Hatsaver: Steam Stymying Hijackers With Trade Holds

Scammers! They’re everywhere nowadays. Cheats! Hackers! Frauds! Phoneys! These rogues and more want your precious wizard hats and shark guns, to plunder your Steam account of its cosmetic goodies and steal them away for their own nefarious ends. CS: GO guns and Dota 2 wizard hats can be worth a lot of money, you know. Valve are sick of folks doing this, and probably sick of the headaches it creates for their support department. To reduce this, they’re soon adding trade holds that’ll hold things up by a few days – unless both parties are using the Steam app’s Mobile Authenticator.

What tends to happen is a blaggard gets control of an account, then quickly trades all the cosmetic items away to a mule account. By the time you’ve regained control of your account, everything’s gone – and you can’t necessarily get it back, or it might take a while given how slow Steam support can be.

Trade holds will go into effect on December 9th. As the CS:GO blog explains, trades will by default be held for three days, during which folks can hop on and cancel all pending trades. If both folks are using the Steam Mobile Authenticator (and have been for at least a week), they can confirm the trade in the app to send it through instantly.
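To make the mechanism concrete, here is a small toy model of the trade-hold rule as the post describes it: a trade is held for three days unless both parties have had the Mobile Authenticator for at least a week, in which case the sender confirms it in the app and it goes through at once. This is an added example written for this page, not Valve's code; the `Account`, `Trade` and `TradeLedger` names, the dates and the item names are all constructed. The `recovery_scenario` function walks through the case the post cares about: a hijacked account with no authenticator gets drained to a mule account, the owner regains control inside the hold window and cancels everything, and nothing is released when the hold elapses.

```python
"""Toy model of Steam trade holds (added example, not Valve's own code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

HOLD_DURATION = timedelta(days=3)          # default hold, per the CS:GO blog
AUTHENTICATOR_MIN_AGE = timedelta(days=7)  # app must have been active for a week


@dataclass
class Account:
    name: str
    authenticator_since: Optional[datetime] = None  # None: no Mobile Authenticator

    def authenticator_eligible(self, now: datetime) -> bool:
        return (self.authenticator_since is not None
                and now - self.authenticator_since >= AUTHENTICATOR_MIN_AGE)


@dataclass
class Trade:
    sender: Account
    receiver: Account
    items: List[str]
    release_at: Optional[datetime]   # None: instant path, waits for app confirmation
    state: str = "pending"           # pending | completed | cancelled


class TradeLedger:
    def __init__(self) -> None:
        self.trades: List[Trade] = []

    def propose(self, sender: Account, receiver: Account,
                items: List[str], now: datetime) -> Trade:
        # The instant path applies only when BOTH sides have had the app for a week.
        instant = sender.authenticator_eligible(now) and receiver.authenticator_eligible(now)
        trade = Trade(sender, receiver, items, None if instant else now + HOLD_DURATION)
        self.trades.append(trade)
        return trade

    def confirm_in_app(self, trade: Trade, confirmer: Account) -> bool:
        """The sender confirms on their own device; a held trade cannot be rushed."""
        if trade.state != "pending" or trade.release_at is not None:
            return False
        if confirmer is not trade.sender:
            return False
        trade.state = "completed"
        return True

    def release_due(self, now: datetime) -> List[Trade]:
        """Held trades that were never cancelled complete once the hold elapses."""
        done = []
        for t in self.trades:
            if t.state == "pending" and t.release_at is not None and now >= t.release_at:
                t.state = "completed"
                done.append(t)
        return done

    def cancel_pending_from(self, account: Account) -> int:
        """Owner regains control and cancels every outgoing trade still on hold."""
        n = 0
        for t in self.trades:
            if t.state == "pending" and t.sender is account:
                t.state = "cancelled"
                n += 1
        return n


def recovery_scenario() -> dict:
    """Constructed scenario covering the held, cancelled and instant paths."""
    t0 = datetime(2015, 12, 9, 12, 0)
    ledger = TradeLedger()

    # Hijacked account without the authenticator: the drain to a mule is held.
    victim = Account("victim")
    mule = Account("mule")
    drain = ledger.propose(victim, mule, ["wizard hat", "shark gun"], t0)
    held = drain.release_at == t0 + HOLD_DURATION
    cancelled = ledger.cancel_pending_from(victim)      # owner logs in a day later
    released = ledger.release_due(t0 + HOLD_DURATION)   # hold elapses: nothing moves

    # One party enrolled only three days ago: still held.
    newbie = Account("newbie", t0 - timedelta(days=3))
    veteran = Account("veteran", t0 - timedelta(days=30))
    partial = ledger.propose(newbie, veteran, ["key"], t0)

    # Both parties have had the app for over a week: sender confirms, instant.
    alice = Account("alice", t0 - timedelta(days=10))
    bob = Account("bob", t0 - timedelta(days=8))
    fast = ledger.propose(alice, bob, ["sticker"], t0)
    confirmed = ledger.confirm_in_app(fast, alice)

    return {"held": held, "cancelled": cancelled, "released": len(released),
            "drain_state": drain.state, "partial_held": partial.release_at is not None,
            "instant": fast.release_at is None, "confirmed": confirmed,
            "fast_state": fast.state}


if __name__ == "__main__":
    print(recovery_scenario())
```

The design point worth noticing is that the hold is only useful together with the cancel step: the three days buy the real owner a window in which `cancel_pending_from` still works, and `confirm_in_app` deliberately refuses to shortcut a held trade, so possession of the account password alone is not enough to move items before that window closes.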

A bit of faff for everyone, then, and probably a bigger bummer for folks who don’t have an appy device or whose phones aren’t supported by the Authenticator app.

This all helps Valve too, of course. More people using the Authenticator means fewer folks getting scammed (though social engineering knows no bounds), which means fewer people annoyed about Steam and fewer cases for Steam’s customer support. That last part is probably important. Valve say they’re really trying to make their rubbish customer support less rubbish, and part of their approach has been to reduce the number of potential problems.

Oh, and to celebrate all this, Valve are offering a 5-33% discount on items in the Steam Community Market until December 16th for folks using the Mobile Authenticator. They’d really like for you to use the Mobile Authenticator.


  1. Aerothorn says:

    I am one of said people without an appy device, and thus cannot use this. I realize that people in Bellevue believe that everyone has a modern smartphone, but it’s not true.

    • Aerothorn says:

      And the FAQ on this is incredibly tone deaf:

      “I don’t have a phone. Can I still use the mobile authenticator?

      Not at this time. Support for standalone authenticators is being considered, but is not available today.”

      The issue is not people “not having a phone” (there are a few of those, but not many). The issue is people not having a smartphone.

      • kwyjibo says:

        Smartphone penetration is over 50% in every developed country. They’re just phones now. Maybe the FAQ should read, “I only have a dumbphone. Can I still use the mobile authenticator?”

        link to independent.co.uk

        • LionsPhil says:

          Owning a mobile phone, it seems, should render one ineligible for help when trying to stop themselves and their families from dying in a war.

          That article starts with a strong headline and just runs from there.

        • cpt_freakout says:

          I hope you realize you just basically equated “over 50%” with “everyone”. It is an issue, just because there’s a majority using these kinds of devices it doesn’t mean they should screw whoever isn’t. To emphasize: “over 50%” is only relatively a high percentage.

      • SuicideKing says:

        Actually – the issue is that people with a smartphone may not have or want to have steam installed on it. Like me.

    • slerbal says:

      It’s not just you – I have a Windows Phone and they will not produce any kind of app or authentication for it either. If you don’t have an iDevice or an Android they don’t seem to care.

      • Martel says:

        Microsoft is working on Android app support for Windows phones I think, maybe that’ll help flesh out their app offerings. Valve is big enough though that they could spare the cash for a developer to port it.

        • slerbal says:

          Android app support on windows is definitely not what I’m after. I moved to Windows phone to get away from Android. I guess I doomed myself, which would be ok but this move towards making the Steam Mobile Authenticator only works if people are able to use it.

          Also, unfortunately, I don’t think Gaben is going to shell out for anyone to make a Windows app because he’s been pretty clear that he hates Windows 8 and 10, and while he might have a reasonable beef against MS it is the users who end up suffering with things like this (and the annoying lack of touch support for even scrolling the page in the Steam store).

          • DrGonzo says:

            What is that reasonable beef though? Complaining about Microsoft wanting people in their ecosystem, then releasing a controller that requires not only steam but big picture mode to run, pushing their own OS that comes with their app store built in, and far more locked down than windows 8 or 10 is! Grrr, no touch screen support on the windows desktop version, no windows app and no windows phone app.

            They use many of the same tactics as MS, but then hypocritically slag off MS about it. I’m becoming increasingly disappointed with them, and I used to be a huge fan of theirs. But punishing me as a customer for their vendetta is pushing me away.

      • trjp says:

        You can acquire an Android device for pennies if you REALLY want to get the authenticator working. There are compatible Android phones available new for £30 or less – and used Android devices under £20 and maybe even under £10.

        I realise it’s not ideal but it’s an option – furthermore, unlike a phone you can leave it by your PC permanently and not risk losing access to Steam if you lose/break/leave your phone somewhere…

        • slerbal says:

          I know you are trying to be helpful, but no, that’s not a realistic option. That would smack of the worst levels of corporate customer abuse: “Go buy a different system”. If I wanted an Android, of course I could have one, but I don’t.

          Also, though I certainly have access to that kind of thing, many, many people around the world who use Steam don’t, while most of them do have access to Windows, and the app would work on Windows 10 desktops as well as phones.

          • trjp says:

            Plenty of people I know use old Android phones/tablets as ‘extra screens’ with their PC already – there’s a fair bit you can do other than the authenticator thing:

            Music manager
            Volume control
            Email/Chat notifications

            and so on

            The lack of a Windows port is slightly odd, but as I’ve always said, Windows Phone won’t ever really succeed because MS will fuck about with it/change it/desupport it and developers are sick and tired of that shit (I believe you also have to pay to get into the Windows Store, which deters a LOT of developers from bothering).

            Valve hate MS – SteamOS is 100% about flicking-the-Vs at them – Windows port not likely therefore ;0

      • phuzz says:

        It would make more sense if they just used TOTP, because there’s apps that support that on most platforms. Afterall, why reinvent the wheel?

    • tehfish says:

      You can potentially run it via an Android emulator on a PC.

      link to en.wikipedia.org

      I’ve used it a fair few times on Android games, I presume it’d work for the Steam Android app too.

      • Anguy says:

        I also don’t have a smart telephone but I am using an Android emulator to communicate with a bunch of friends who seem to have forgotten that something else than WhatsApp exists (text messages for example, or you could call).
        Anyhow, the problem with the emulator is that I could only authenticate my login from my home PC, not when I’m, say, at my brother’s place or at a friend’s flat and want to log in there. Which is pretty idiotic, and I dare not think about the program malfunctioning or something, resulting in a lot of hassle to just get Steam going again.
        Only using the authenticator for trades would be fine I suppose, but I don’t think one can choose to use it just for that. Either to log in and everything else or no authenticator at all…

  2. trjp says:

    I’m in two minds about this – I feel that the 2-step login system already in place (password plus code sent to email) should be enough to protect my account tho – and that if it’s not, it’s not MY security which is at fault.

    The authenticator is therefore ‘something else to lose’ or ‘something else to go wrong’ – I’m not 100% sold on the idea and apparently I’m not alone as they’re essentially bribing us to get one.

    Also – it won’t trouble their support dept because by any measure of it they don’t HAVE a support dept.

    • subedii says:

      It’s an extra step, naturally they need to bribe people to take it. Most people didn’t even know or care to turn on two-factor authentication in the first place.

      Maybe it’s just me but I remember people constantly posting things along the lines of “I got this message from a guy who said he was from Steam to give me a FREE game and I just needed to LOG IN at the link he provided but it didn’t work and I didn’t get my free game and also my account isn’t even working anymore HALP!”

      This, even when it says at the very top of every chat dialogue: “Never tell your password to anyone”

      To a large extent this appears largely something to help with trading. Personally I don’t intend to get the app (I don’t do trading and for general use I feel like the e-mail’s enough, maybe my mind will change later) but I don’t think it’s a bad idea to encourage its use either.

    • Chaz says:

      I thought exactly the same way, and then one day a few weeks back I tried to log into my Steam account and found it had been hijacked. I used the 2FA protection with an email being sent to my account with the codes and thought that was plenty good enough. That being the case, it only meant one thing.

      Somehow the sods (Russians of course, is it ever anyone else?) had compromised my email account. So they were able to get a password and email change followed by a login from a different machine authorized. Fortunately I check my Steam account more or less every day and was able to nip it in the bud before I lost anything. After noticing my Steam account had been hijacked I logged onto the webmail server for my email accounts and found the Steam authorization request mails in the deleted items store. All pointing to IPs in Russia.

      Managing the fallout from having a compromised email account however was a lot more hassle. After that they tried a couple more unsuccessful attempts to access a few of my other internet accounts. By that time however I had spent a couple of evenings changing associated email accounts and passwords for just about everything I could think of. You just don’t realise how many different accounts you have registered online until you start to list them all and try and remember the emails and passwords you used for them. If you’ve never really organised it before, it is a major headache and time sink. Every forum you’re registered with, every online store you’ve had to register with to make a purchase, not to mention all the big stuff like Pay Pal, eBay, Microsoft account etc etc.

      I do however realise that having your email account hacked is probably a rare thing. In my case I land the blame squarely at the feet of Virgin Media’s incompetent handling of their new mail servers. My email account passwords were only used for those accounts and nothing else, and the only time they got typed in anywhere was to setup the mail accounts on my PC and tablet. I was still using the old Blueyonder domain addresses for my email. Shortly after Virgin switched over from using Google’s email servers to their own, myself and many other BY address holders noticed a huge upsurge in spoofing using our account addresses, with my accounts getting swamped with spoofing returns. Then about a week later, that’s when I find my accounts had been compromised. Coincidence? Not likely as far as I’m concerned. Another bizarre thing about the switch over from the Google’s servers to Virgin’s own, was that I had to change my account passwords to something less secure. I used to have passwords for the accounts made up from letters numbers and special characters, whereas the new servers only supported passwords using letters and numbers. Which I thought was pretty poor really.

      On the upside I have now moved over to using Gmail, which is 2FA protected and frankly just far more convenient than using the old accounts on Virgin’s mail servers. Virgin’s webmail browser sucks balls too. Also I have got my account handling and password management a bit more organised now. I used to work in IT so I was already pretty security conscious and have full up-to-date AV across all my devices. My mobile’s wi-fi and data is always off by default and I’m very particular about what I install. But no matter how careful you are in protecting your own machines, you are to some extent still reliant on the security of those who keep your data. Just ask a TalkTalk customer about that.

      If I have one main takeaway from my experiences, it is to use as many different passwords as you can for all your different logins. Also it’s preferable to have different email addresses for different types of stuff. I have an email account I use for games logins and forums etc, one for business related stuff and another for personal things. It just helps keep things separated off if one of those accounts does become compromised. Doing that with my accounts saved me from a lot of pain, as after they’d got my email account password, it looked like they’d then tried the same password on other accounts using the same email address for their logins. As that password was unique to that account, they had no joy.

      So yeah, now I use the Steam Guard app, and have set up 2FA on every account that does it, preferably sending codes via text to my phone. Most people assume it will never happen to them, but just take a moment to think about the setup of your accounts and how screwed you might be if it did happen. If it does happen, there would probably have been very little extra you could do to have prevented it, but you can certainly do a lot to limit the resulting damage.

  3. Baines says:

    Sounds like the nail in the coffin for those who remotely care about Steam Trading Cards but don’t want to use the Marketplace to “trade”.

  4. The Sombrero Kid says:

    I haven’t checked but you can almost certainly use the mobile authenticator on any device with an android runtime, like a pc for example.

  5. flexm says:

    It would’ve been better if they had made the hold always be there. No need for people with wrong phones to need to feel excluded, and plenty of time for people to consider what they’re doing when spending large amounts of real money for virtual hats.

  6. _Nocturnal says:

    The thing is, Valve have been pestering me to give them my phone number for months, in various, increasingly aggressive ways, that couldn’t be turned off. And I don’t see a reason to do it. I’m happy with the email code system. But they keep asking and integrating phone numbers into stuff, so I’m left with the impression that the whole thing is more for their benefit, rather than their customers’.

    • trjp says:

      I’m not sure it is – I don’t really see Valve selling-off their customer database (or their entire company) – do you?

      Backup emails don’t work for most people – hell, most people struggle to remember ONE email address/password at the best of times.

      Mobile recovery makes sense – people are a BIT savvier about their phone/keeping their number (tho some people are tiresome fuckers who change numbers so often I’ve stopped caring about them!) :)

      • Orillion says:

        It’s not really about whether or not they intend to intentionally sell user information; if the information can be accessed when logging in, then it’s held in a database that connects to the Internet. Every one of these idiot companies seems to think it’s the exception to the rule that no online database is perfectly secure.

        • trjp says:

          Oh, I completely agree with the idea of giving as little info as possible – in order to use a fitness tracker this week I had to offer up access to either a Facebook/Google/YMail account – that is, give OAuth2 access via it!!!!

          Also – just to register for information from a company they wanted phone/email details (and would not accept dummy content!!)

          Fuck these people

    • alms says:

      Indeed, these days everyone wants you to install an app on your smartphone; the preoccupation is to gather all kinds of different information and, in Valve’s case, most likely to build a marketing profile and sell more, more effectively.

      At this stage smartphones are effectively consensual spyware anyway, and I do realize we are at a point in history where companies having a wider picture and deeper understanding of you than the people around you is a huge trend.

      What’s worse is that everybody seems to be fine with this. It’s an ugly trend, that I cannot see as anything other than leading to worse things.

      I’d say the times are almost ready for a privacy-oriented fork of Cyanogen, if nobody is doing that already.

  7. epmode says:

    By the way, you can use WinAuth in lieu of a mobile device. It’s compatible with a few useful services including Steam and Battle.net: link to github.com

  8. TheManfromAntarctica says:

    Can people make money with those hats? Everything sold on the Steam Market only inflates somebody’s steam wallet to buy more videogames. Are there black markets where people pay real money to PayPal accounts?

    • trjp says:

      Of course there are and that’s why all this security stuff exists ;0

    • Pantalaimon says:

      Hat barons make living salaries from selling cosmetic items. Yes. It’s not even difficult to turn a small profit as a normal person, either.

  9. Sam says:

    Looks needed. Scams happen too often, and sometimes people lose items worth thousands of dollars.
    link to youtu.be

  10. Cantisque says:

    I find it ridiculous that Valve expects people to have an Android/iOS device just to use Steam’s trading feature. The two facts that rile me up are
    1) Trading isn’t even supported on the Steam app.
    2) Even if you have a compatible phone, the Steam app is terrible.

    • Pantalaimon says:

      You can still trade without, you just have to wait a few days. Their logic is that if it matters to you to trade instantly then by that token you’re probably in the same tech-savvy crowd of users who own devices capable of authing. And to be realistic, you can use devices from nearly a decade ago (or maybe even older than that) just to auth your device. If it matters that much, you can get them for a tenner on eBay. I have a third gen iPod from 2009 that I use to auth some things.

      Two step authentication is something that everyone should be using, though, and it’s only going to increase in usage going forward, so it’s probably wise to invest in a modern capable mobile or tablet device.

    • purex. says:

      1) Trading is supported on the Steam app, in the form of trade requests at least
      2) This wouldn’t qualify as a fact, but still, the newer version of the app works much better and has many of the features that were sorely missing before, such as the aforementioned trading and library browsing