77,000 Steam Accounts Hijacked Each Month For Items

Big wheel keep on turning, Proud Mary keep on burning

Valve recently introduced ‘trade hold’ waiting periods for people swapping virtual guns, hats, trading cards and whatnot on Steam, intended both as a roadblock for people hijacking accounts to steal items and simply to get folks using the Steam Authenticator – which can bypass the waiting period. Responses were not wholly enthusiastic, so Valve have now tweaked the system a little and also explained more of the reasoning behind their decision. This includes the staggering statement: “We see around 77,000 accounts hijacked and pillaged each month.” Dang!

Valve say that account theft “has increased twenty-fold as the number one complaint from our users” since they introduced Steam Trading. It sucks for people to suffer, and their method of restoring stolen things also created duplicates, devaluing rare items (which can be remarkably valuable, you know). They say it’s a concern for everyone:

“First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers. Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”

While some have grumbled that only the new and naive are hit, so all traders suffered for their sweet innocence (cherish it, you beauties, oh cherish it), Valve say it ain’t so:

“These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.”

But they recognise that their first crack at trade holds was a bit of a nuisance, so they’ve revised it a little. The new rules are a lot friendlier to folks who trade with, and give things to, their pals. If you’ve been Steam Friends with the other trader for a year, the waiting period’s only one day. The three-day waiting period now only applies if the person losing the item doesn’t have the Authenticator; previously both people needed to be using it to confirm trades and push them through instantly. New devices added to an already-Authenticated account don’t need to wait seven days to become legit either.

Anyway, Valve have plenty more to say, if you’re curious. They do also go into things like why folks need to use the Steam Authenticator rather than a generic one.

Of course, cheats and thieves are already trying to trick Steamers with malware masquerading as trade authentication software.

53 Comments

  1. PseudoKnight says:

    We’d probably be better off if they just removed Steam Trading. It affects a few things like this and none of them are good. With 77,000 accounts stolen a month, it’s no wonder their support is stretched thin.

    • Pazguato says:

      Agreed.

    • basilisk says:

      We would be. Valve would not.

    • Crocobutt says:

      We never asked for this.

      P.S. – … sorry.

    • Press X to Gary Busey says:

      The trading (outside the market) is a huge wheel in their salami slicing economy. The only reason they would shut it down would be if customer service costs eat the profit. Hence forcing protection mechanisms on the naive and hacking victims rather than shutting down the penny faucet.

    • LegendaryTeeth says:

      I use it all the time to do things like buying games for my wife during a sale and holding on to them until Christmas/her birthday. Or to swap cards with friends. Or grabbing a 4-pack of a LAN party game on sale to give out at a LAN party.

      I would lose a lot if trading was gone.

      That said, only being able to (efficiently) trade with trusted friends’ accounts would also work for me.

  2. Todd Hawks says:

    This all begs a question no one has asked yet: How is it possible that so many accounts are hacked each month? Steam itself says it’s not due to their users being naive (and giving out passwords or having bad passwords) and that
    “Hackers can wait months for a payoff, all the while relentlessly attempting to gain access”.

    At least from these comments it seems that the Steam accounts are worryingly badly secured. While I don’t care about trading at all, they should rather tighten their security.

    • Solidstate89 says:

      Probably dedicated spear phishing campaigns. Targeted malware as well – nothing more effective than a keylogger.

      I also doubt any of those people had the 2FA activated either. There’s tons of ways to get access to an account without the service itself being at fault.

    • Malarious says:

      That’s… not how security works. When your users are stupid, use the same password for multiple sites, don’t have multi-factor authentication, fall for phishing scams, are infected with malware or keyloggers, there’s not much Valve can do, except, you know, what they just tried — forcing as many people to use a form of security that scammers will have a bit more difficulty defeating.

      Again, remember that many Steam users are young and technically incompetent. 12 year olds don’t exactly practice perfect account discipline. 70,000+ hijacked accounts per month is a lot, sure, but it’s more of a testament to Valve’s widespread success than indicative of “poor security” on their behalf.

      Steam did have a bug in their password reset logic a few months ago, but it was patched really quickly and no damage was done. In 99.9% of cases, if your Steam account is hacked, it’s your own fault.

      Steam’s account database hasn’t been compromised. There’s not some hidden backdoor in their website that the hackers are siphoning data from. It’s the users, making awful decisions, who are inflating the number of stolen accounts per month.

      • Todd Hawks says:

        I know how security works. What you are saying contradicts what Valve is saying (namely “it’s not the users fault”), hence my comment.

        • Ragnar says:

          Of course they say that. Blaming your users is not a good business strategy.

        • Beanbee says:

          It’s also basic human errors. Most people fuck up some of the time, even people whose job is to secure computer systems for a living.

  3. int says:

    Never use the password “password”. Add a number after it, like “password1”. That’s thinking outside the box.

  4. Ross Angus says:

    I thought Steam was a closed system, when it comes to money: once your money’s in there, it can only be spent on Steam products.

    How do these scammers get the money out?

    • welverin says:

      There are ways and sites to do things outside of Steam, which is required if you want to sell the really expensive items, since there’s a money cap on the marketplace.

