
Valve releases explanation/statement about Security and Trading

It's today that Steam trade holds go live: www.neogaf.com/forum/showthread.php?t=1146509

http://store.steampowered.com/news/19618/

Recently we've seen the community have a good discussion about the pros and cons of trade holds. We thought we'd walk through how we decided to implement them, in the hopes that it helps you understand why they're absolutely necessary.

Compromised accounts and item theft

Account theft has been around since Steam began, but with the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users. Having your account stolen, and your items traded away, is a terrible experience, and we hated that it was becoming more common for our customers.

Once an account was compromised, the items would be quickly cleaned out. They'd then be traded again and again, eventually being sold to an innocent user. Looking at their account activity, it wasn't too hard to figure out what happened, but undoing it was harder because we don't want to take things away from innocent users. We decided to err on the side of protecting them: we left the stolen goods, and we created duplicates on the original compromised account to replace them. We were fully aware of the tradeoff here. Duplicating the stolen items devalues all the other equivalent items in the economy. This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence.

The number of hijacked accounts continues to grow

This was an unacceptable status quo and we needed to address it. In revisiting our strategy to stop it, we found two things of note.

First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers. Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time. Essentially all Steam accounts are now targets.

The "I got hacked" story is told so frequently it's become commonplace. And that makes it easy to forget its significance: compromised security of email accounts and PCs, Steam account violation, and theft. We used to hold the opinion that if you were smart about account security, you'd be protected--it's easy to assume that users whose accounts were stolen were new or technically naïve users who must be sharing their passwords or clicking on suspicious links. That's simply not the case.

What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don't understand how to stay secure online, but the prevalence of items make it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.

We can help users who've been hacked by restoring their accounts and items, but that doesn't deter the business of hacking accounts. It's only getting worse.

How we can stop it

We've worked to improve account security features, closed loopholes, improved how and when we message users that their account is at risk, added self-locking, and created the Steam Guard Mobile Authenticator (two-factor authentication).

Two-factor authorization is the use of a separate device to confirm your identity. The security of this system is based on moving that step from your PC to a device a hacker can't access, such as your smartphone. PCs can be easily compromised, therefore a PC-based authenticator would not provide better security than a password or email authentication.

We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.

Here's the tradeoff

At this time, most people have not protected their account with this increased level of security. Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authorization. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone.

So what if instead of trying to prevent hackers from being able to steal a Steam account that hasn't enabled two-factor authentication, we tried removing their ability to profit from the theft. If hackers couldn't move the stolen goods off the hacked account, then they couldn't sell them for real money, and that would remove the primary incentive to steal the account. Hackers fundamentally rely on trading to offload stolen goods. The Steam Community Market doesn't work well for that purpose, because purchases can't be moved around as quickly (purchased items can't be traded for 7 days), and they can't ensure the items move to an account they control.

One option proposed was to simply remove trading. The Steam Market already accounted for the vast majority of virtual goods exchanged by Steam users. We even generate revenue off those transactions, which helps cover the cost of fraud, unlike person-to-person trades. And removing trading was by far the easiest solution to implement. But we felt that was a bad choice for users. Another easy choice would have been to require two-factor authentication for trading, but that's bad for the same reasons as removing it entirely. It's important that you can give a friend a TF2 weapon when he comes to try out the game, or give a friend the last trading card she needs to craft a game badge.

We felt that two-factor authentication was secure enough that it would protect anyone who enabled it, so the problem was the accounts that couldn't enable it (e.g. no mobile phone access). In the end, we arrived at the changes we're deploying today:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
  • If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.


This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover it before the hackers can steal their items.

A difficult balance

Once again, we're fully aware that this is a tradeoff with the potential for a large impact on trading. Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products. Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle - a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.

Hopefully this post has given you some insight into the problem, and why we've taken this approach. As always, we'll continue to read the community's discussions throughout the Steam forums and the web at large, and we look forward to hearing your thoughts.
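An added example, not code from Valve's post or from Steam, illustrating the point made above about generic authenticators: a time-based code from a generic app is valid for whatever trade a hijacked PC submits, whereas a confirmation computed over the trade contents the phone displayed only validates that exact trade. The shared secret, the trade fields and the confirmation encoding are constructed placeholders.

```python
"""
Generic TOTP code vs. a confirmation bound to the displayed trade.
Constructed demonstration; not Valve's protocol or code.
"""
import hashlib
import hmac
import json
import struct

SECRET = b"constructed-shared-secret"  # constructed; enrolled on the phone at setup


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter. The code depends on
    time only, so it says nothing about which trade the user meant to confirm."""
    counter = struct.pack(">Q", unix_time // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def canonical_trade(trade: dict) -> bytes:
    """Deterministic encoding so phone and server hash the same bytes."""
    return json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()


def trade_confirmation(secret: bytes, trade: dict) -> str:
    """Confirmation bound to the trade the phone showed the user (constructed
    encoding: HMAC-SHA256 over the canonical trade, truncated for display)."""
    return hmac.new(secret, canonical_trade(trade), hashlib.sha256).hexdigest()[:12]


def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    """Server side for a generic authenticator: only the time-based code is checked;
    the submitted trade is not part of the check at all."""
    return hmac.compare_digest(code, totp(secret, now))


def server_accepts_bound(secret: bytes, submitted_trade: dict, code: str) -> bool:
    """Server side for a trade-bound confirmation: recompute over the trade that
    was actually submitted and compare."""
    return hmac.compare_digest(code, trade_confirmation(secret, submitted_trade))


def simulate(now: int) -> dict:
    """Walk through both schemes on a compromised PC that swaps the trade."""
    # Constructed sample trades: what the user intended vs. what the PC submits.
    intended = {"give": ["trading_card_42"], "receive": ["trading_card_7"], "partner": "friend"}
    swapped = {"give": ["rare_knife"], "receive": [], "partner": "mule"}

    # Generic scheme: the user reads a code off the phone and types it into the PC.
    totp_code = totp(SECRET, now)
    # The PC replaces the trade before submitting; the server has no way to notice.
    generic_accepts_swapped = server_accepts_totp(SECRET, totp_code, now)

    # Bound scheme: the server sends the trade to the phone over its own channel,
    # the phone displays it, and the confirmation covers exactly that content.
    bound_code = trade_confirmation(SECRET, intended)
    bound_accepts_swapped = server_accepts_bound(SECRET, swapped, bound_code)
    bound_accepts_intended = server_accepts_bound(SECRET, intended, bound_code)

    return {
        "generic_accepts_swapped": generic_accepts_swapped,
        "bound_accepts_swapped": bound_accepts_swapped,
        "bound_accepts_intended": bound_accepts_intended,
    }


if __name__ == "__main__":
    print(simulate(1_700_000_000))
```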
 

orava

Member
Sounds good. They are definitely doing this with the support complaints in mind. They are fixing the root of the problem first instead of trying to patch a broken bone with a band-aid. Like they said, the support system is flooded with requests from people who got their accounts closed because the system was not totally idiot proof.
 

Hayvic

Member
orava said:
Sounds good. They are definitely doing this with the support complaints in mind. They are fixing the root of the problem first instead of trying to patch a broken bone with a band-aid. Like they said, the support system is flooded with requests from people who got their accounts closed because the system was not totally idiot proof.

Well

Valve said:
We used to hold the opinion that if you were smart about account security, you'd be protected--it's easy to assume that users whose accounts were stolen were new or technically naïve users who must be sharing their passwords or clicking on suspicious links. That's simply not the case.
 
Glad Valve is finally stepping up and trying to address this. While I myself have not been a victim, item theft and scamming are incredibly commonplace on Steam, and it's been far too easy to commit these acts too. I found out earlier in the year that my 14 year old brother and a friend of his were doing this to people on Steam, and neither of them are even close to what you would call a "hacker" or even just computer savvy.
 

Slavik81

Member
Very nice work by Valve.

I guess my only question is if I can craft with cards traded to me on the last day of an event, even if they are on hold.
 

low-G

Member
That's a lot of information, I'm not seeing anything about being able to manually lock down my account from any trades... I am never gonna trade...
 

Saintruski

Unconfirmed Member
I refuse to use their two-factor app for another reason, as I was going through the steps I was put off...

Give Steam solid YubiKey support and I'll be happy.
 

Envelope

sealed with a kiss
with so many complaints about being hacked/etc you'd think they'd put even a little effort into their garbage customer service :^)
 

Trojita

Rapid Response Threadmaker
Exactly. It needs to be so secure that it can't be misused by anyone. Foolproof? What's the proper term?

The way you wrote your statement it sounded like they weren't applying band-aids all this time. This has been an open wound for awhile. They aren't "starting out" by going to the root of the problem first.
 

Hari Seldon

Member
Saintruski said:
I refuse to use their two-factor app for another reason, as I was going through the steps I was put off...

Give Steam solid YubiKey support and I'll be happy.

Yeah the YubiKey is what I use for gmail and it works great. I get text messages as a backup when I don't have it.
 

heyf00L

Member
So what is the problem? Are accounts being hacked? With Steam Guard that means email accounts are being hacked. That seems difficult. But it also sounds like people are being tricked into making bad trades.
 

Bowdz

Member
Valve said:
Here's the tradeoff

At this time, most people have not protected their account with this increased level of security. Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authorization. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone.

So what if instead of trying to prevent hackers from being able to steal a Steam account that hasn't enabled two-factor authentication, we tried removing their ability to profit from the theft. If hackers couldn't move the stolen goods off the hacked account, then they couldn't sell them for real money, and that would remove the primary incentive to steal the account. Hackers fundamentally rely on trading to offload stolen goods. The Steam Community Market doesn't work well for that purpose, because purchases can't be moved around as quickly (purchased items can't be traded for 7 days), and they can't ensure the items move to an account they control.

One option proposed was to simply remove trading. The Steam Market already accounted for the vast majority of virtual goods exchanged by Steam users. We even generate revenue off those transactions, which helps cover the cost of fraud, unlike person-to-person trades. And removing trading was by far the easiest solution to implement. But we felt that was a bad choice for users. Another easy choice would have been to require two-factor authentication for trading, but that's bad for the same reasons as removing it entirely. It's important that you can give a friend a TF2 weapon when he comes to try out the game, or give a friend the last trading card she needs to craft a game badge.

We felt that two-factor authentication was secure enough that it would protect anyone who enabled it, so the problem was the accounts that couldn't enable it (e.g. no mobile phone access). In the end, we arrived at the changes we're deploying today:
  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
  • If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.


This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover it before the hackers can steal their items.

MY GOD.

HL3 confirmed
 
Someone got my mom's info somehow and charged $975 to her card in a day so glad to hear they're taking steps to address it. Took them two days to even respond so that's definitely something they need to work on.
 

Stumpokapow

listen to the mad man
Valve continues to screw over Windows Phone users.

Ideally they would support Windows Phone, but was app support part of your purchasing decision? Like, the trade off with Windows phone is that you get a Windows Phone, but in exchange you get a Windows Phone. I bought one as a spare phone in 2011ish and weak app support was a problem then and it's still a problem.

It's kinda like how ideally more companies would port games to Linux, but if you choose to use Linux as your only OS then you know you're giving up access to many games
 

Zafir

Member
The problem is the android Steam app is utter rubbish. I wouldn't mind using mobile authentication otherwise.
heyf00L said:
So what is the problem? Are accounts being hacked? With Steam Guard that means email accounts are being hacked. That seems difficult. But it also sounds like people are being tricked into making bad trades.

Possibly an issue for users who have the same password for both?
 

Trojita

Rapid Response Threadmaker
Stumpokapow said:
Ideally they would support Windows Phone, but was app support part of your purchasing decision? Like, the trade off with Windows phone is that you get a Windows Phone, but in exchange you get a Windows Phone. I bought one as a spare phone in 2011ish and weak app support was a problem then and it's still a problem.

It's kinda like how ideally more companies would port games to Linux, but if you choose to use Linux as your only OS then you know you're giving up access to many games

I don't think many Steam Windows Phone users expected to not be able to use a service conveniently because of the phone type they have.
 

Nzyme32

Member
Appreciate the candidness of such a statement and explanation for all the issues people have been concerned about, but god damn at those numbers. I never really thought how much a bunch of virtual item economies and trading make Steam such a massive target for full on fraud and scams targeting many people.

Zafir said:
The problem is the android Steam app is utter rubbish. I wouldn't mind using mobile authentication otherwise.

Not sure if you are talking about what it is like now, but I'm perfectly happy with it now since they updated it a few months back. Can't complain at all. Similarly happy with the Battle.net authenticator, though it would be helpful if they also used a push notification to display the authentication code on the lock screen for the sake of speed
 

Roshin

Member
Well, my Steam account is massive now and getting hacked would kill me, so I need all the protection I can get.
 

jshackles

Gentlemen, we can rebuild it. We have the capability to make the world's first enhanced store. Steam will be that store. Better than it was before.
Stumpokapow said:
Ideally they would support Windows Phone, but was app support part of your purchasing decision? Like, the trade off with Windows phone is that you get a Windows Phone, but in exchange you get a Windows Phone. I bought one as a spare phone in 2011ish and weak app support was a problem then and it's still a problem.

It's kinda like how ideally more companies would port games to Linux, but if you choose to use Linux as your only OS then you know you're giving up access to many games

Well in addition to Windows Phone users getting screwed over, several cell phone carriers are as well. Basically, anything that uses VOIP.

My only phone uses Freedompop. Valve simply refuses to send an SMS to this phone. As such, I'm not able to completely set up the mobile authenticator nor am I able to secure my Steam account with a phone number. I don't have an alternative number or device and I'm not willing to pay for one. I also don't do any trading or have any high value items in my inventory, but I'm in a unique position where I get several attempts at my account on a daily basis so the extra protection this affords would be welcome. Obviously I didn't think things like this would be a hindrance when choosing a cell phone provider.

I'm glad they were able to come up with some solution though, rather than shutting down trading completely.
 

purdobol

Member
It's good that they're increasing security measures. But for the most part accounts being hijacked and trade scams are users' fault. And no amount of protection will be enough. Users don't like or don't have the time (I guess) for technical stuff. And phishing to this day is the best and easiest way to "hack" something. Or get useful information.

Mobile authenticators are okay I guess but there are problems that come with it. Omitting the fact that mobiles are one of the least secure devices. Good thing you don't need one to log in (if I understand this correctly) and is just needed for trades. Otherwise it may lead to situations like phone being stolen and the only way to log in to an account is by contacting the support and proving that you are who you are.

Am I the only one who is bothered that almost every bigger site/service nowadays wants my phone number in addition to other personal data?
 

itxaka

Defeatist
Valve said:
Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.

Ummm, I don't think that's how it works, Valve, no.

The generic part is because of how it works, not that it is less secure or easier to hack lol.
 
I still think these issues really could more conveniently be solved by better support.

When an account is hijacked, it shouldn't take a month or more to get it back. Nearly every other account system on the planet can be shut down and back in the victim's hands, in under 24 hours, sometimes in less than an hour.

At this point, a lot of the changes Valve adds appear to be just things to buy time while they wait for support to get back. To delay as much harm as possible, so Valve has enough time to react. And even with these measures in place, they still don't react fast enough.

I have a feeling within the next year or two, Valve is going to hit a breaking point for their lack of support. Eventually these band-aid fixes for the larger problem aren't going to work anymore.
 

Phinor

Member
I still think these issues really could more conveniently be solved by better support.

When an account is hijacked, it shouldn't take a month or more to get it back. Nearly every other account system on the planet can be shut down and back in the victim's hands, in under 24 hours, sometimes in less than an hour.

At this point, a lot of the changes Valve adds appear to be just things to buy time while they wait for support to get back. To delay as much harm as possible, so Valve has enough time to react. And even with these measures in place, they still don't react fast enough.

I have a feeling within the next year or two, Valve is going to hit a breaking point for their lack of support. Eventually these band-aid fixes for the larger problem aren't going to work anymore.

77000 hijacks a month is the number they quoted. That's not something you just fix by adding more people on the support team. That's a huge number. That's nearly a million account recoveries a year. If you don't do anything concrete to fight the issue, the problem only keeps growing.
 

Zafir

Member
Nzyme32 said:
Appreciate the candidness of such a statement and explanation for all the issues people have been concerned about, but god damn at those numbers. I never really thought how much a bunch of virtual item economies and trading make Steam such a massive target for full on fraud and scams targeting many people.

Not sure if you are talking about what it is like now, but I'm perfectly happy with it now since they updated it a few months back. Can't complain at all. Similarly happy with the Battle.net authenticator, though it would be helpful if they also used a push notification to display the authentication code on the lock screen for the sake of speed

I had a load of issues with it. It kept forgetting my login details for one. Not to mention the chat doesn't work most of the time.

Edit: It's worth noting because of those issues I just stopped using it completely. It's possible that it may have improved in the last monthish.
 
Phinor said:
77000 hijacks a month is the number they quoted. That's not something you just fix by adding more people on the support team. That's a huge number. That's nearly a million account recoveries a year. If you don't do anything concrete to fight the issue, the problem only keeps growing.

The same methods used to hack into people's accounts are working for Steam Mobile as well.

Post a fake download link to Skype or something, they download it, now they have your account.

It was implemented less than a few days and already hackers have figured out a way around it.

A stronger support team would mean those hacks made within the first 7 days couldn't do anything. If support handled the hack within 7 days, then the hacker gains nothing. If phishing and hacking get less and less profitable, you'd get fewer and fewer hackers/phishers.

Right now it's too easy. Send a bunch of fake downloads to a bunch of people, grab any you can get, then use their friends' trust to grab some more and then you have a million accounts a year that were phished.

I think they should

- Keep the 7 day trade ban on new computers
- Ensure Steam Support can handle hijacks within 7 days
- Give every user a unique URL that can be used to force their Steam account to shut down completely until support can retrieve it.

I don't really know much about security, so this is mostly coming from me as a consumer and what I'd want and "tolerate" for security.

As it stands, I don't trade anymore. I barely buy from the market anymore. I don't even spend much money in TF2 or Dota 2 anymore. I used to drop hundreds on the market and Valve's F2P games, now with all the trade restrictions and stuff like that, I just don't bother. If Valve wants me to play their lotteries, they better allow me to offload my junk conveniently, or I'm not putting money into the system.

They have a serious problem, but destroying their lucrative trading market to handle the issue seems counter productive. It was their trade market that made Steam accounts so valuable in the first place.
 

RedToad64

Member
Stumpokapow said:
Ideally they would support Windows Phone, but was app support part of your purchasing decision? Like, the trade off with Windows phone is that you get a Windows Phone, but in exchange you get a Windows Phone. I bought one as a spare phone in 2011ish and weak app support was a problem then and it's still a problem.

It's kinda like how ideally more companies would port games to Linux, but if you choose to use Linux as your only OS then you know you're giving up access to many games

How was I supposed to know that owning a Windows Phone would add a large amount of inconvenience to Steam... a service that has nothing to do with smartphones.

Steam is the only thing missing from Windows Phone for me.
 
Stumpokapow said:
Ideally they would support Windows Phone, but was app support part of your purchasing decision? Like, the trade off with Windows phone is that you get a Windows Phone, but in exchange you get a Windows Phone. I bought one as a spare phone in 2011ish and weak app support was a problem then and it's still a problem.

Is this supposed to be a counterpoint? You could apply similar reasoning to almost any complaint:

Like Nintendo games, but not happy with 3rd party support on Nintendo platforms? Shouldn't have bought a Wii U. Like iPhone but wish it had widgets? Should have bought Android. And so on.
 
Stumpokapow said:
Ideally they would support Windows Phone, but was app support part of your purchasing decision? Like, the trade off with Windows phone is that you get a Windows Phone, but in exchange you get a Windows Phone. I bought one as a spare phone in 2011ish and weak app support was a problem then and it's still a problem.

It's kinda like how ideally more companies would port games to Linux, but if you choose to use Linux as your only OS then you know you're giving up access to many games

This sounds like victim blaming to me, stump. For shame.

WP enjoys somewhere between a 2 and 4% marketshare globally depending on which source you look at but is much higher in some markets like Germany (closer to 10%) and India (12%). It's no giant but it's bigger than Linux is for PCs (especially if you're counting Linux in the home / office rather than use as a server or government supercomputer or something) and the effort in porting an authenticator app is a bit different than porting a game engine, like orders of magnitude less complex. Community members have actually brought out their own authenticator as of like a day ago for Windows Phone 10, but Valve will probably get it pulled because that's how they roll.
 
Stumpokapow said:
Ideally they would support Windows Phone, but was app support part of your purchasing decision? Like, the trade off with Windows phone is that you get a Windows Phone, but in exchange you get a Windows Phone. I bought one as a spare phone in 2011ish and weak app support was a problem then and it's still a problem.

It's kinda like how ideally more companies would port games to Linux, but if you choose to use Linux as your only OS then you know you're giving up access to many games

Given the primary purpose of this change is for security I would've hoped Valve would take the initiative to be as inclusive as possible.
 