Valve Tighten Steam Trading Security Again

77,000 Steam accounts were hijacked each month and pillaged of their wizard hats, trading cards, and other imaginary items, Valve said in December 2015. At the time, Valve had just added ‘trade hold’ delays to help stop people who’d been hacked or scammed from losing their goodies. Now they’ve tweaked security procedures again, including introducing holds on the Steam Market too.

I only use the Market to flog ‘trading cards’ then spend the pennies on imaginary wizard hats, but for some it’s a hobby, a way to help fund buying games, or even business.

The changes last year meant that folks who wanted to swap items over Steam Trading would have their items held for three days. This short period would give folks whose accounts were compromised (whether they were tricked into giving their password out or had it stolen) a little time to notice and put a stop to it before their items were muled away to be sold or traded on. However, traders could skip this hold period if they used the Steam Guard Mobile Authenticator, a two-factor authentication app which (in theory) keeps accounts secure.

Valve’s latest changes, coming into effect on March 9th, include adding a hold period to the Steam Market, the place where folks can sell items for spendable ‘Steam Wallet’ credit. Hold periods for both Trading and the Market are bumped up to fifteen days too. But, as before, this can be skipped if you’re using the Mobile Authenticator.

Valve really would like folks to use the Authenticator, see. Thousands of folks being robbed isn’t good for either the robbed or Steam. Not to mention that it surely creates a lot of work for Valve’s often-troubled customer service department.

This tightened security is going well, Valve say:

“Since the last account security update, we’ve made significant progress in protecting accounts. In addition to significantly increasing the size of Steam Support to improve response times, individual accounts protected by the Steam Guard Mobile Authenticator on a separate device turned out to be even more effective than we’d hoped. For customers who have yet to add the Steam Guard Mobile Authenticator, trade holds have been helpful in keeping items secure, and we expect that the added duration and extension of holds to the Steam Community Market will further improve security.”

As if you haven’t yet got the message that Valve really want you to use the Authenticator, the final change coming on March 9th is that Valve will no longer restore items that leave an account through Trading or the Market. They say it’s to stop duplication devaluing the item economy (yes, I know) but also, well, I suspect they’re sick of having to do it.

To recap: use the Steam Mobile Authenticator if you’re fussed about trades and market sales completing quickly. If you’re more casual about it, you probably won’t even notice this – unless you get hacked and Valve refuse to restore your stuff.


  1. Catweasel says:

    Why the heck would I have to wait 15 days to list an item that CS just dropped for me? If the item is given to me by steam how can it not be legit? There’s no reason to hold it. I don’t have an android or ios smartphone so I’m barred from selling items, basically. Over 15 days the price of items drops to the point that my item will now be listed as too pricy and will never sell. Why don’t they offer basic sms messages as authentication, or the keychain authenticators Blizzard offers? I hate this.

    • Funso Banjo says:

      You can buy a cheap android phone for £20.

      That’s not much more than the keychains (which for some reason are way more expensive here in the UK than in the US).

      • Funso Banjo says:

        Obviously, the phone sucks, but it runs the authenticator just fine. Plus you get something for an extra few quid over the keychain that can play your podcasts, double as a DAB radio, has a (bad) camera, can view websites, and any number of other things.

        • Catweasel says:

          I don’t need ANY of that junk though, I have a tablet. Why can’t they just do sms instead of a dumb app?

          • Ringwraith says:

            Costs them more money.

            I will say £20 is probably more than I make from selling stuff from CSGO, that quickly changes value anyway, so it’s kinda put a damper on that.

          • Didero says:

            If you have an Android or iOS tablet, would Valve’s authenticator app work on that too? Or does it use the phone network for something?

          • Catweasel says:

            It doesn’t work with my tablet because it expects it to be an android phone and have phone service, it’s super frustrating.

          • Suits says:

            @Didero It doesn’t need cellular no, just an internet connection.

          • markzero says:

            Catweasel, I have the Steam Authenticator set up on my Android tablet. Maybe you checked it a long time ago and it didn’t work then (devs can specify phone only in the Play Store), but it certainly works now.

    • Demios says:

      “I’m upset that this item I got for free while playing a game I enjoy cannot be sold immediately unless I have a mobile authentication. I’m also too shortsighted to realize that android emulators exist and I don’t actually have to spend money on a phone.”

      • Aerothorn says:

        This is a decidedly unexcellent post and should probably be deleted, but in case it isn’t: not knowing about android emulators does not make one “shortsighted,” nor does not wanting to bother setting one up so you can sell steam cards for a few pennies.

    • Punning Pundit says:

      I would sign up for basic SMS 2 factor authentication for my Steam account in a heartbeat! But I’ve heard too many horror stories about phone authenticators and lost phones to ever be comfortable downloading a specific app.

      • markzero says:

        Modern software authenticators, like Steam’s, include static “recovery codes” so you can remove them from your account if you lose them.

        First thing you do after attaching this one to your account is click on Steam Guard in the menu (on the Android version, at least) and underneath the temporary code is a section with a flyout for recovery codes. Copy it somewhere (I just took a screenshot and moved it to my PC) and you should be safe.

        • sedouri says:

          The iOS version works exactly the same way, and the flyout is named “My Recovery Code” making it pretty hard to miss.

  2. Mokinokaro says:

    On a sad note, these changes have killed Idlemaster, the most convenient way to get card drops from Steam as the creator does not wish to use a mobile authenticator.

    • Jalan says:

      Given that it’s the same guy who made that browser extension that dropped Firefox support entirely, maybe his time and efforts would be better spent applying for an internship at Google or something more feasible toward his interests at his this point.

      • Jalan says:

        *at this point

        Every other time the lack of editing comes back to bite me.

    • markzero says:

      I’m still able to use the latest version of IdleMaster, I just have to reauthenticate it every few days. An annoyance, but not as bad as complete breakage by any means.

  3. Shadow says:

    Out of curiosity, is the mobile authenticator a significant (and necessary) step-up compared to receiving the code via e-mail? The hackers would need to hack both your Steam account AND e-mail account for the system to fail.

    • keefybabe says:

      Yeah, but there are wallies who use the same password for both their email and steam.

      • Xiyng says:

        I would imagine losing the email account is more serious than losing some stuff on Steam. If someone has access to your email account, it also means access to tons of other places. Also, any decent service (such as email or Steam) stores passwords in a hashed form, which means they’re quite slow to crack unless it’s a really simple password. If you have a simple password and you use it in a lot of places, I’d say that’s pretty horrible.

        All in all, I’d say email authentication should be enough. The mobile authenticator is a huge hassle, especially since it’s required for each login. I’d be much more understanding for it if it required the authentication for each trade you make (and I imagine even authenticating the first trade of the session should be enough). Valve’s way to handle authentication just feels like overkill and a major inconvenience.

        • keefybabe says:

          Absolutely but all I was saying is if you use the same password for both then it’s a case of one hacked, both hacked.

      • markzero says:

        And then there are the people who use different and suitably hard passwords, but log into their personal accounts while on computers at school, at the library, or in the “business center” sections of hotels while traveling, without thinking about the probability they’ve got keyloggers installed.

        • Press X to Gary Busey says:

          Piratpartiet (the Swedish Pirate Party) demonstrated how little people care about privacy and security during a defence conference last year (Folk och Försvar).

          They had an open access point where they logged all connected traffic and several people connected their phones to the unencrypted network and accessed government mail servers. The metadata could also be used to identify and track individual politicians, journalists and government officials who had connected.

          That’s supposedly people who should’ve had internet security drilled into their heads for years.

    • trjp says:

      In terms of being hacked, the only thing the Authenticator adds is a time-sensitivity thing.

      A hacker who wants to get into a Steam Guarded account needs someone to either give them a password AND either a Guard Code or disable Steam Guard.

      A hacker who wants to get into an Authenticator Account needs the password, Steam Guard disabled AND a timely Authenticator code (auth codes only work for 30secs usually?)

      Realistically I think this is more a ‘change in emphasis’ – when we switched to PIN codes for Credit/Debit Cards they also changed responsibility for fraud from the card company to the store taking the money

      The authenticator is putting the power of security into your hands – literally – you are the only person who can open your account – you have the only key – so if it’s hacked, it’s definitely you and not “cos Steam and my email was hacked”

      • jrodman says:

        Do you mean that they’ll claim it or that it’s true?

        It certainly seems like replay attacks will still work, though there are some challenges.
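As an added illustration of the time-sensitivity and replay question raised in this thread (this is not code from the original post, and not Steam’s proprietary authenticator, which uses its own code format): a generic RFC 6238 TOTP check with a 30-second step, a one-step clock-skew window, and single-use enforcement so that a code captured by a keylogger cannot be replayed within its validity window. The secret and timestamps are constructed for the example.

```python
import hmac
import hashlib
import struct

STEP = 30        # seconds per code, matching the "30secs" assumption above
DIGITS = 6
WINDOW = 1       # accept one step of clock skew either side of "now"


def totp(secret: bytes, t: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Generic RFC 6238 TOTP over HMAC-SHA1 (not Steam's own code alphabet)."""
    counter = struct.pack(">Q", t // step)            # 8-byte big-endian step
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Verifier:
    """Server side: accept a code only inside the skew window and only once.

    Remembering the highest step already consumed is what turns a
    'time-sensitive' code into a 'single-use' one: a code observed and
    resubmitted within the same 30-second step is rejected.
    """

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step_used = -1    # highest step counter already consumed

    def verify(self, code: str, now: int) -> bool:
        for delta in range(-WINDOW, WINDOW + 1):
            t = now + delta * STEP
            step = t // STEP
            # constant-time compare so the check itself leaks nothing
            if hmac.compare_digest(totp(self.secret, t), code):
                if step <= self.last_step_used:
                    return False        # replay of a step already used
                self.last_step_used = step
                return True
        return False                    # expired, wrong, or never valid
```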

  4. LionsPhil says:

    If there’s any question on where their priorities lie, note that they don’t give us the most secure option, “disable all this trading crap and just let me use my account to play games”, because they don’t want to shut out the possibility we’ll get suckered into that lucrative side business.

    • Ringwraith says:

      Errrm, if you don’t trade in any cosmetic tat, this doesn’t affect you? At all?
      Pretty much?

      • LionsPhil says:

        See Oakreef below, basically. Dropping cards, crates, etc. (or the possibility of cards, crates, etc.) on me paints a target on my account.

        • jrodman says:

          Dear god if they would just let me opt out of the circus, that would be the best steam feature yet.

      • trjp says:

        Only from a PoV that the whole circus draws a target on your account whether you take part or not

        You don’t want to lose your Steam Account at the best of times – making it more desirable to steal without adding benefit to you isn’t ideal.

        XBOX accounts were mostly worthless until that stupid FIFA card collecting thing came along – they were tradeable which meant getting into an account, spending a little money on the cards, trading them out and moving along became the in-thing.

    • Mokinokaro says:

      Yep. If you’re not trading items the hold is meaningless to you anyways.

  5. Solidstate89 says:

    Can’t use something that isn’t available to my platform. Why Steam felt the need to roll its own 2FA system instead of just using an industry standard like the TOTP system used by Facebook, Google, Microsoft, Amazon, etc, I’ll never know.

  6. instantcoffe says:

    At least release an app for every (major) platform if you intend to basically force your users to use it.

  7. Oakreef says:

    I miss the days when my Steam account wasn’t such a target for people wanting to carry out money laundering.

  8. Legion23 says:

    I learned yesterday that if you want to remove a phone number from your Steam account you need to put in a code sent to that number. So if you lost your phone or somebody stole it you have a problem removing that number from your account and you cannot add a new number either. I removed my phone number and will ignore the Steam market in the future.

    • alison says:

      This is the main reason i hate modern two-factor authentication. It was a nightmare trying to get back into my Google account two phones ago. I immediately disabled the “feature”, fortunately, since i lost my replacement phone a few weeks afterwards. I don’t know what possessed security developers to think that it would be a great idea to bind two-factor authorization to a small physical device that is so prone to loss/breakage/theft/falling in the toilet.

  9. Aerothorn says:

    As someone who has no desire to own a smartphone, and will obviously not buy one for the sole purpose of selling Steam Cards, I am very bummed about this news.

  10. jrodman says:

    Pretty soon you won’t be able to communicate on the steam game discussion stuff if you don’t have a mobile authenticator. I wish this stuff had a more palpable effect on Steam usage levels.

  11. trjp says:

    I have a smartphone with me constantly and spares lying around should I choose to use one JUST for this and I’m still not going to do it.

    The market/trading hold stuff just means I won’t do it – I’ve had my “free money for JPEGs” anyway!

    To my mind, the authenticator just adds a hurdle to a system I don’t need – Steam Guard stops people logging-into my account unless they live in my house, no idea why I need another layer of crap?

    • winter says:

      Yeah, I had a horrible experience with the Mobile Authenticator to the point where I just had to get rid of it. Not only was it a major inconvenience for when I didn’t have my phone right next to me, but during the Holiday Sale, it ended up straight up not working. I can’t remember what exactly happened, but I ended up not being able to trade anything (I think there was something I couldn’t figure out), so I ended up switching back to the email option (it’s much more convenient anyways.) I got a 15 day trade hold that resulted in me not being able to buy anything off the market during the entire sale. I guess it’s partially my fault for that, but after that awful experience, I don’t like essentially being forced to use it now.