      • welverin says:

        Oh, and necessary if you want to avoid the Valve tax on the marketplace, which is important if you’re selling something worth hundreds of dollars or more.

        • Jalan says:

          Yeah, those TF2, Dota 2 and CS:GO thousand+ value transactions would be crippled if Valve had the ability to take a cut.

    • Cyroch says:

      The first idea I could come up with is the following:
      Pillage account and transfer its items to your account. Sell items on your account. Use money to buy games on steam as gifts to be put in your inventory. Sell steam gifts on shady keyshops. Get cash.

    • Lyrion says:

      With stuff like G2A or Kinguin, you could buy games in steam and then sell them there.

  5. Crocobutt says:

    I never liked or understood the idea of steam trading cards. I “sell” mine as soon as possible since they’re only worth a few cents each and never participate in their fancy collect-a-thons where they encourage you to spend money to get item sets to get discounts. I just want games.

    It’s a fake economy, people may be better off going into real stock trading. Who am I to argue tho, Valve probably makes large sacks of gold with the digital replicable goods.

  6. Sin Vega says:

    I really wish they’d have an option to just completely opt out of all this ‘items’ bullshit. Hell, let me drop the ‘achievements’ crap too, I don’t care, just let me play my games and leave me alone.

    • LionsPhil says:

      Yeah:

      “Essentially all Steam accounts are now targets.”

      Because you made them targets, Valve.

      However, they know exactly what they’re doing. They want you to carry that crap around as the psychological baggage that may one day wear you down into trading some of it, earning them another little slice. It’s the “you’ve already got two of ten loyalty card stamps for a free coffee!” strategy.

      I miss when their business focused pretty much solely on encouraging me to get games to play with my friends in exchange for money. That was a good business model for both sides.

      • Oakreef says:

        Yeah Valve likes to talk about how they’ve created “value” for users with this stuff but for those of us who like to buy games then play them and not engage in this economy of virtual junk all they’ve created is liability.

      • Mario Figueiredo says:

        To this day I don’t even know how to “play” this whole trading card thing and those other… things they added. I honestly don’t know anything about any of it. I’m a complete and happy newb to anything outside the basic concept of Steam Store and my games list.

        So I think that in a way, they do hide that whole nonsense away from those of us who want to have nothing to do with it. But it still lacks an actual functional filter.

        I think the criticism should be more basic. The real problem here is that they shouldn’t have created this whole steam cards and whatnot bullshit in the first place. It’s gamification to the highest degree of a system that would be a lot better without it and had never asked for it. And it’s dangerously close to generating the same type of gaming mentality on users as a Casino can on a game addict.

        So I’m not surprised, at all, by the fierceness with which certain people defend Valve gamification of a digital distribution platform. And I’m actually worried about it. Valve lacks a filter. And until that happens my daughters won’t be allowed to have a Steam account. I have emailed Valve twice about this very issue. I have received no answer.

    • rumtotinggamer says:

      THIS, I don’t blame them for making steam something more than a green thing needed to play HL2, but damn all this primary school like tat on it is annoying. I have a badge for 11 years of service on it and the only thing that does for me is make me feel old.

    • Kefren says:

      Same here. Things like that clutter up my interface and add complications. I have a vague memory of having to turn something off so I wouldn’t see achievements (a “Steam overlay”?) that then meant some other things didn’t work. I only play single player games, and only want to experience a story, not have other tat around it.

    • silentdan says:

      While I like the Steam overlay for the Friends list and screenshot management, I loathe achievements and wish I didn’t have to become aware of them. I’d also like to turn off card drops. The money I make from selling them is less than I’d make from going to work for the same amount of time. Most of the time, it’s less than minimum wage.

    • po says:

      It’s like how the mobile authenticator is part of a whole Steam app, that does a whole load of nonsense I have no interest in, no doubt involving annoying notifications that I’ll have to keep disabling.

  7. DelrueOfDetroit says:

    Woah now! Reddit users are getting scammed? There is no hope. We are truly dealing with the cream of the criminal crop.

  8. johnnyplayer says:

    Spyshelter prevented a second theft for me; I had already had an incident in the past.

  9. Stuart Walton says:

    Maybe what Steam needs is an auto-sell option that automatically puts any items you get up on the market. You get to choose what type of items get added and how long before they get auto-added. Items you want to keep can be flagged for exclusion.

    It would at least be fun to see the traders cry as their ‘stock’ valuation comes crashing down.

    • Stellar Duck says:

      I also want bulk sell. So much and I can’t be arsed to suffer through the ui to delete or sell it individually.

      • MonkeyJug says:

        If you use Chrome, there is an extension called Steam Inventory Helper. You can select multiple items at the same time and auto-sell them for their default price, and can even auto adjust the price + or – any value.

        I listed 4000 items recently and set the value to default +2p. I’ve currently accrued almost £100 in my Steam wallet in readiness for the upcoming sale…

  10. Catweasel says:

    If hackers wait months for a payoff, how does a 3 day wait mean anything at all?

