Steam Escrow System Drives Impatient Users To Fake Trading Sites Serving Malware (malwarebytes.org)
An anonymous reader writes: On Wednesday, Valve introduced a new "trade hold" system that should prevent scammers from stealing items from Steam users' hijacked accounts, or at least minimize the occurrence of such incidents. Anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. The system was, understandably, not welcomed by some users, and it didn't take long for scammers to take advantage of this discontent.
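The summary above describes a rule, not code. The following is an added illustration, written for this page and not Valve's implementation: a toy escrow in which a trade confirmed with a code from the account's enrolled authenticator releases immediately, while any other trade is held for 3 days during which the owner can cancel it. It uses RFC 6238 TOTP as a stand-in for the Steam Guard Mobile Authenticator (whose real code format is not modelled), and the names `Escrow`, `Trade`, `HOLD_SECONDS`, the account names and the timestamps are constructed for the example. The point it makes is the one the summary implies: a hijacker who holds the password but not the device cannot produce the confirmation, so their trade lands in the hold window where the real owner can see and cancel it.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical model of the trade-hold rule (not Valve's code): a trade confirmed
# with a code from the account's enrolled authenticator releases at once; any
# other trade is held for up to 3 days, during which the owner can cancel it.
HOLD_SECONDS = 3 * 24 * 3600


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step), standing in for the mobile authenticator."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Trade:
    trade_id: int
    account: str
    created_at: int
    release_at: Optional[int]   # None when the trade was released immediately
    state: str                  # "released" | "held" | "cancelled"


class Escrow:
    def __init__(self) -> None:
        self.authenticators: Dict[str, bytes] = {}   # account -> enrolled secret
        self.trades: Dict[int, Trade] = {}

    def enroll(self, account: str, secret: bytes) -> None:
        self.authenticators[account] = secret

    def submit(self, account: str, trade_id: int, now: int,
               code: Optional[str] = None) -> Trade:
        secret = self.authenticators.get(account)
        confirmed = (
            secret is not None and code is not None
            and hmac.compare_digest(code.encode(), totp(secret, now).encode())
        )
        if confirmed:
            trade = Trade(trade_id, account, now, None, "released")
        else:
            # No authenticator enrolled, or a code the device would not have
            # produced: hold the items so the real owner has time to cancel.
            trade = Trade(trade_id, account, now, now + HOLD_SECONDS, "held")
        self.trades[trade_id] = trade
        return trade

    def cancel(self, account: str, trade_id: int) -> bool:
        """Only the owning account may cancel, and only while the trade is held."""
        trade = self.trades[trade_id]
        if trade.account != account or trade.state != "held":
            return False
        trade.state = "cancelled"
        return True

    def settle(self, now: int) -> None:
        """Release every held trade whose hold window has expired."""
        for trade in self.trades.values():
            if trade.state == "held" and trade.release_at is not None \
                    and trade.release_at <= now:
                trade.state = "released"


def demo() -> Dict[int, str]:
    """Constructed scenario: owner, hijacker, and a user without an authenticator."""
    esc = Escrow()
    secret = b"12345678901234567890"          # RFC 6238 test-vector secret
    esc.enroll("alice", secret)
    now = 1_700_000_000
    # 1: Alice confirms with the code her device shows -> released at once.
    esc.submit("alice", 1, now, code=totp(secret, now))
    # 2: a hijacker has Alice's password but not her device. The wrong code is
    #    constructed as (real code + 1) so the example is deterministic -> held.
    wrong = str((int(totp(secret, now)) + 1) % 10 ** 6).zfill(6)
    esc.submit("alice", 2, now, code=wrong)
    # 3: Bob has no authenticator at all, so no code is possible -> held.
    esc.submit("bob", 3, now)
    # Alice notices the unexpected pending trade during the hold and cancels it.
    esc.cancel("alice", 2)
    # Three days later the escrow releases whatever is still held (Bob's trade).
    esc.settle(now + HOLD_SECONDS)
    return {tid: t.state for tid, t in esc.trades.items()}
```

In this model a wrong code on an enrolled account is treated the same as no code (held rather than rejected outright); that is a design choice made here for the illustration, and a real system would also want rate limiting on confirmation attempts, which the page does not discuss.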
Geesh, loosen your tinfoil hat a little. If you own your own home, your name and address are on the public record. It's not that hard for a restaurant (or anyone else) to get names tied to addresses and target a neighborhood. I'd be willing to bet that several of your neighbors got similar cards that same day.
These digital item trading systems which allow items to be redeemed for real money are, when linked to otherwise-useful gaming account systems, an absolute plague. They're the worst kind of incentive to spamming, scamming and outright criminality.
It's not just limited to Steam. If you look over at Xbox Live, you'll find there have been (and to some extent continue to be) serious issues there, despite there only being a single game series that allows these kinds of trades (FIFA Ultimate Team).
It's a funny thing; everybody knows about the Sony PSN hack. And yet very few people ended up actually being inconvenienced by that hack, save for the inconvenience of the PSN being down for a few months. What's not widely known is that there have been a number of less eye-catching but more severe compromises of Xbox Live security in recent years. The most serious exploit involved a flaw in Microsoft's phone-support protocols. It got very little publicity, because it doesn't fit with the media's perception of what a "hack" looks like, but it hit an awful lot of accounts and resulted in an awful lot of fraudulent credit card transactions.
And why were the scammers doing this? Mostly, it turned out, so that they could purchase and then monetise FIFA Ultimate Team trading items. Ordinarily, there was no means to get money "out of" the Xbox Live system. So you could compromise somebody's account and use it to buy games or DLC, but you couldn't sell these on and once the original owner got their account back, you were left with nothing to show for your efforts. FIFA changed all of that and created a pretty large industry in compromising XBL accounts. Worse, besides keeping a constant eye on their account, there was nothing at the time that users could do to protect themselves; there was no need to get people to divulge a password or click a dodgy link - the scammers were going straight to MS's flawed support services.
Back over on the PC, Valve have been very slow in waking up to the issue of compromised accounts. I suspect it's only the growing prospect of a number of countries' consumer protection authorities taking enforcement action against them that's prompted this recent action. The option they've gone for is slow and over-burdensome. I was disappointed to read in their statement announcing it that they had considered but rejected the idea of just scrapping these trades. Sadly, given they cream off a good chunk of each transaction, that was too much to hope for. But for as long as it is possible to launder money out of Steam, large-scale attempts to illegally access accounts will continue.
It depends on whether people are likewise stupid enough to spend $1000 over the course of two years on replacing their current phone with an Apple or Google phone just to be able to trade items in a timely fashion.
I've gathered from the instructions page and the FAQ page that the authenticator requires an iPhone with a valid cellular subscription or an Android phone with Google Play with a valid cellular subscription. As far as I can tell based on these pages, the authenticator cannot* be obtained on Android devices without Google Play, such as devices running Amazon Fire OS or Replicant OS. The authenticator does not work on devices running Windows Phone, on feature phones, or on landlines. Based on repeated references to phone numbers, it is unclear whether the authenticator works on tablets or on phones with an expired cellular subscription. How many people are willing to buy an iPhone or an Android phone with Google Play just to confirm item trades?
* Lawfully.