While I'm sure many people are aware of people's accounts being hacked, and even getting invites from anonymous, private accounts that claim to be someone random you may know and forward you some link based on a false story of some sort.
But, what shocked me was the fact that 77,000 accounts are hacked on a monthly basis.
Here's an article from Kaspersky on some of the stats: Steam Stealers Target Thousands of Gamer Accounts
That's an insanely large amount of accounts on a regular basis, maybe a few repeat victims, but still large.
It makes more sense to me that Valve are pushing the whole Steam Guard confirmations now, although not carried out in the most ideal manner.

What are your thoughts on this, and whether Valve has the responsibility to do more to combat such high levels of fraud?

Edit: Can't edit the Poll typo. ( ͠°_ °)

Edit: More info from batler0...All your creds are belong to us

8 years ago*

Is Valve responsible for creating a more secure network?

Yes
No
Maybe
Stupid Vale should know better
Gabe, stop taking our money, do something!

Steam Guard is a joke. Dunno how many times I've been on the browser, it's forwarded me to Steam Guard but when I log in on my phone it also asks for a Steam Guard code...

8 years ago

On almost every occasion now I'm required to verify my account when using Steam on the same PC.
So annoying.

8 years ago

You should have to verify each and every login attempt on every possible platform (client, browser, mobile device). This is kinda the entire point of it.

8 years ago

Yeah, but how can it ask for a code when you log in via your mobile when the only way of getting the code is being logged into your mobile? Pretty silly tbh haha.

I should note, when I say log in via mobile, I mean the actual app itself, not the phone's browser.

8 years ago

That can't be right.
If I log in on my Firefox browser and approve it, close the browser, and then later open it again to use Steam, it should just log in.
There's no need to authenticate again, I didn't restart, my IP remained the same, etc. etc.
Just a little overkill.

8 years ago

If you log out and back in, it is a new session. Probably could be exploited.

8 years ago

I don't log out, just close the browser.
But perhaps you're right. Just never had this issue before last week.

8 years ago

Closing the browser ends the session, which also counts as logging out. If you would remain logged in, that'd mean your entire login info is saved in a cookie, which is about as secure as storing your bank card pin on a post-it in your wallet.

8 years ago

Hahaha, that's true.
But there is an option to choose when logging in "remember me".
No point using that now.

8 years ago

Remember me mostly saves your login name in a cookie or uses the browser's password manager to save your login data. The first one is more or less harmless (there are exploits for knowing the login name of someone, but it is usually super easy to figure out). The second one is as safe as how much you trust the browser. Firefox used to store these in a plain text file… Now they have some encryption, but I'd rather put my trust in a free password manager like LastPass. Won't solve the authenticator hassle, of course, but at least it also decreases the actual security risks.

8 years ago

Strange that they don't make better use of hashing.
I viewed a site not so long ago, and it directed me to view my login info in a cookie.
To my surprise it showed my userID, and some variants of my other credentials. Geez, that's bad.

8 years ago
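
The "remember me" cookie discussed in the comments above, as an added example (not from the thread and not Steam's implementation): a persistent-login cookie that carries a random selector and validator instead of any credential, with only a hash of the validator kept server-side. The class name, the 30-day lifetime and the in-memory table are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 30 * 24 * 3600  # assumed 30-day lifetime, in seconds


class RememberMeStore:
    """In-memory stand-in for a server-side token table (hypothetical)."""

    def __init__(self, now=time.time):
        self._rows = {}  # selector -> (validator_hash, user_id, expires_at)
        self._now = now

    def issue(self, user_id):
        """Return the cookie value; only a hash of the secret half is stored."""
        selector = secrets.token_urlsafe(12)   # lookup key, not secret
        validator = secrets.token_urlsafe(32)  # secret, never stored in clear
        digest = hashlib.sha256(validator.encode()).hexdigest()
        self._rows[selector] = (digest, user_id, self._now() + TOKEN_LIFETIME)
        return f"{selector}:{validator}"

    def redeem(self, cookie):
        """Return (user_id, new_cookie), or (None, None) if the cookie is rejected."""
        selector, sep, validator = cookie.partition(":")
        row = self._rows.get(selector)
        if not sep or row is None:
            return None, None
        digest, user_id, expires_at = row
        # Single use: the selector is spent whatever the outcome, so a copied
        # cookie stops working once either party has presented it.
        del self._rows[selector]
        presented = hashlib.sha256(validator.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):
            return None, None  # known selector, wrong secret: token revoked
        if self._now() > expires_at:
            return None, None
        return user_id, self.issue(user_id)  # rotate on every use


if __name__ == "__main__":
    store = RememberMeStore()
    cookie = store.issue("user-1001")  # constructed sample account id
    user, rotated = store.redeem(cookie)
    print("first use:", user, "| cookie rotated:", rotated != cookie)
    print("replay of old cookie:", store.redeem(cookie)[0])
```

A rejected cookie sends the user back to the full login, including the second factor; a leaked copy of the server-side table yields only hashes, not usable cookies.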

Yep, this is why I stick to my LastPass. Sites are waaaaaaaaaaaaaaaaaaaaaay too easygoing on storing user login data. I just pray they have bought some pre-made software package when it comes to storing payment data, although if Sony had these in simple CSV files so any hacker could steal them (which they did… twice…), then what about the poorer, smaller ones? -.-

8 years ago

I haven't thought much of cookies and saving passwords online until today really.
Looking at LastPass, how is it different in the end? Yes it secures your Master key and other saved keys more securely, but once it's autofilled onto the site in your browser, then those logins still create unsecured cookies, etc. as we've discussed.
Or is it more complicated than that?

8 years ago

It cannot eliminate the cookie problem, but on the other hand, I cannot recall a site from the past 3-4 years that did this to me. LastPass makes sure that your passwords on the sites cannot be stored on the browser itself, and by auto-filling them from a secured vault, you can also use as long ones as you want (many of my passwords are 100-character long gibberish), because the longer the password, the more impossible to crack it.
Think of it as a good service to let you finally stop using those same three passwords everywhere, so even if one gets compromised, no other will be. You just have to remember two: the one for LastPass and the one for your email.

8 years ago

That's cool. I'll definitely check it out then.
You reckon I'd have to clear the saved passwords in my browser once I've made the switch?

8 years ago

Once you install it and set up an account, it will ask to do that for you. :)

8 years ago

Awesome. Thanks.

8 years ago

Just saw something very weird. Steam key I recently received started with RE5ET-PW... Didn't notice till after activated (activated fine btw) but no way that's just coincidence so keeping close eye on my account.. Thought keys were created randomly.

Anyway, reading that article it sounds more like there's insecurity in the way Steam authenticates a session if it can be copied/fooled seemingly easily :-/
"... locates the specific Steam KeyValue file that contains user credentials, as well as the information that maintains a user’s session. When cybercriminals have obtained this information, they can control the user’s account."

Yes Valve should do what it can (& sounds like could do more) to reduce fraud and scams but also try to do it without creating more inconvenience for the users or blanket pass the blame onto them.

8 years ago*

Yeah, it should be more random than that, unless it comes from a specific group of keys for some event, etc. Don't know myself.
It's a bit tricky to store cached info of your Steam login in the browser or on your PC...and should definitely not be able to be used to log in from another PC. That just screams unsecured credentials.

8 years ago

Is Valve responsible for creating a more secure network?

No. It is a user's responsibility not to click some random suspicious link like an idiot. No matter how much security Valve implement, people will always find a way to do silly things which will make them lose their account.

As seen by recent changes that Valve have made in a futile attempt at reducing security issues, the more security they add, the more Steam becomes a frustrating and complicated platform to enjoy, filled with community-breaking obstacles, especially for anyone who doesn't own a mobile.

So my take on this? Steam users should be responsible for their own actions. Security should be optional, like Steam Guard before they implemented that mobile bullshit. Disagree if you want, it won't change my view on the situation. :P

8 years ago

No need to challenge me accepting your opinion, it's yours, whether I agree or not.
But yes, I do agree with some of your comments there in the end.
Surely, though, you can't use words like "doesn't own a mobile". :D
Anyone owning a PC using Steam should have a mobile, maybe not a smartphone.

8 years ago

Not everyone can afford/care to carry a mobile at all times. This is one thing Valve fails to realize - it isn't that some people don't want to use mobile auth, it's that some people can't use it.

8 years ago

Perhaps, yes.

8 years ago

Actually, they probably consider that people who can't afford a mobile phone likely have very little disposable income for games either. So they are unlikely to spend very much on Steam...

8 years ago

That's a rather silly assumption from Valve, but then again people rarely believe me when I say that I barely ever spent money on buying games.

8 years ago

People click on random links. This is Virtual Protection 101. People are stupid, they'll get bit one way or another. Steam has to increase protection, but not this way. A lot of people don't have smartphones that can run the Steam app. I even heard that they'll be moving to iOS 7 soon, a.k.a. anything below the 4th gen I-Devices will not really run it. People will have to wait for 15(!) days for trades to be completed... no matter how insignificant the trades might be.
Stupid people shouldn't be coddled up like: "Oh dearie, did you not have the common sense of clicking a single button? Well, let's mess with everyone's experience to make sure that a shitstain like you could have a safe experience."
This isn't the freaking Disney website. There are age limits to use the site. If you're older than the limit, then you should have the brain function of one too.
The security measures should be voluntary. The whales that use this site are not the ones being this dumb.

8 years ago

True, but I imagine it could be a little more secure when it comes to links knowing you have noobs out there.
Perhaps an opt in from the settings to access outgoing links, or warning you before it's opened after you've clicked it.
But yes, users should be a lot more responsible.

8 years ago

+1
Your thoughts are the same as mine.

8 years ago

Valve is a bunch of dickheads. If only EA realises that and improves Origin.

8 years ago

I actually used Origin before Steam because I had a few EA games.
Just hasn't evolved much over the years, and no community aspect.
Perhaps introducing the community market may make it more susceptible to attacks as with Steam.

8 years ago

I've used both Origin and Steam years ago. I didn't like Origin because of the white color.

8 years ago

That's racist.

8 years ago

Not really, the color used to hurt my eyes and I already have weak eyes. (5/10 in the left one and 7.5/10 in the right one)

8 years ago

Do you not suffer all the time when browsing websites then?

Unless photosensitivity is a part of the issue with your eyes then you have your screen too bright and/or you need some ambient lighting.

8 years ago

I wear glasses with some sort of lighting filter? It keeps some sort of rays that come from screens from reaching my eyes. I've been wearing them for 11 years now.

8 years ago

Nope, Steam is totally safe but because of stupid people with simple passwords and no mobile authenticators these things happen...

8 years ago

I like how people like to complain that they don't have money for a smartphone that can run Steam mobile .. But to buy games on Steam you have money? You can buy an old cheap mobile phone with Android for only 10$ .. I live in a poor country .. the average salary here is about 250$ a month .. but even old 70-year-old ladies have smartphones .. so stop complaining about the Steam authenticator .. sry about my bad English ;)
LE: To be more specific .. The Steam auth .. was implemented for your own safety .. Steam doesn't need your number to send you messages or call you ..

8 years ago*

I bought my first android phone 2 years ago, for around $140. Still alive to this very day.

8 years ago

You didn't get my point .. I was referring to the fact that you can buy a cheap phone that can run Steam auth .. for only 10$ instead of complaining about trade and other restrictions ..

8 years ago

No, I did get it. I meant that $140 here is a pretty cheap price for an Android, and particularly a SAMSUNG. The only phones I can find for $10 here are way too old phones, Nokia 3310 style and such.

8 years ago

I only bought one phone off contract, my Nexus 4.
Was such an awesome phone, and even used it as a second phone when I upgraded.
Sadly, though, I dropped it one day after a football game (soccer), and that was the end.
I'm sure just the glass needs replacing, since it looks fine underneath, but not sure I want to pay for that.

8 years ago

My first phone which I use until now is Samsung Trend Plus, it's pretty decent and I like it, not even planning on changing it at all. (Unless it gets broken).

8 years ago

I'm on a Note 4 now since it was launched, and haven't had an itch to change it since.
I've been to many new device launches, including last week's S7 release, and the only thing I wanted there was the VR.
My phone will stay with me for the next while at least.

8 years ago

That's very true. But it's not the case with all users...many are kids and get the games bought for them and activated and they don't know how to do anything besides play games, even before owning a mobile.
But then it's the responsibility of the parent in that case.
$10 here won't get any Android smartphone from the past 3 or 4 years, but maybe 30 or 40.

8 years ago

As far as I know, steam already implemented a function that will replace any suspicious link parsed through Steam chat with {LINK REMOVED}. It also warns you if the link is valid that you are leaving the Steam community and they are not responsible for any consequences. Therefore, it's the users' fault to fall into a fraud. It's so simple to tell someone is trying to scam you or try to steal your account.

8 years ago

I've seen the notification that you're leaving Steam only when viewing threads and pages, but not from Friends chat interestingly.
Haven't yet seen the LINK REMOVED part, but haven't had a "friend" with a private account sending me links in ages.
Think a few times those guys were winners of my GA on SG, which was annoying.

8 years ago

Well, if someone links you to a verified website such as Facebook, Twitter, YouTube, etc., it'll be pasted. However, if the link isn't anything known (or at least verified by Steam), it will be replaced. Give it a try.

8 years ago

Thanks for the heads up.

8 years ago

No worries.

8 years ago

I agree with the person that said stupid people and children are the likely culprits of getting accounts and or items jacked. I don't know how many times I've read or heard about a kid that was tricked by some person that changed their name and picture to one of their friends and got an item from them.

8 years ago

I find it strange that they'll be allowed to add friends, access links, etc. if they are kids.
Their parents should disable such features using the new Family friendly secure thing.
I wouldn't let my kid (one day) get anywhere near anything of mine that links to any payment methods...that's just bad parenting. ;)

8 years ago

I agree, I got my account stolen once when I was a kid. (Don't ask how, you'll laugh your ass off). Luckily, I was smart enough to retrieve it instantly.

8 years ago

how =D

8 years ago

I won't tell.
Someone once sent me a link and claimed that if I enter my steam account name and my password and choose a game, I will receive it as a gift. It did not work, then he said try to put your e-mail information. Please don't laugh, it was nearly 6 years ago :/

8 years ago

LoL, I never believed BS like that, even when I was a kid. I'm probably still considered a kid

8 years ago

Thanks all for commenting. Seems to be a touchy subject between Steam Fraud, and Valve security changes.

8 years ago

That 77k is down from a far higher number - and Valve can't secure against stupid. With the 2-part authentication and the fact people not on your friends list can't even talk to you outside of group chat, accepting a random is just stupid, even if it's just for trade - the trade links take care of that.

8 years ago

I'm not sure what the stats were if you say this is lower now.
But yeah, can't secure against stupid.
Think some of the issues here are people's needs to feel part of a community and the need to belong, so accepting friends to them feels like they're growing their social base. (My assumptions only). Clicking on the links are just stupid after that.

8 years ago

I was mainly referring to random adds, not people you make friends with in the forums and group chats.

8 years ago

Yes, was referring to random adds as well. :)
Some people see an invite and get excited about new friends. Unfortunately.

8 years ago

Must be a question of personality. For me it is "oh, fuck, what do they want again?"

8 years ago

Yeah, that's me now.
But at first, I accepted them, hoping they would say something so I could report them.
I can imagine even if I gathered some evidence, nothing would come of it from Valve's side.

8 years ago

https://games.slashdot.org/story/16/03/15/2014223/steam-stealer-malware-becomes-extremely-sophisticated-remains-very-cheap

"[The] most targeted game is Counter-Strike: Global Offensive, while Kaspersky Lab says that most of the cyber-gangs behind these malware families are of Eastern European origin, mostly Russian."

Oh, those Russians!

8 years ago

Statistically that's true, but I refrain from emphasizing the whole Eastern European origin...don't wanna be racist. :)

8 years ago

The steam forum was riddled with threads asking for help in retrieving stolen accounts before the steam guard. Every 1 of 3 threads was an account-got-stolen thread. Now people are not happy with the steam guard; I am not lying that the steam guard is not totally perfect, but it is better than just a simple email guard.

8 years ago

It appears that it has been a lot more effective, although annoying, than people have expected.
Perhaps over time they can still streamline it a bit more, but, then again, this is Valve.
At least with a chance of less fraud, it should work itself out, and people will become accustomed to doing things that way.

8 years ago

Closed 8 years ago by Ph03n1xSA.