    • LionsPhil says:

      The idea is presumably that in those three days the actual account holder will notice that their account has been nicked and get on to Steam support to hold any activity and regain access.

      Steam support will look at their ticket within three days of receipt, right?

      • Chaz says:

        When my account was hijacked I had it returned to me less than 3 hours after I put the ticket in.

  11. Niente says:

    There’s some real Last of the Summer Wine fustiness here. People who pretend not to know what the Steam Overlay is, others who JUST WANT TO PLAY VIDEOGAMES and ivory tower dwellers who feel they are literally and intellectually better than those who demean themselves with Trading Cards and the Steam Market and the like.

    Is RPS now the gamer’s equivalent of the Daily Mail?
    :)

    • FuriKuri says:

      Comparing a publication to the Daily Mail is a bit of a Godwin tbh.

    • Mario Figueiredo says:

      You read too much into stuff. Maybe a complex of inferiority…

    • SnE says:

      I don’t know if it’s whining to say that you don’t see how Steam adds value apart from allowing you to play games that are unavailable through other DRM applications. And i think it’s just common sense to be frustrated with a DRM platform which offers no value AND has account security issues (my account was hacked years ago when i gave up on Steam).

      My expectation in playing a game might be different from yours – when i play a game, i want the bare minimum between me and playing – especially since i don’t have a lot of time to game these days. Achievements and trading cards and even multi-player are absolutely worthless to me. When i think of Steam, i think of barrier to game play and the reason i bought a console and play GOG games these days.

    • Ovno says:

      I for one feel intellectually far better than those who value all these items of worthless digital tat, but that’s not the point.

      The point is we want to opt out of it, not just try and ignore it and get annoyed at it pretending I have a message when in fact I have a ‘digital trading card’!!!

      If I could delete (for a reasonable amount of effort) them I would, if I could hide them I would, and if I could block them I would.

      But no, instead I have to put up with them and now I have to worry about getting hacked because of them, just give us the option to opt out and make that opting out publicly visible so no one bothers hacking those who don’t want any part of it!!!

  12. Chaoslord AJ says:

    In about 16 years of internet with 50+ accounts I’ve never once been “hacked” if you want to call phishing and distributing malware “hacking” at all.
    On the other hand you don’t need to run faster than the lion only be better than the next guy or rather more strict with password policy.
    If steam says it’s not the user’s fault they mean they don’t really expect much from their users. Blaming the users (sweet naive flowers these days) harms their “business” – that is in this regard the taxing of the trade of virtual commodities, some “business”, Valve.

  13. Koinzellgaming says:

    I feel like one of the biggest retarded choices is that Steam has absolutely NO way of changing your sign in username. Once an account has been hacked the hackers will always be able to know the sign in username of that account. The fact you can’t change one of your most important account details even if your account is compromised is bullshit.

    A simple thing like that is not an option, and it simply has no reason for them to not add that EASY function.. Pretty much every other webpage has that option, just not the platform that belongs to the multi-billion dollar business of Valve.

    Their customer service might as well be an AI that scans the general words from a message and sends out an automated message as well..

    As a sales platform EA’s Origin is 100 times better than Valve.. The only thing that keeps me using steam is my 800 games in my library…

    • Optimaximal says:

      The user database probably uses the username as the primary key for the account. Changing this to be a unique auto-incrementing number or some other system would require a front-to-back refactoring of their entire system.

      Something like that has huge, wide-reaching issues – remember the ‘system’ is more than 10 years old now… Best Practices change. Heck, there’s a good chance the first database they used ran on a 32-bit system, meaning if they used an auto-number for the accounts, then they’re in danger of running out of unsigned numbers fairly quickly (depending how they use them).

      • Koinzellgaming says:

        Then we should agree that it’s about time for Valve to update those databases to be up to date with our current standards.

  14. po says:

    What I don’t understand is why they need my phone number to activate the authenticator.

    I didn’t need to give it to Blizzard to use theirs, neither did I need to give it to any of the companies that I use the Google authenticator for.

  15. flexm says:

    It would be pretty neat if you could check a box for “automatically donate cards”, which would just throw any new cards onto a separate marketplace priced at twice the current average “real market value”.

    Then people could buy from the donation pile with Valve giving any moneys from there to charity. Leaving the normal market to go on as usual, whilst letting people who don’t care about cards never having to see the little notification icon light up.

  16. joekiller says:

    Valve isn’t locking down for your trading cards people, it’s all about the hats. 38% of people playing play 3 games: DOTA, CS and TF2. Hats and knives can be worth $1000s and are desirable because they make your in game character unique. Casual players don’t care about this stuff and don’t trade. But there are many players who put in many many (thousands) of hours into the games as they are fun. Valve gives casual gamers games and hard core gamers a community way beyond the game. The top 6 TF2 backpacks are all valued at over $50k. The top 5000 packs are all worth over $1k. The rub is that noobs sometimes get top items and those players are the most common victims of scams and hijacks. The guard is to protect from noobs getting hit and making valve focus on duping hats and unlocking accounts of those which have been hacked. Do you want valve spending their money on call centers or new tech, immersive gameplay and better community?