control damage in case of a hacker break-in after all. This leads to the second problem: the regular user will be constantly pestered by this feature because their guess was too low.

There would be another factor leading to the system constantly harassing us: as far as I can tell, most users have irregular shopping habits, i.e. they spend a little now and then, and suddenly a better sale comes up and they have a reason to make a big purchase. When setting the limit they would be thinking of the lower-spending weeks (which certainly are by far more frequent than the high-expenditure times). Which would obviously trigger the limit every time a decent sale comes up.

So we would have the system constantly harassing us for going above our own thresholds. This would cause lots of annoyed users to go to the other extreme: set a limit of one billion dollars or something like that. That would be the problem number three: people defeating the system's purpose for the sake of restoring their convenience. Whenever there's a clash between security and convenience we might put up with an inconvenience for short time, but we tend to choose convenience in the long run unless the inconvenience is too trivial for a decent improvement in security.

Also, there's another problem with this proposal. It clashes with GOG's own goals. Simply put, the more hoops we have to jump through to spend our money here the worse it is for them. They're not going to implement your suggestion unless there's no other alternative.