Steam Escrow System Drives Impatient Users To Fake Trading Sites Serving Malware

An anonymous reader writes: On Wednesday, Valve introduced a new "trade hold" system that should prevent scammers from stealing items from Steam users' hijacked account, or at least minimize the occurrence of such incidents. Anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. The system was, understandably, not welcome by some users, and it didn't take long for scammers to take advantage of this discontent.

Did the Submitter have a Stroke?

[bigdady92]

The title sounds like someone had a seizure during submission and mashed words into sentences.

Item trading bought me a game on sale.

[truck_soccer]

Anyone stupid enough to trade STEAM ITEMS through any service that isn't STEAM gets no sympathy. Are people getting dumber or am I getting less tolerant?

Re:Item trading bought me a game on sale.

[tepples]

It depends on whether people are likewise stupid enough to spend $1000 over the course of two years on replacing their current phone with an Apple or Google phone just to be able to trade items in a timely fashion.

I've gathered from the instructions page and the FAQ page that the authenticator requires an iPhone with a valid cellular subscription or an Android Phone with Google Play with a valid cellular subscription. As far as I can tell based on these pages, the authenticator cannot* be obtained on Android devices without Google Play, such as devices running Amazon Fire OS or Replicant OS. The authenticator does not work on devices running Windows Phone, on feature phones, or on landlines. Based on repeated references to phone numbers, it is unclear whether the authenticator works on tablets or on phones with an expired cellular subscription. How many people are willing to buy an iPhone or an Android phone with Google Play just to confirm item trades?

* Lawfully.

Hold system is ridiculous

[LanMan04]

My son plays TF2 and doesn't have a cellphone yet (11 years old).

If I want to send him something from my account, it takes THREE DAYS because we "haven't been friends for a year" yet. Even if we had been friends for that long, it would take a full 24 hours because he doesn't have the "mobile authenticator". Every time. He doesn't even have a phone, you jackasses!

And now *I* have to have the stupid authenticator turned on if I want to trade with randoms on the internet. Dude, my account is secure! I get email notifications of trades, which show up instantly on my phone.

It's way way way overkill, with no way to opt out. Sucks.

Re:Hold system is ridiculous

[BenJeremy]

I understand your frustration, but something had to be done. My son had his account stolen. It took us over a week to get it back, and in the meantime, the scammer who tricked my son into giving up his password (I tried to teach him better beforehand, but at least his experience means he actually listens to me now) and took over his account sold it to some Russian kid, who was probably out a bit of cash when the account was returned (my son's account had over 600 games at the time).

He didn't have anything in his inventory worth trading out, at least... there wouldn't have been anything left if there was. With this system, at least that wouldn't have been as much as a worry.

The authenticator is a fine system. You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator; no need for a cell phone these days. It's never too early to take measures that can enhance your son's security now, and even better when such measures can be carried with him for the rest of his life, too.

I hope Steam also improves the way they handle account thefts - it would be a simple thing to check logs against IPs and international locations to see fishy activity once a complaint is raised and act immediately to, at least in the short term, freeze the account until things get sorted. From Day One Steam has not allowed the trading or sale of Steam Accounts in their TOS, so a user suddenly changing names and accessing an American account from Russia should raise a red flag that is easy to spot by the system. Likewise, actions like trying to trade out all the items in the inventory should also signal a possible fraudulent activity. There are probably a good dozen automated ways Steam could detect potential account theft and squash it without ever inconveniencing the customer.

Re:Well, I did learn something

Doesn't matter if you give them out or not to the ad agencies. This monday I was browsing the menu of a local take out restaurant that I had never used before and decided to pass because of their prices. By Thursday (yesterday) there was an ad postcard in the mail with my full name on it (not simply addressed to resident) and I'm running firefox locked down with ghostery and noscript allowing cookies for session only and disallowing any 3rd party cookies. Another case in point I dropped my insurance Assurant to switch to Obamacare this fall and since then I've had over a dozen cold calls from insurance agents spanning across the country saying they recently heard I canceled my insurance and trying to scare me into getting their insurance instead.

I FUCKING HATE THE SPYING / ADVERTISING OUR WORLD HAS DEGENERATED INTO

Re:Well, I did learn something

[RogueyWon]

These digital item trading systems which allow items to be redeemed for real money are, when linked to otherwise-useful gaming account systems, an absolute plague. They're the worst kind of incentive to spamming, scamming and outright criminality.

It's not just limited to Steam. If you look over at Xbox Live, you'll find there have been (and to some extent continue to be) serious issues there, despite there only being a single game series that allows these kinds of trades (FIFA Ultimate Team).

It's a funny thing; everybody knows about the Sony PSN hack. And yet very few people ended up actually being inconvenienced by that hack, save for the inconvenience of the PSN being down for a few months. What's not widely known is that there have been a number of less eye-catching but more severe compromises of Xbox Live security in recent years. The most serious exploit involved a flaw in Microsoft's phone-support protocols. It got very little publicity, because it doesn't fit with the media's perception of what a "hack" looks like, but it hit an awful lot of account and resulted in an awful lot of fraudulent credit card transactions.

And why were the scammers doing this? Mostly, it turned out, so that they could purchase and then monetise FIFA Ultimate Team trading items. Ordinarily, there was no means to get money "out of" the Xbox Live system. So you could compromise somebody's account and use it to buy games or DLC, but you couldn't sell these on and once the original owner got their account back, you were left with nothing to show for your efforts. FIFA changed all of that and created a pretty large industry in compromising XBL accounts. Worse, besides keeping a constant eye on their account, there was nothing at the time that users could do to protect themselves; there was no need to get people to divulge a password or click a dodgy link - the scammers were going straight to MS's flawed support services.

Back over on the PC, Valve have been very slow in waking up to the issue of compromised accounts. I suspect it's only the growing prospect of a number of countries' consumer protection authorities taking enforcement action against them that's prompted this recent action. The option they've gone for is slow and over-burdensome. I was disappointed to read in their statement announcing it that they had considered but rejected the idea of just scrapping these trades. Sadly, given they cream off a good chunk of each transaction, that was too much to hope for. But for as long as it is possible to launder money out of Steam, large-scale attempts to illegally access accounts will continue.

Re:Well, I did learn something

[Somebody+Is+Using+My]

Ummm... I hate to break it to you, but the verb form of "gift", as in "bestow a gift", dates back to the 16th century. It's not a modern or American usage; it is a long-recognized usage of the word.

And now back to our regularly scheduled programming...