Hi RickyAndersen.

Wallet funds cannot be transferred to another user, so at "best" if someone else logged in your account, by mistake, they would be able to buy games you wouldn't like and download them for themselves.
The games would stay in your library of course, while I am not sure if your refund request would be granted if you wanted your wallet funds back.
Either way they couldn't steal any funds from your wallet, or buy a game that wouldn't remain in your library afterwards.

*Also read post #93*

Cheers.

Thanks my dude, this was a pretty straightforward read.

Your cc information is always stored server side. Putting it client side is 100% a PCI 3.0 compliance violation.

Note all it does is aleviate the need for vendors to store your cc information. This allows them to dodge potential issues if their servers are compromised. As they don't have your actual cc information, but instead just a 'token' which really can't be used for anything nor can your cc information be extracted from it. Essentially its a tactic of "you cant steal cc info if we dont store it". the token introduces a layer of obfuscation in the event of a server compromise.

But this is easily solved via requiring ccv input on checkout. Though there seem sto be conflicting reports as to whether GOG does this.

This of course doesn't alleviate issues with stored wallet value

But as I've said in previous threads, there's not a whole lot of value in stealing a gog account and using it CURRENTLY. There's no market for GOG games on third party resellers, nor for selling gog accounts either. This will become a bigger issue once Cyberpunk 2077 comes out for pre-order, and then there is actual demand for such things. Better to sort this kind for thing out now, rather than figuring it out when accounts get hijacked by the truckload trying to sell off copies of the game on shady cd key websites
You can gift games to other people

https://support.gog.com/hc/en-us/articles/212804445-How-do-I-buy-something-as-a-gift-

Which is why GOG had to shutdown Gifting of the witcher 3 because of rampant credit card fraud being used to sell GOG copies of the witcher 3 on shady websites

Note that some systems will require the CCV on initial checkout, but subsequent purchases may not require it ifyou do them on the same day. Usually they time out after 24 hours and the CCV is required again. This is mostly to make purchases have less friction other than the initial one, so you can buy lots of gifts in a single session. Though each vendor may or may not implement such strategies.

Ehh...right. Totally forgot about that. Thanks for noting the omission of that possibility, on my part.

In this case, a gift can be recalled.
But I believe it would be required for the receiving part to agree on the recall or dismiss the gift, by contacting GOG.com support.
If something like that happens, while the storefront security is breached, then GOG.com support would surely show a degree of understanding and recall "reported" gifts either way, right?
In the case of money laundering, unconfirmed purchases of games as gifts, would have GOG.com invalidating those codes, hopefully, as long as they are reported by the users.
Another issue, would be finding out whose money was actually stolen, so that they could be refunded, or wouldn't it?

Oh boy, what a mess that would be.

Edit; Indeed, the heist would benefit the anonymous intruders, who committed a gift code scam, even if GOG.com invalidated the suspicious gift codes afterwards.

I mean the scammer just needs to sell the game on the shady cd key site. It doesnt matter if the game is recalled because the scammer already got their money. If they sell something like Cyberpunk 2077 for like 50% off it'll sell almost immediately, and then can just run with the money before the victim figures out they've gotten screwed.

While yes GOG can fix things after the fact, that still generally leaves a bad taste in people's mouths. Its very stressful and you're not really sure what the outcome is. Its better for GOG to prevent such incidents via some security measures such as requiring a CCV, or alternatively for wallet transactions asking for the email 2 factor code would be a deterrent as well.

Still though, the indented scammers could spam dozens of GOG.com accounts if they had money laundering in mind. No need to use a random user's account. Wouldn't it be situational if they did?
But it certainly would be for the best, if GOG.com beefed up their security. So it might just be the right time to do so.

A scammer with GOG curreent security model would by trying to hijack as many accounts as possible to get as many 'hits' as they can.For example 2fA is not mandatory on GOG. this likely means that you could use a standard username/password table from any number of high profile hijack and likely get a lot of hits. Of those, you'd then see which ones have viable credit cards or wallet to steal. Because GOG has several security loopholes, scammers woudl simply employ a shotgun 'hijack as much as you can' approach.

Contrast that with STeam. Note that on steam the account itself is of no use, its the inventory that has value. But on steam to trade you must have 2FA enabled. This means a shotgun approach to hijacking random accounts is useless. That's why all hijackers now are using a phishing model to hijck steam accounts with the lure of "FREE KNIVES" which ensures your targets have 2FA and will give your phishing site the necessary token. Steam doesnt enforce 2FA 'in general' but accounts that dont have 2FA arent raelly targetted because without 2FA the hijacker cant get at what they want, the inventory.

On GOG, currently the really only way you can make money when scamming is to sell a high value game. Which used to be pre-orders for the Witcher 3. And will be in the future preorders for Cyperbunk 2077. Thus you have ot look at the threat landscape as "scammers are wanting to steal copies of Cyberpun 2077 to sell on shady websites, what are viable mitigation tactics"

is it still a thing? Does it affect people who use two-factor auth?
Im kinda afraid to login to my non-forum account :v

What a spooky story, I do hope it will be fix as soon as possible.

While I'm glad to see you have your priorities right, but I'm certain no underhanded trickery is needed! I believe in Cleve, for he has overcome much more adverse conditions - from fighting rioting gangbangers armed with nothing but a jar of baby food to Max Phipps' bathroom. The world's last living neanderthal will crack those 1000 wishlist votes with ease. Surely, this will show gog the error of their ways and glorious incline will finally come here! (and maybe gog will fix some rather severe website issues along the way, who knows...)

Mealy mouth corporate speak if ever I read it. You have PROOF that such a situation has happened and acknowledge it later in the post. So did "no such situation ... ever [happen] to date" or are you going to "contact fronzelneekburm directly to discuss details" of the situation.

how Chinese people reach gog? is there any VPN in place or they are allowed to use it directly? I wonder if this thing happened because of VPN.

It sounds like they misconfigured their Varnish HTTP Cache. I remember reading some caching related error messages and seen a broken user menu on the store pages around the time fronzel had the session switcheroo.

If someone did it/had it happen then how did it never happen? *DOES NOT COMPUTE*

This....if it never happened this is basically calling frozen a liar/wrong and why would they contact someone such happened to if they claim it never happened? :\