Slashdot Mirror


Steam Escrow System Drives Impatient Users To Fake Trading Sites Serving Malware (malwarebytes.org)

An anonymous reader writes: On Wednesday, Valve introduced a new "trade hold" system that should prevent scammers from stealing items from Steam users' hijacked accounts, or at least minimize the occurrence of such incidents. Anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. The system was, understandably, not welcomed by some users, and it didn't take long for scammers to take advantage of this discontent.

22 of 88 comments

  1. Did the Submitter have a Stroke? by bigdady92 · · Score: 3, Funny

    The title sounds like someone had a seizure during submission and mashed words into sentences.

    --
    Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
    1. Re:Did the Submitter have a Stroke? by bigdady92 · · Score: 2

      Bad AC, you must do much better with your Snarkiness and come up with a better response than "UR RETARDED"

      We expect better out of our Anonymouse Posters

      --
      Wheel of Time: Book by Book and Sumview (summary review) Bigdady92 style: http://bigdady92.blogspot.com/
  2. Well, I did learn something by NotDrWho · · Score: 2, Informative

    Apparently Steam has a trading feature, which exists for some reason. You can't use it for selling used games. It's only for "gifting" games and digital items.

    Nope, no one could have foreseen that a system like that would be catnip for hackers and scammers.

    And they wonder why I won't give them my credit card number.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Well, I did learn something by Gr8Apes · · Score: 2

      And they wonder why I won't give them my credit card number.

      I don't give anyone online my real CC, virtual numbers only, thank you.

      --
      The cesspool just got a check and balance.
    2. Re:Well, I did learn something by Anonymous Coward · · Score: 3, Insightful

      Doesn't matter if you give them out or not to the ad agencies. This Monday I was browsing the menu of a local take-out restaurant that I had never used before and decided to pass because of their prices. By Thursday (yesterday) there was an ad postcard in the mail with my full name on it (not simply addressed to "resident"), and I'm running Firefox locked down with Ghostery and NoScript, allowing cookies for the session only and disallowing any third-party cookies. Another case in point: I dropped my insurance, Assurant, to switch to Obamacare this fall, and since then I've had over a dozen cold calls from insurance agents spanning the country saying they recently heard I canceled my insurance and trying to scare me into getting their insurance instead.

      I FUCKING HATE THE SPYING / ADVERTISING OUR WORLD HAS DEGENERATED INTO

    3. Re:Well, I did learn something by Anonymous Coward · · Score: 2, Interesting

      Geesh, loosen your tinfoil hat a little. If you own your own home, your name and address are on the public record. It's not that hard for a restaurant (or anyone else) to get names tied to addresses and target a neighborhood. I'd be willing to bet that several of your neighbors got similar cards that same day.

    4. Re:Well, I did learn something by RogueyWon · · Score: 5, Interesting

      These digital item trading systems which allow items to be redeemed for real money are, when linked to otherwise-useful gaming account systems, an absolute plague. They're the worst kind of incentive to spamming, scamming and outright criminality.

      It's not just limited to Steam. If you look over at Xbox Live, you'll find there have been (and to some extent continue to be) serious issues there, despite there only being a single game series that allows these kinds of trades (FIFA Ultimate Team).

      It's a funny thing; everybody knows about the Sony PSN hack. And yet very few people ended up actually being inconvenienced by that hack, save for the inconvenience of the PSN being down for a few months. What's not widely known is that there have been a number of less eye-catching but more severe compromises of Xbox Live security in recent years. The most serious exploit involved a flaw in Microsoft's phone-support protocols. It got very little publicity, because it doesn't fit with the media's perception of what a "hack" looks like, but it hit an awful lot of accounts and resulted in an awful lot of fraudulent credit card transactions.

      And why were the scammers doing this? Mostly, it turned out, so that they could purchase and then monetise FIFA Ultimate Team trading items. Ordinarily, there was no means to get money "out of" the Xbox Live system. So you could compromise somebody's account and use it to buy games or DLC, but you couldn't sell these on and once the original owner got their account back, you were left with nothing to show for your efforts. FIFA changed all of that and created a pretty large industry in compromising XBL accounts. Worse, besides keeping a constant eye on their account, there was nothing at the time that users could do to protect themselves; there was no need to get people to divulge a password or click a dodgy link - the scammers were going straight to MS's flawed support services.

      Back over on the PC, Valve have been very slow in waking up to the issue of compromised accounts. I suspect it's only the growing prospect of a number of countries' consumer protection authorities taking enforcement action against them that's prompted this recent action. The option they've gone for is slow and over-burdensome. I was disappointed to read in their statement announcing it that they had considered but rejected the idea of just scrapping these trades. Sadly, given they cream off a good chunk of each transaction, that was too much to hope for. But for as long as it is possible to launder money out of Steam, large-scale attempts to illegally access accounts will continue.

    5. Re:Well, I did learn something by Somebody+Is+Using+My · · Score: 4, Informative

      Ummm... I hate to break it to you, but the verb form of "gift", as in "bestow a gift", dates back to the 16th century. It's not a modern or American usage; it is a long-recognized usage of the word.

      And now back to our regularly scheduled programming...

    6. Re:Well, I did learn something by KGIII · · Score: 2

      Well, that's rational.

      --
      "So long and thanks for all the fish."
    7. Re:Well, I did learn something by Barefoot+Monkey · · Score: 2

      I don't know. It all sounds rather complex.

    8. Re:Well, I did learn something by KGIII · · Score: 2

      Now you're just going off on a tangent!

      --
      "So long and thanks for all the fish."
    9. Re:Well, I did learn something by Samantha+Wright · · Score: 2

      ...Did a dictionary shoot your parents or something? That's not how language works. Conversion is one of the most common forms of vocabulary formation in many languages, and English is no exception. Your idiolect is non-standard if it doesn't permit "gift" as a verb, and you certainly don't speak for all of Canada! If you absolutely must complain about a verbified noun, try "impact." It's a much more popular point of contention for pedants.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
  3. Item trading bought me a game on sale. by truck_soccer · · Score: 5, Insightful

    Anyone stupid enough to trade STEAM ITEMS through any service that isn't STEAM gets no sympathy. Are people getting dumber or am I getting less tolerant?

    1. Re:Item trading bought me a game on sale. by mattventura · · Score: 2

      What's happening is Valve has done a 180. The entire reason they introduced certain features (such as the market) is to provide an official, difficult-to-get-scammed way of doing things so that people won't have to go to untrustworthy third parties.

      But then, they started implementing more and more restrictions on these things. For example, the only way to trade certain things is to "gift" them, which is a one-way transaction where the only guarantee that the other party will actually follow through is the word of an anonymous stranger on the Internet. The best way to reduce the amount of scamming is by not forcing users to third-party or other seedy methods of trading to begin with.

      You already had to be a complete and utter moron to actually get scammed. It doesn't matter how idiot-proof they make it, someone will make a better idiot.

      Also, another reason why there's so much scamming on services like Steam is that while the amount of money you'd get would be considered less than peanuts in any first world country, in other places it might amount to something decent. So as technology spreads, you get more online petty theft.

    2. Re:Item trading bought me a game on sale. by tepples · · Score: 3, Interesting

      It depends on whether people are likewise stupid enough to spend $1000 over the course of two years on replacing their current phone with an Apple or Google phone just to be able to trade items in a timely fashion.

      I've gathered from the instructions page and the FAQ page that the authenticator requires an iPhone with a valid cellular subscription or an Android phone with Google Play with a valid cellular subscription. As far as I can tell based on these pages, the authenticator cannot* be obtained on Android devices without Google Play, such as devices running Amazon Fire OS or Replicant OS. The authenticator does not work on devices running Windows Phone, on feature phones, or on landlines. Based on repeated references to phone numbers, it is unclear whether the authenticator works on tablets or on phones with an expired cellular subscription. How many people are willing to buy an iPhone or an Android phone with Google Play just to confirm item trades?

      * Lawfully.

  4. Hold system is ridiculous by LanMan04 · · Score: 3, Informative

    My son plays TF2 and doesn't have a cellphone yet (11 years old).

    If I want to send him something from my account, it takes THREE DAYS because we "haven't been friends for a year" yet. Even if we had been friends for that long, it would take a full 24 hours because he doesn't have the "mobile authenticator". Every time. He doesn't even have a phone, you jackasses!

    And now *I* have to have the stupid authenticator turned on if I want to trade with randoms on the internet. Dude, my account is secure! I get email notifications of trades, which show up instantly on my phone.

    It's way way way overkill, with no way to opt out. Sucks.

    --
    With the first link, the chain is forged.
    1. Re:Hold system is ridiculous by BenJeremy · · Score: 3, Insightful

      I understand your frustration, but something had to be done. My son had his account stolen. It took us over a week to get it back, and in the meantime, the scammer who tricked my son into giving up his password (I tried to teach him better beforehand, but at least his experience means he actually listens to me now) and took over his account sold it to some Russian kid, who was probably out a bit of cash when the account was returned (my son's account had over 600 games at the time).

      He didn't have anything in his inventory worth trading out, at least... there wouldn't have been anything left if there was. With this system, at least that wouldn't have been as much as a worry.

      The authenticator is a fine system. You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator; no need for a cell phone these days. It's never too early to take measures that can enhance your son's security now, and even better when such measures can be carried with him for the rest of his life, too.

      I hope Steam also improves the way they handle account thefts - it would be a simple thing to check logs against IPs and international locations to see fishy activity once a complaint is raised and act immediately to, at least in the short term, freeze the account until things get sorted. From Day One Steam has not allowed the trading or sale of Steam accounts in their TOS, so a user suddenly changing names and accessing an American account from Russia should raise a red flag that is easy to spot by the system. Likewise, actions like trying to trade out all the items in the inventory should also signal possibly fraudulent activity. There are probably a good dozen automated ways Steam could detect potential account theft and squash it without ever inconveniencing the customer.
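An added example of the kind of automated check the comment above describes (this is not the commenter's code and not anything Valve runs): it scores each account's most recent session on three heuristics from the comment (a login from a country never seen on that account before, a display-name change right after that login, and a large share of the inventory traded out) over a constructed activity log. Account names, inventory sizes, the log format and the thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (not real Steam data). Fields per line:
# timestamp, account, event kind, detail (country for login, new display
# name for rename, number of items sent for trade_out).
SAMPLE_LOG = """\
2015-12-01T10:00 alice login US
2015-12-02T11:00 alice login US
2015-12-03T09:30 alice trade_out 1
2015-12-05T02:10 alice login RU
2015-12-05T02:12 alice rename xX_cheap_keys_Xx
2015-12-05T02:15 alice trade_out 14
2015-12-05T02:16 alice trade_out 9
2015-12-01T10:00 bob login US
2015-12-05T10:00 bob login US
2015-12-05T10:05 bob trade_out 2
"""

# Assumed inventory sizes at review time, keyed by account.
INVENTORY = {"alice": 30, "bob": 40}

def parse_log(text):
    """Group events per account as (timestamp, kind, detail) tuples."""
    per_account = defaultdict(list)
    for line in text.strip().splitlines():
        ts, account, kind, detail = line.split()
        per_account[account].append((datetime.fromisoformat(ts), kind, detail))
    return per_account

def takeover_signals(events, inventory_size, window=timedelta(hours=24), bulk_ratio=0.5):
    """Names of the heuristics tripped by the account's most recent login session."""
    events = sorted(events)
    logins = [i for i, (_, kind, _) in enumerate(events) if kind == "login"]
    if not logins:
        return []
    last = logins[-1]
    last_ts, _, last_country = events[last]
    earlier_countries = {e[2] for e in events[:last] if e[1] == "login"}
    session = [e for e in events[last + 1:] if e[0] - last_ts <= window]
    signals = []
    if earlier_countries and last_country not in earlier_countries:
        signals.append("login_from_new_country")
    if any(kind == "rename" for _, kind, _ in session):
        signals.append("renamed_after_login")
    moved = sum(int(d) for _, kind, d in session if kind == "trade_out")
    if inventory_size and moved / inventory_size >= bulk_ratio:
        signals.append("bulk_trade_out")
    return signals

def review(text, inventory, min_signals=2):
    """Accounts that trip at least min_signals heuristics, for a temporary freeze pending review."""
    flagged = {}
    for account, events in parse_log(text).items():
        hits = takeover_signals(events, inventory.get(account, 0))
        if len(hits) >= min_signals:
            flagged[account] = hits
    return flagged
```

Requiring two independent signals before freezing keeps a single legitimate holiday login or a name change from locking out the real owner.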

    2. Re:Hold system is ridiculous by wbr1 · · Score: 2

      Simple solution. Have his mobile authentications go to YOUR phone, or to a Google Voice number you control. On personal machines he should stay logged in and not have to use it and bother you but rarely.

      --
      Silence is a state of mime.
    3. Re:Hold system is ridiculous by tepples · · Score: 2

      I just want a "I know what I'm doing and accept the risk, now fuck off" button

      I'm under the impression that some countries' consumer protection statutes and some payment processors' terms of service forbid companies to offer such a button because scammers are likely to trick marks into clicking it.

  5. A problem of Valve's own creation by timrod · · Score: 2

    Valve really brought this problem upon themselves by introducing trading and not having a first-party trade listing service that does not involve real-world money. Right now, most people list their trades on third-party sites over which Valve has little to no control. This is where you'll see the vast majority of people getting phished or scammed out of their items or accounts.

    Contrary to what Valve says, a lot of the items I've seen stolen have been stolen through phishing or other social engineering, not through actual hacking. I've seen people go to ludicrous lengths to steal someone's stuff: case in point, a TF2 scammer I busted late last year who was using offers of PayPal money (which is pretty much a guaranteed way to get your stuff stolen, as PayPal does not recognize digital items) to lure people into trading their items to him (i.e., "Give me your item and then I'll send you the hundreds of dollars I promised you").

    The scammer was a 14-year-old kid (at the time) and had scammed at least twenty people out of thousands of dollars of items. He wasn't actually successful in selling most of them, largely due to third-party reputation sites like SteamRep catching onto his game and marking him as a scammer fairly early on, but even after that mark had been placed on him he was still able to continue scamming.

    Really, 99% of the problems with trading could have been solved if Valve had just put up a first-party listing service.

  6. Multiple accounts per phone by tepples · · Score: 2

    My son plays TF2 and doesn't have a cellphone yet (11 years old).

    Then how should he call you for a ride home, especially now that payphone operators have been removing payphones? Besides, Team Fortress 2 is rated M. It's not intended for 11-year-olds. Nor is online play intended for anyone under 13 anyway because of COPPA. In any case, the FAQ states that you can put multiple accounts on one phone. The one downside to putting your son's TF2 account on your phone is that it links the identity associated with your Steam account to his.

    It's way way way overkill, with no way to opt out.

    Then opt out of Team Fortress 2 in the first place.

    1. Re:Multiple accounts per phone by LanMan04 · · Score: 2

      Besides, Team Fortress 2 is rated M. It's not intended for 11-year-olds. Nor is online play intended for anyone under 13 anyway because of COPPA.

      It's really easy to turn off blood/gibs using a few commands on launch, as well as muting incoming voice chat. Once you're past that you have a cartoon-y FPS that really isn't bad. He isn't allowed anywhere near realistic FPS games (CoD, or L4D, etc).

      In any case, the FAQ states that you can put multiple accounts on one phone. The one downside to putting your son's TF2 account on your phone is that it links the identity associated with your Steam account to his.

      Cool, thanks!!

      Then opt out of Team Fortress 2 in the first place.

      Come on, you can do better than that.

      --
      With the first link, the chain is forged.