Originally posted by BDK:

https://store.steampowered.com/account/

Right side should list whatever is saved. I haven't purchased anything on steam for ages so I forget if they automatically store your payment credentials.

Is it even possible to store PayPal credentials? After all, from PayPals point of view, Steam is merely some third party website. They really shouldn't publish account credentials anywhere.

Originally posted by BDK:

Well I would expect a login is required before a purchase, anything else would be a security flaw. Pretty sure steam also saves the security code on your credit card, which is another security flaw.

A security flaw, if they get hacked you mean? And that's assuming *you* let them save your credentials.

As for Paypal, it's an outside portal. If you buy something here, it sends you to the paypal portal. If you don't have to log in there, I'd assume it's a setting in paypal that's covering that, not Steam.

Originally posted by BDK:

Well I would expect a login is required before a purchase, anything else would be a security flaw. Pretty sure steam also saves the security code on your credit card, which is another security flaw.

I always have to input the 3 digit code whenever I puchase a game even if the cc information is stored. This information is not saved.

It appears that steam client stores passwords locally. This can be resolved by going to Settings>>View Account Details and removing paypal as a payment option. Next time you want to buy something, uncheck the box that says "Save my payment information". This should fix the issue.

hey all!


solution:

- go to your PayPal account (note: I translate from german, maybe menus are named
differently)
- go to "my profile"
- go to "bank data"
- go to "payments via dealer direct debit" (again, translated from german. might be named diff.)
- click on the linked name of the dealer (steampowered of course)
- and cancel the ♥♥♥♥ out of it

~

I was suprised that I didn't have to login anymore one day, so I contacted paypal. apparently I *agreed* to the direct debit at one point.
I didn't notice that - and will be more careful about what I agree to in the future.

~

hope that helps
best,
Mikey 8)

I know for a fact I never agreed to direct debit. And yet yesterday a purchase went through without requiring login. thanks for explaining how to remove this big security hole.

I think the click of doom is called "make checkout easier next time", or similar.

best,
Mikey

Just to give the English version of what Mikey has given us:

- PayPal Account Screen.
- "Profile" (Top menu under "My Account").
- "My Money" (Left menu).
- My pre-approved payments, click "Update".
- Will list all your pre-approved payments.
- Click on the Merchant's name.
- Choose "Cancel" to cancel that ability.

Thanks everyone for the info etc. Good to know.

Yea, never save payment info when making a purchase on Steam, or any other site that does it too. I have brought this issue up on Steam forums in the past and have said it should be opt in to save payment info and not opt out but Valve just ignores what I say. Twice I have had my CC# stored when I don't want it stored because I forgot to uncheck the option box.

Even PayPal I have removed my payment info and just use xxxx as CC details. If I ever need to use PayPal (have only used it twice in the past decade) I just go enter the CC/bank info, go make the purchse then go back to PayPal and remove the info.

This happened to me yesterday and freaked me out.

Unfortunately, the problem is worse than just "saving payment info."

The worst part of it is that I use a PayPal "Security Key," which is a plastic device that displays a six-digit code each time I press a button on the front. In order to log into PayPal, I have to have the current, correct code.

Steam never asked me for my PayPal credentials OR the one-time security code that is supposed to be required by PayPal.

In other words, for those who understand security lingo, I no longer have two-factor authentication.

This is an ENORMOUS security hole.

To the best of my knowledge, I didn't change anything or check any new check boxes. I am careful when I make online transactions, and I read everything before I click on it. Of course, we all make mistakes.

Of course, even if I did tell Steam to "remember my payment info," there should be no way for it to log into my PayPal account without the one-time security code. That code CHANGES every time I log into PayPal, and therefore there is no way to "remember" it. What it is doing is BYPASSING it, not storing / remembering it.

Thanks to Miqueye and leadbman for the PayPal instructions. I will look into that.

UPDATE: I followed the above instructions and it seems that Valve was added to my "preapproved payments" list in my PayPal account on June 15th, the same day I bought 2 games on Steam. I guess I must not have paid attention to all the "please lower my security" check boxes like I normally do.

As convenient as it is, I will cancel it. There is a reason I carry a two-factor solution around with me. Thanks for the info here.

P.S. Also found out that TigerDirect has been on the same preapproved list since October 2009. DOH!! ROFL

Hi, this thread helped me a lot, I was worried about it and I didn't realize to look into paypal and cancel pre authorized sellers. Thanks!!

yea is is somoe serious stuff

I think the system was that you had to tick the "make my checkouts easier" box before June, but now it automatically ticks the box when you go to make the purchase.

Good info. I went to the pre-approved payments screen on Paypal and found *several* stores had snuck themselves in there over the years. A couple were valid but most were not and some were places I would definitely not give carte blanche access to my money. Very sucky of Paypal not to make this stuff more clear.