Slashdot Mirror


Steam Escrow System Drives Impatient Users To Fake Trading Sites Serving Malware (malwarebytes.org)

An anonymous reader writes: On Wednesday, Valve introduced a new "trade hold" system that should prevent scammers from stealing items from Steam users' hijacked accounts, or at least minimize the occurrence of such incidents. Anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. The system was, understandably, not welcomed by some users, and it didn't take long for scammers to take advantage of this discontent.

88 comments

  1. Did the Submitter have a Stroke? by bigdady92 · · Score: 3, Funny

    The title sounds like someone had a seizure during submission and mashed words into sentences.

    --
    Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
    1. Re:Did the Submitter have a Stroke? by Anonymous Coward · · Score: 0

      Maybe you're just retarded.

    2. Re:Did the Submitter have a Stroke? by Anonymous Coward · · Score: 1

      (The new) Steam escrow system [is driving] impatient users to [imitation] trading sites (that are) serving malware.

      Not exactly a Garden Path, but has some elements of one.

    3. Re:Did the Submitter have a Stroke? by bigdady92 · · Score: 2

      Bad AC, you must do much better with your Snarkiness and come up with a better response than "UR RETARDED"

      We expect better out of our Anonymouse Posters

      --
      Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
    4. Re:Did the Submitter have a Stroke? by Anonymous Coward · · Score: 0

      Maybe you're Donald Trump.

    5. Re:Did the Submitter have a Stroke? by Anonymous Coward · · Score: 0

      "Not a garden path" means it's not misleading, and for someone to take such an exception with headlines in general (especially this one, which is quite precise in its wording) shows a remarkable lack of experience with reading headlines.

      Actually, I have never heard the phrase 'garden path sentence' before because if people know how to communicate, the phenomenon simply does not exist except as a transitory misunderstanding (and not at all in the case of this headline)

      In any case, I don't think the submitter was having a stroke and mashing keys, except maybe Ctrl+V as they completely plagiarized the headline from the second linked article.

  2. Well, I did learn something by NotDrWho · · Score: 2, Informative

    Apparently Steam has a trading feature, which exists for some reason. You can't use it for selling used games. It's only for "gifting" games and digital items.

    Nope, no one could have foreseen that a system like that would be catnip for hackers and scammers.

    And they wonder why I won't give them my credit card number.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Well, I did learn something by Gr8Apes · · Score: 2

      And they wonder why I won't give them my credit card number.

      I don't give anyone online my real CC, virtual numbers only, thank you.

      --
      The cesspool just got a check and balance.
    2. Re:Well, I did learn something by gstoddart · · Score: 1

      I'll broaden that to pretty much the entire intertubes ... as much as it's a useful thing, it's also full of shady players who are trying to make a buck.

      From the ad agencies to people trying to sell me in-app purchases, I pretty much don't trust any of them to have any financial impact on me ... because I assume they're either all crooked, or are likely to be hacked.

      I pretty much start with the default position of assuming everything on the internet is sketchy these days, and only enable the bare minimum of trust I need to make something work if it actually has benefit to me and is an entity who is fairly likely to be somewhat safe to trust a little.

      But my credit card? Not happening.

      --
      Lost at C:>. Found at C.
    3. Re:Well, I did learn something by Anonymous Coward · · Score: 3, Insightful

      Doesn't matter if you give them out or not to the ad agencies. This Monday I was browsing the menu of a local take out restaurant that I had never used before and decided to pass because of their prices. By Thursday (yesterday) there was an ad postcard in the mail with my full name on it (not simply addressed to resident) and I'm running Firefox locked down with Ghostery and NoScript allowing cookies for session only and disallowing any 3rd party cookies. Another case in point: I dropped my insurance Assurant to switch to Obamacare this fall and since then I've had over a dozen cold calls from insurance agents spanning across the country saying they recently heard I canceled my insurance and trying to scare me into getting their insurance instead.

      I FUCKING HATE THE SPYING / ADVERTISING OUR WORLD HAS DEGENERATED INTO

    4. Re:Well, I did learn something by Anonymous Coward · · Score: 1

      And they wonder why I won't give them my credit card number.

      I don't give anyone online my real CC, virtual numbers only, thank you.

      Get with the times, I've switched to giving out imaginary numbers.

    5. Re:Well, I did learn something by Anonymous Coward · · Score: 2, Interesting

      Geesh, loosen your tinfoil hat a little. If you own your own home, your name and address are on the public record. It's not that hard for a restaurant (or anyone else) to get names tied to addresses and target a neighborhood. I'd be willing to bet that several of your neighbors got similar cards that same day.

    6. Re:Well, I did learn something by RogueyWon · · Score: 5, Interesting

      These digital item trading systems which allow items to be redeemed for real money are, when linked to otherwise-useful gaming account systems, an absolute plague. They're the worst kind of incentive to spamming, scamming and outright criminality.

      It's not just limited to Steam. If you look over at Xbox Live, you'll find there have been (and to some extent continue to be) serious issues there, despite there only being a single game series that allows these kinds of trades (FIFA Ultimate Team).

      It's a funny thing; everybody knows about the Sony PSN hack. And yet very few people ended up actually being inconvenienced by that hack, save for the inconvenience of the PSN being down for a few months. What's not widely known is that there have been a number of less eye-catching but more severe compromises of Xbox Live security in recent years. The most serious exploit involved a flaw in Microsoft's phone-support protocols. It got very little publicity, because it doesn't fit with the media's perception of what a "hack" looks like, but it hit an awful lot of accounts and resulted in an awful lot of fraudulent credit card transactions.

      And why were the scammers doing this? Mostly, it turned out, so that they could purchase and then monetise FIFA Ultimate Team trading items. Ordinarily, there was no means to get money "out of" the Xbox Live system. So you could compromise somebody's account and use it to buy games or DLC, but you couldn't sell these on and once the original owner got their account back, you were left with nothing to show for your efforts. FIFA changed all of that and created a pretty large industry in compromising XBL accounts. Worse, besides keeping a constant eye on their account, there was nothing at the time that users could do to protect themselves; there was no need to get people to divulge a password or click a dodgy link - the scammers were going straight to MS's flawed support services.

      Back over on the PC, Valve have been very slow in waking up to the issue of compromised accounts. I suspect it's only the growing prospect of a number of countries' consumer protection authorities taking enforcement action against them that's prompted this recent action. The option they've gone for is slow and over-burdensome. I was disappointed to read in their statement announcing it that they had considered but rejected the idea of just scrapping these trades. Sadly, given they cream off a good chunk of each transaction, that was too much to hope for. But for as long as it is possible to launder money out of Steam, large-scale attempts to illegally access accounts will continue.

    7. Re:Well, I did learn something by Somebody+Is+Using+My · · Score: 4, Informative

      Ummm... I hate to break it to you, but the verb form of "gift", as in "bestow a gift", dates back to the 16th century. It's not a modern or American usage; it is a long-recognized usage of the word.

      And now back to our regularly scheduled programming...

    8. Re:Well, I did learn something by PopeRatzo · · Score: 1

      One of those nauseatingly cutesy Americanisms that makes me want to tell people I'm Canadian.

      We tell people you're Canadian, too.

      --
      You are welcome on my lawn.
    9. Re:Well, I did learn something by Anonymous Coward · · Score: 0

      That wasn't an example, but a definition of the word 'gift' as a verb.

    10. Re:Well, I did learn something by KGIII · · Score: 2

      Well, that's rational.

      --
      "So long and thanks for all the fish."
    11. Re:Well, I did learn something by KGIII · · Score: 1

      This is two weeks without a mid-day SJW thread! You're gonna have way too much blood in your alcohol system if Slashdot keeps this up. I, for one, am disappointed.

      --
      "So long and thanks for all the fish."
    12. Re:Well, I did learn something by Anonymous Coward · · Score: 1

      That is actually the definition example for gift as a noun... They are right, in that sentence "bestow" is the verb and gift is the noun.

    13. Re:Well, I did learn something by Barefoot+Monkey · · Score: 2

      I don't know. It all sounds rather complex.

    14. Re:Well, I did learn something by KGIII · · Score: 2

      Now you're just going off on a tangent!

      --
      "So long and thanks for all the fish."
    15. Re:Well, I did learn something by phorm · · Score: 1

      Also for trading in-game items, such as DOTA2 "loot", which to some may have a monetary value if it's a rare, etc.
      There's been lots of scams trying to trick people out of their loot, etc. Often these may be done by somebody who hacks an account to sell somebody else's stuff, does a trade, and quick trades/sells off the valuable stuff again. This is why they put the delay in there in the first place for those that aren't using extra measures to protect their account(s).

    16. Re:Well, I did learn something by Samantha+Wright · · Score: 1

      That, again, is a definition and not an example! Top shelf reading comprehension.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    17. Re:Well, I did learn something by Samantha+Wright · · Score: 2

      ...Did a dictionary shoot your parents or something? That's not how language works. Conversion is one of the most common forms of vocabulary formation in many languages, and English is no exception. Your idiolect is non-standard if it doesn't permit "gift" as a verb, and you certainly don't speak for all of Canada! If you absolutely must complain about a verbified noun, try "impact." It's a much more popular point of contention for pedants.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    18. Re:Well, I did learn something by Anonymous Coward · · Score: 0

      One of those nauseatingly cutesy Americanisms that makes me want to tell people I'm Canadian.

      What are you on aboot?

    19. Re:Well, I did learn something by Anonymous Coward · · Score: 1

      The world has still degenerated into an advertising quagmire - even if they didn't have to spy.

    20. Re:Well, I did learn something by Anonymous Coward · · Score: 0

      Giggity giggity goo! Oh yeah!

      . . . did somebody call my name?

    21. Re:Well, I did learn something by Anonymous Coward · · Score: 0

      They did not get similar cards. I know this because our regular mail lady is smart enough to take her vacation this time of year and the temp replacement has been giving our mail to the neighbors and vice versa. My neighbor is a teacher with no social life so restaurants are not soliciting her.

    22. Re:Well, I did learn something by radarskiy · · Score: 1

      Ummm... I hate to break it to you, but the verb form of "gift", as in "bestow a gift", dates back to the 16th century. It's not a modern or American usage; it is a long-recognized usage of the word.

      And now back to our regularly scheduled programming...

      That can't be right, America didn't even exist then! ;-)

    23. Re:Well, I did learn something by ls671 · · Score: 1

      You understand that you are completely outside of the real realm don't you?

      --
      Everything I write is lies, read between the lines.
    24. Re:Well, I did learn something by ls671 · · Score: 1

      Natural numbers are complex too...

      http://www.mathsisfun.com/sets...

      --
      Everything I write is lies, read between the lines.
    25. Re:Well, I did learn something by Anonymous Coward · · Score: 0

      Huh, I've been getting these emails to my outlook account for a guy who has been buying hundreds of dollars of FIFA points- I figured it was a mistake and reported it to Microsoft (no response naturally) but didn't realize it was a scam.

  3. Item trading bought me a game on sale. by truck_soccer · · Score: 5, Insightful

    Anyone stupid enough to trade STEAM ITEMS through any service that isn't STEAM gets no sympathy. Are people getting dumber or am I getting less tolerant?

    1. Re:Item trading bought me a game on sale. by gstoddart · · Score: 1

      Are people getting dumber or am I getting less tolerant?

      It can be two things! ;-)

      Of course, the reality is accessing the internet is far easier than understanding the security issues, since people don't seem to be paranoid enough by default. Far too many people just think "oh, it's the internet, it's a warm and inviting place".

      Anything which can be scammed, will be scammed. The internet just magnifies this by a zillion.

      If people had to be as paranoid in real life as they need to be on the internet, they'd never leave the house.

      --
      Lost at C:>. Found at C.
    2. Re:Item trading bought me a game on sale. by mattventura · · Score: 2

      What's happening is Valve has done a 180. The entire reason they introduce certain features (such as the market) is to provide an official, difficult-to-get-scammed way of doing things so that people won't have to go to untrustworthy third parties.

      But then, they started implementing more and more restrictions on these things. e.g. the only way to trade certain things is to "gift" them which is a one-way transaction where the only guarantee that the other party will actually follow through is the word of an anonymous stranger on the Internet. The best way to reduce the amount of scamming is by not forcing users to third party or other seedy methods of trading to begin with.

      You already had to be a complete and utter moron to actually get scammed. It doesn't matter how idiot-proof they make it, someone will make a better idiot.

      Also, another reason why there's so much scamming on services like Steam is that while the amount of money you'd get would be considered less than peanuts in any first world country, in other places it might amount to something decent. So as technology spreads, you get more online petty theft.

    3. Re:Item trading bought me a game on sale. by Zontar+The+Mindless · · Score: 1

      Are people getting dumber or am I getting less tolerant?

      It can be two things! ;-)

      Well, he used "or" and not "xor", so that's a given. :D

      --
      Il n'y a pas de Planet B.
    4. Re:Item trading bought me a game on sale. by tepples · · Score: 3, Interesting

      It depends on whether people are likewise stupid enough to spend $1000 over the course of two years on replacing their current phone with an Apple or Google phone just to be able to trade items in a timely fashion.

      I've gathered from the instructions page and the FAQ page that the authenticator requires an iPhone with a valid cellular subscription or an Android Phone with Google Play with a valid cellular subscription. As far as I can tell based on these pages, the authenticator cannot* be obtained on Android devices without Google Play, such as devices running Amazon Fire OS or Replicant OS. The authenticator does not work on devices running Windows Phone, on feature phones, or on landlines. Based on repeated references to phone numbers, it is unclear whether the authenticator works on tablets or on phones with an expired cellular subscription. How many people are willing to buy an iPhone or an Android phone with Google Play just to confirm item trades?

      * Lawfully.

    5. Re:Item trading bought me a game on sale. by Anonymous Coward · · Score: 0

      "where the only guarantee that the other party will actually follow through is the word of an anonymous stranger on the Internet."

      You lost me. I've not had this problem. Because I don't gift things to anonymous strangers on the Internet. I gift things to friends and people I know and trust. If you're talking about those dumb steam trading cards a) Why the hell does anybody care about those and b) If you trade one and somebody doesn't trade one back, you're not actually out anything. Play a little more and you'll get another one. I seem to recall to encourage community they made it that you can only unlock 3 by playing and have to trade for the rest, but that's 3 types, you can get multiples of the three types you unlock.

    6. Re:Item trading bought me a game on sale. by mattventura · · Score: 1

      No, I'm talking about certain items (usually in-game items) that can't be traded, but can be gifted once. Thus the only way to actually trade (i.e. get something in return) is by arranging to gift each other the items.

    7. Re:Item trading bought me a game on sale. by malditaenvidia · · Score: 1

      Shit, I still remember when Valve was a games developer. They were damn good, too.

    8. Re:Item trading bought me a game on sale. by Anonymous Coward · · Score: 0

      Here in the USA a valid Google Play phone with cellular service can be gotten for $40.

    9. Re:Item trading bought me a game on sale. by tepples · · Score: 1

      Here in the USA a valid Google Play phone with cellular service can be gotten for $40.

      $40 per what time period?

    10. Re:Item trading bought me a game on sale. by U2xhc2hkb3QgU3Vja3M · · Score: 1

      I tried to switch to the Steam Guard Mobile Authenticator, however two things prevented me from choosing this option:

      1. As you say, it requires cellular service. For devices that can communicate directly with servers via Wi-Fi, this is a stupid design decision.

      2. This option requires you to use the Steam Guard Mobile Authenticator every time you log in, vs the email option which is only required if you log in from a new system or a new location.

    11. Re:Item trading bought me a game on sale. by Anonymous Coward · · Score: 0

      I'm a different AC, but last winter I got an LG Fuel phone from tracfone for $30, and then it's $20 for 3 months service. 3.5" screen and Android 4.4 and Google Play. So it is possible to get a cheap phone that will work with this Steam thingie. I use wifi for data, so the $20 refill really does last 3 months.

    12. Re:Item trading bought me a game on sale. by tepples · · Score: 1

      But does authenticator use count against your received SMS allowance? If so, how many text messages does TracFone allow you per $20?

    13. Re:Item trading bought me a game on sale. by Bing+Tsher+E · · Score: 1

      It probably blocks non-subscription cell phones. I use Virgin Mobile and I was unable to register my cellphone number as an 'activation number' with Blizzard. You have to place your balls in a Mobile Provider's vice and promise to keep them there for a 1-2 year contract.

  4. Hold system is ridiculous by LanMan04 · · Score: 3, Informative

    My son plays TF2 and doesn't have a cellphone yet (11 years old).

    If I want to send him something from my account, it takes THREE DAYS because we "haven't been friends for a year" yet. Even if we had been friends for that long, it would take a full 24 hours because he doesn't have the "mobile authenticator". Every time. He doesn't even have a phone, you jackasses!

    And now *I* have to have the stupid authenticator turned on if I want to trade with randoms on the internet. Dude, my account is secure! I get email notifications of trades, which show up instantly on my phone.

    It's way way way overkill, with no way to opt out. Sucks.

    --
    With the first link, the chain is forged.
    1. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      And also, for a user who has been with them for 8 years, they somehow have decided that since I have not purchased anything from them for a year, I am no longer allowed to sell market items anymore. I have been adding games from HumbleBundle as recently as 3 months ago, but nope, that does not count. I must purchase something directly from them for the privilege to use their market now...

    2. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      Sure you can. If Steam gets too onerous, you can always walk away from your account and use something else. Most people won't do that if they have a significant amount of games on the service, which is what Valve is counting on. In fact, the more games you have, the less likely you are to just abandon your account for something else.

    3. Re:Hold system is ridiculous by BenJeremy · · Score: 3, Insightful

      I understand your frustration, but something had to be done. My son had his account stolen. It took us over a week to get it back, and in the meantime, the scammer who tricked my son into giving up his password (I tried to teach him better beforehand, but at least his experience means he actually listens to me now) and took over his account sold it to some Russian kid, who was probably out a bit of cash when the account was returned (my son's account had over 600 games at the time).

      He didn't have anything in his inventory worth trading out, at least... there wouldn't have been anything left if there was. With this system, at least that wouldn't have been as much of a worry.

      The authenticator is a fine system. You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator; no need for a cell phone these days. It's never too early to take measures that can enhance your son's security now, and even better when such measures can be carried with him for the rest of his life, too.

      I hope Steam also improves the way they handle account thefts - it would be a simple thing to check logs against IPs and international locations to see fishy activity once a complaint is raised and act immediately to, at least in the short term, freeze the account until things get sorted. From Day One Steam has not allowed the trading or sale of Steam Accounts in their TOS, so a user suddenly changing names and accessing an American account from Russia should raise a red flag that is easy to spot by the system. Likewise, actions like trying to trade out all the items in the inventory should also signal a possible fraudulent activity. There are probably a good dozen automated ways Steam could detect potential account theft and squash it without ever inconveniencing the customer.

    4. Re:Hold system is ridiculous by tepples · · Score: 1

      You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator

      This won't work if the SMS verification backend used by Steam is one of the several that explicitly block non-cellular SMS numbers because they have been "abused" in this manner.

      it would be a simple thing to check logs against IPs and international locations

      Which opens up the "I can't play games while on vacation or a business trip. Is Steam region locked?" debate if not carefully thought out.

    5. Re:Hold system is ridiculous by wbr1 · · Score: 2

      Simple solution. Have his mobile authentications go to YOUR phone, or to a Google Voice number you control. On personal machines he should stay logged in and not have to use it and bother you but rarely.

      --
      Silence is a state of mime.
    6. Re:Hold system is ridiculous by edtice1559 · · Score: 1

      I'm pretty sure that you can use Google Voice as a mobile authenticator.

    7. Re:Hold system is ridiculous by LanMan04 · · Score: 1

      Fair enough, I suppose.

      I just wish there was a "I really know what I'm doing, and sign away all recourse, I don't want to use this thing" button. :)

      --
      With the first link, the chain is forged.
    8. Re:Hold system is ridiculous by LanMan04 · · Score: 1

      Oh! I thought it *had* to be the smart phone app. I wouldn't mind getting the code via SMS I suppose.

      --
      With the first link, the chain is forged.
    9. Re:Hold system is ridiculous by hairyfeet · · Score: 1

      Uhhh you don't have any family or friends with a smartphone? Your kid cannot wait 3 days for some stupid steam item?

      And people wonder why suckers are getting scammed, see the perfect example of a spoiled impatient user above. As for why? Because email is EASY TO COMPROMISE dumbass, it's a HELL of a lot harder to snatch your phone through the Internet.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    10. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      Wait for a sale and buy something for a dollar.

    11. Re:Hold system is ridiculous by LanMan04 · · Score: 1

      Your kid cannot wait 3 days for some stupid steam item?

      I mean, he *could*, but it's unnecessary in my situation. It worked perfectly fine for me for years.

      And people wonder why suckers are getting scammed, see the perfect example of a spoiled impatient user above.

      Fuck you, dude. I'm not spoiled. I'm a grown-ass adult who takes security seriously and has never had a problem with Steam item trading. I've never had an online gaming account of any kind taken over. Ever. This is overkill, at least in my case.

      because email is EASY TO COMPROMISE dumbass, it's a HELL of a lot harder to snatch your phone through the Internet.

      Yes, I am aware that it's much harder to spoof 2-factor auth. But if I submit a trade offer, I *instantly* get an email after pressing the submit button. I then use that email to confirm the trade. Even if someone else was simultaneously accessing my gmail account, I'd still see the email. And of course the zillion alerts from Google that my account is being logged into from Ukraine or wherever...

      Fine, put a 10 minute wait timer on it if you want to. But 3 fucking days? Insanity. At least let me take responsibility for myself and opt out if I want to.

      And please, tell me how my gmail account, with multiple back-up email addresses and recovery options, a frequently-changing password, and takeover alerts out the wazoo, is "easy to compromise". I've only had it for 10+ years and never had an issue...

      --
      With the first link, the chain is forged.
    12. Re:Hold system is ridiculous by BenJeremy · · Score: 1

      You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator

      This won't work if the SMS verification backend used by Steam is one of the several that explicitly block non-cellular SMS numbers because they have been "abused" in this manner.

      Scammers aren't using the SMS to jack the system, but in theory, they could add an SMS once they hijack an account; then again, they could use any SMS, including something keyed off of a burner phone. They can already do that. Blocking SMS services doesn't help Steam fight fraud.

      At least if his son has the authenticator set up through some sort of SMS service, then he at least has more security.

      it would be a simple thing to check logs against IPs and international locations

      Which opens up the "I can't play games while on vacation or a business trip. Is Steam region locked?" debate if not carefully thought out.

      I'm talking about using location in conjunction with sudden account changes, not about where the account is used. Detection has to be tweaked to eliminate such obvious false positives. It's about confirmation and likelihood.
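
The correlation described in BenJeremy's two comments in this thread (an unfamiliar login location taken together with a sudden account change or an attempt to empty the inventory, rather than location on its own) can be sketched as detection logic over account events. This is an added example, not part of any comment and not Valve's code; the event fields, the 48-hour window, the 80% drain threshold, the per-account list of familiar countries and the sample log are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)   # assumed: how long an unfamiliar login stays "recent"
DRAIN_FRACTION = 0.8           # assumed: offering >= 80% of the inventory is a drain


@dataclass
class Event:
    ts: datetime
    account: str
    kind: str                  # "login", "name_change" or "trade_offer"
    country: str = ""          # set on login events
    items_offered: int = 0     # set on trade_offer events
    inventory_size: int = 0    # inventory size when the offer was made


def assess(events, home_countries):
    """Return {account: {"action": ..., "reasons": [...]}} for suspicious accounts.

    "freeze_trades": a name change or inventory drain follows a login from an
                     unfamiliar country within WINDOW (playing is not blocked).
    "review":        an inventory drain with no location change.
    A login from a new country alone (travel) produces no verdict.
    """
    verdicts = {}
    last_foreign = {}  # account -> (timestamp, country) of latest unfamiliar login
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            if ev.country not in home_countries.get(ev.account, set()):
                last_foreign[ev.account] = (ev.ts, ev.country)
            continue
        drain = (ev.kind == "trade_offer" and ev.inventory_size > 0
                 and ev.items_offered / ev.inventory_size >= DRAIN_FRACTION)
        if ev.kind != "name_change" and not drain:
            continue  # ordinary small trade, nothing to correlate
        signal = "inventory_drain" if drain else "name_change"
        foreign = last_foreign.get(ev.account)
        if foreign and ev.ts - foreign[0] <= WINDOW:
            v = verdicts.setdefault(ev.account, {"action": "freeze_trades", "reasons": []})
            v["action"] = "freeze_trades"  # upgrade an earlier "review"
            v["reasons"].append(f"{signal} after login from {foreign[1]}")
        elif drain:
            v = verdicts.setdefault(ev.account, {"action": "review", "reasons": []})
            v["reasons"].append("inventory_drain with no location change")
    return verdicts


# --- constructed sample data (not real accounts or logs) ---
T0 = datetime(2015, 1, 1, 9, 0)


def _at(hours):
    return T0 + timedelta(hours=hours)


HOME = {"alice": {"US"}, "bob": {"US"}, "carol": {"CA"}, "dave": {"US"}}
SAMPLE_EVENTS = [
    # alice travels and makes one small trade: no verdict
    Event(_at(0), "alice", "login", country="US"),
    Event(_at(24), "alice", "login", country="DE"),
    Event(_at(25), "alice", "trade_offer", items_offered=1, inventory_size=40),
    # bob: unfamiliar login, rename, then nearly the whole inventory offered
    Event(_at(2), "bob", "login", country="RU"),
    Event(_at(2.2), "bob", "name_change"),
    Event(_at(3), "bob", "trade_offer", items_offered=57, inventory_size=60),
    # carol empties her inventory from her usual location: review only
    Event(_at(5), "carol", "login", country="CA"),
    Event(_at(6), "carol", "trade_offer", items_offered=20, inventory_size=20),
    # dave renames five days after a trip: outside the window, no verdict
    Event(_at(1), "dave", "login", country="BR"),
    Event(_at(121), "dave", "name_change"),
]

if __name__ == "__main__":
    for account, verdict in sorted(assess(SAMPLE_EVENTS, HOME).items()):
        print(account, verdict["action"], verdict["reasons"])
```
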

    13. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      They're probably reluctant to provide that option because the first thing a scammer would do is ask them to click that button, and stupid people would.

      I still want it, though.

    14. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      For what it is worth, you can regularly get Android phones new without contract (in the US) for under $20. They are locked to a really crappy carrier, but if you're just using it as a mini tablet (paired with Google Voice for texting), they work great (my kids have them).

      Anon to not undo moderations - there have been several good posts on this thread :)

    15. Re:Hold system is ridiculous by tepples · · Score: 1

      I imagine that the Gmail accounts of a lot of people not named LanMan04 are so "easy to compromise". For example, do most people subscribe to multiple email services through which they can obtain "multiple back-up email addresses"? And how are you going to respond to a takeover alert while you are in bed?

    16. Re:Hold system is ridiculous by edtice1559 · · Score: 1

      Sorry you do have to have an Android device to run the app. But from what I can tell, it doesn't need to be running on a phone. I'll try it out and let you know. I have an old Nexus 6 with no SIM card for a perfect test.

    17. Re:Hold system is ridiculous by LanMan04 · · Score: 1

      I understand your point. I just want a "I know what I'm doing and accept the risk, now fuck off" button so I don't have to use the authenticator.

      That's all.

      --
      With the first link, the chain is forged.
    18. Re:Hold system is ridiculous by PopeRatzo · · Score: 1

      If I want to send him something from my account, it takes THREE DAYS because we "haven't been friends for a year" yet.

      Not, THREE DAYS! My god, how does he survive?

      --
      You are welcome on my lawn.
    19. Re:Hold system is ridiculous by phorm · · Score: 1

      OH NOES, he has to wait for gifted items a whole three days. Add the f'ing authenticator to a device you own, or if he has an iPod etc you can use that too so long as the initial SMS (during setup) goes to a mobile device.

      Your son not getting a few TF2 items is much less an issue than the account hacks, fraud, and scams that were going on before this (which is why they made the change in the first place).

    20. Re:Hold system is ridiculous by tepples · · Score: 2

      I just want a "I know what I'm doing and accept the risk, now fuck off" button

      I'm under the impression that some countries' consumer protection statutes and some payment processors' terms of service forbid companies to offer such a button because scammers are likely to trick marks into clicking it.

    21. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      I've seen things on sale in the last couple months for 19 cents each, and they weren't DLC.

    22. Re:Hold system is ridiculous by rahvin112 · · Score: 1

      a user suddenly changing names and accessing an American account from Russia should raise a red flag that is easy to spot by the system.

      So if you travel with your computer you will be immediately locked out of your Steam account for x number of days.

    23. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      it would be a simple thing to check logs against IPs and international locations to see fishy activity once a complaint is raised and act immediately to, at least in the short term, freeze the account until things get sorted..

      Why would the freeze be needed? Steam has full control over its "world". If there is a complaint, they can undo the transaction. Virtual items can be taken back. Problem solved, and whoever bought from a scammer deservingly lost his money.

    24. Re:Hold system is ridiculous by mattventura · · Score: 1

      The stupid part of the whole thing is that I already had a mobile authenticator: it sends the code to my email and I can read the email on my phone. Hell, it's a lot easier and faster to open the always-running-in-the-background mail app than find the Steam app, wait for it to load, and get the code from it.

    25. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      That's what I am planning to do now. I had no idea that there was a limitation in the first place...

    26. Re:Hold system is ridiculous by Gadget_Guy · · Score: 1

      I got something in October for 2 cents. Amazingly the trading cards have kept their value too. I guess that it is time for me to go play a crappy game!

    27. Re:Hold system is ridiculous by Anonymous Coward · · Score: 0

      No, if you travel with your computer you will be immediately locked out of trading for x number of days. Unless you use the Authenticator.
      Steam doesn't want to stop people playing the games on a compromised account, only monetizing it.

  5. Trading is dead to me by Anonymous Coward · · Score: 0

    What it boils down to is simple: I don't bother trading anymore. It's become too much hassle, or it forces me to disclose even more information to Valve that I don't want to in order to decrease that hassle (e.g., my mobile phone number). I can't even give away stuff anymore without jumping through more and more hoops? Fine. I don't.

    I know Valve is trying to deal with innocent users who have lost their stuff due to malware or other techniques, but I don't have much sympathy for people who download random programs to "enhance" trading and are surprised when they get scammed/phished. I appreciate that Valve has to do their best for their customers, but at some point people have to take responsibility for their own mistakes. I mean, how is Valve certain that the person who was "scammed" wasn't willingly doing something stupid in the knowledge they could pass all their stuff off to a scammer and then get it all back again? The "victim" could be in on it.

  6. A problem of Valve's own creation by timrod · · Score: 2

    Valve really brought this problem upon themselves by introducing trading and not having a first-party trade listing service that does not involve real-world money. Right now, most people list their trades on third-party sites over which Valve has little to no control. This is where you'll see the vast majority of people getting phished or scammed out of their items or accounts.

    Contrary to what Valve says, a lot of the items I've seen stolen have been stolen through phishing or other social engineering, not through actual hacking. I've seen people go to ludicrous lengths to steal someone's stuff: case in point, a TF2 scammer I busted late last year who was using offers of PayPal money (which is pretty much a guaranteed way to get your stuff stolen as PayPal does not recognize digital items) to lure people into trading their items to him (i.e., "Give me your item and then I'll send you the hundreds of dollars I promised you").

    The scammer was a 14-year-old kid (at the time) and had scammed at least twenty people out of thousands of dollars of items. He wasn't actually successful in selling most of them, largely due to third-party reputation sites like SteamRep catching onto his game and marking him as a scammer fairly early on, but even after that mark had been placed on him he was still able to continue scamming.

    Really, 99% of the problems with trading could have been solved if Valve had just put up a first-party listing service.

  7. Multiple accounts per phone by tepples · · Score: 2

    My son plays TF2 and doesn't have a cellphone yet (11 years old).

    Then how should he call you for a ride home, especially now that payphone operators have been removing payphones? Besides, Team Fortress 2 is rated M. It's not intended for 11-year-olds. Nor is online play intended for anyone under 13 anyway because of COPPA. In any case, the FAQ states that you can put multiple accounts on one phone. The one downside to putting your son's TF2 account on your phone is that it links the identity associated with your Steam account to his.

    It's way way way overkill, with no way to opt out.

    Then opt out of Team Fortress 2 in the first place.

    1. Re:Multiple accounts per phone by LanMan04 · · Score: 2

      Besides, Team Fortress 2 is rated M. It's not intended for 11-year-olds. Nor is online play intended for anyone under 13 anyway because of COPPA.

      It's really easy to turn off blood/gibs using a few commands on launch, as well as muting incoming voice chat. Once you're past that you have a cartoon-y FPS that really isn't bad. He isn't allowed anywhere near realistic FPS games (CoD, or L4D, etc).

      In any case, the FAQ states that you can put multiple accounts on one phone. The one downside to putting your son's TF2 account on your phone is that it links the identity associated with your Steam account to his.

      Cool, thanks!!

      Then opt out of Team Fortress 2 in the first place.

      Come on, you can do better than that.

      --
      With the first link, the chain is forged.
  8. Stranger danger perception by tepples · · Score: 1

    as well as muting incoming voice chat

    It's not voice chat as much as text chat. The rationale behind the COPPA law and various kid-friendly games' restrictions on chat is that young children allegedly cannot be trusted to share their personally identifying information with would-be abusers. Some games even block use of number words, such as "two" and "three", because that lets users give out their age or home address.

  9. Easiest method... by BenJeremy · · Score: 1

    Have users create a secondary, "sudo" password, that prevents any major account changes (like the main password, associated e-mails or SMS accounts) without presenting that password, too.

    In theory, a user should never give out that password, or ever be required to use it, unless on Steam itself.

    Sadly, many people are taken in by the fake steampowered websites "http://steempowered.com" and lured in with the promise of free games. This is why they made changes (filtering some web sites) to their chat windows a long time ago.

    1. Re:Easiest method... by tepples · · Score: 1

      A secondary password can be keylogged. The Steam authenticator actually displays the trade details on the smartphone's display.

    2. Re:Easiest method... by Anonymous Coward · · Score: 0

      People will forget a secondary password. 2FA is quite adequate here.
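
The lookalike domain mentioned in comment 9 (steempowered.com standing in for steampowered.com) and the chat-window site filtering it refers to can be illustrated with a small link classifier. This is an added example, not Valve's filter or code from any poster; the allow-list, function names, distance threshold and sample message are all assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Assumed allow-list for this example; a real filter would load its own.
TRUSTED = {"steampowered.com", "steamcommunity.com"}

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels. Simplification: ignores suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])

def classify_host(host, trusted=TRUSTED, max_dist=2):
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in trusted:
        return "trusted"
    label = reg.split(".")[0]
    for good in trusted:
        brand = good.split(".")[0]
        # Trusted name used as a subdomain prefix or embedded in a label.
        if host.startswith(good + ".") or brand in label:
            return "lookalike"
        # One or two character edits away from a trusted name.
        if edit_distance(label, brand) <= max_dist:
            return "lookalike"
    return "unknown"

def flag_links(message):
    """Return (host, verdict) for every http(s) link in a chat message."""
    out = []
    for url in re.findall(r"https?://[^\s<>\"']+", message):
        # urlsplit drops any user@ prefix, so the real host is classified.
        host = urlsplit(url.rstrip(".,;)")).hostname
        if host:
            out.append((host, classify_host(host)))
    return out

# Constructed sample chat message, not taken from any real log.
SAMPLE = ("free games at http://steempowered.com/gift, news at "
          "https://store.steampowered.com/news, "
          "login http://steampowered.com@evil.example/login")
```

The third link in the sample shows why the host is taken from the parsed URL and not matched by eye: the trusted name sits in the userinfo part, and the classifier sees only `evil.example`.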

  10. Do what I do by the_Bionic_lemming · · Score: 1

    Every time I see a reminder about setting up an SMS account, I go to support and raise a ticket. I explain that I have no SMS phones and would like a phone number to discuss the issue.

    They reply that they are unable to provide a phone number to resolve the issue, at which point I remind them that I am unable to provide them with an SMS number, and then I again ask for a phone number to discuss the issue.

    Now if everyone did that...

    --
    _ _ _ Go for the eyes Boo! GO FOR THE EYES!
  11. It felt like a lot of arm twisting by manwargi · · Score: 1

    A few weeks ago Steam started redirecting activity to a message about giving them a mobile phone number that you had to oblige/skip to get to what you were trying to reach. Then a couple of weeks later it got more aggressive. Then they started offering small discounts to anyone who gave a number. Then came the warning that without giving up a phone number they were going to hold purchased items (virtual items like trading cards and TF2 hats) for three days. Even if their intentions were simply to reduce scamming, it felt like a whole lot of pushy coercion.

  12. For the best protection vs. malware & more? by Anonymous Coward · · Score: 0

    See subject: APK Hosts File Engine 9.0++ SR-4 32/64-bit http://start64.com/index.php?o...

    ---

    FREE, not 'souled-out' to advertisers + adds speed, security & reliability. Does FAR more w/ FAR less more efficiently vs. redundant browser addons & local DNS servers @ home + fixes DNS' many security issues & it stops a LOT of tracking @ webpage + DNS levels via 1 file you NATIVELY have - firewalls do the rest (on less used IP address trackers vs. host-domain name type).

    ---

    It obtains data vs. threats & for adblocking from 10 reputable security community sites!

    ---

    SPEEDS YOU UP 2 ways (adblocks + local RAM cached favorite sites @ TOP of hosts for fastest resolution speed vs. remote DNS (aids reliability)) vs. other "so-called security 'solutions'" SLOWING YOU!

    ---

    All that via something you natively have vs. "bolting on browser addons 'MOAR'" that's usermode slower & increases messagepassing, cpu + ram overheads!

    ---

    MalwareBytes' hpHosts Admin (MalwareBytes employee who verified its source as safe http://forum.hosts-file.net/vi... ) hosts & recommends it -> http://hosts-file.net/?s=Downl... & MalwareBytes = BEST antivirus per this VERY recent testing of them all http://www.av-test.org/en/news...

    &

    It's safe proven by 57 antivirus programs recently in BOTH its 64-bit model https://www.virustotal.com/en/...

    +

    Its 32-bit model too https://www.virustotal.com/en/...

    Its installer too -> http://f.virscan.org/APKHostsF...

    ---

    * "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend".

    APK

    P.S.=> By "yours truly" - "The Lord of Hosts" so-to-speak:

    "The image this title brings to mind is of a mighty military commander, one who can at a mere word summon rank upon rank of protective power" from https://answers.yahoo.com/ques... & THE WORD = hosts!

    (Accept NO substitutes!)

    ...apk