Publicado originalmente por _veleron:

Publicado originalmente por Eagle_of_Fire:

The answer is still the same. Yes, code can be "mimiked"...

Ok, so steam sees this "fake"/"mimiked" code and then sends your id/password and 2FA code to scammers then, this is your theory?

Are you being dense on purpose?

Publicado originalmente por Eagle_of_Fire:

Are you being dense on purpose?

You don't need to be hostile if you don't know the answer.

Publicado originalmente por _veleron:

Publicado originalmente por Eagle_of_Fire:

Are you being dense on purpose?

You don't need to be hostile if you don't know the answer.

I'm not hostile but I've just said it twice already.

Publicado originalmente por Zorgλ:

Let's say i want to log in into a third party site

Why would you do that to begin with?

Publicado originalmente por cinedine:

What "Steam partner link"?
When you log into Steam from a new "device", you get an option to do so with a QR code. You can simply take this picture, put it on your phishing site and have the owner confirm the login. You are loging into Steam itself, not some partner site. Or rather *they* log into Steam with your account data.

Ops, this, sadly, appears to be exactly right.
And it shouldn't any difficult to mirror the legit QR code.
Thanks!

Publicado originalmente por Pierce Dalton:

Publicado originalmente por Zorgλ:

Let's say i want to log in into a third party site

Why would you do that to begin with?

Because sites like skinbaron and cs money are used by many and a lot cheaper than steam market itself. I'm not giving valve 15% of every item i sell. Cs money for example takes only 5% which is way more reasonable

Publicado originalmente por Zorgλ:

Publicado originalmente por Pierce Dalton:

Why would you do that to begin with?

Because sites like skinbaron and cs money are used by many and a lot cheaper than steam market itself. I'm not giving valve 15% of every item i sell. Cs money for example takes only 5% which is way more reasonable

You'll end up regretting that sooner or later. Good luck.

"I'm gonna use multiple scam sites because they promise me whatever I want to hear. And then I'll come back blaming Steam for lack of account security!"

Genius.

Publicado originalmente por Pierce Dalton:

Publicado originalmente por Zorgλ:

Because sites like skinbaron and cs money are used by many and a lot cheaper than steam market itself. I'm not giving valve 15% of every item i sell. Cs money for example takes only 5% which is way more reasonable

You'll end up regretting that sooner or later. Good luck.

How so?

Publicado originalmente por Zorgλ:

Let's say i want to log in into a third party site via the QR code. If i can login with the QR code is that proof it is a legit site and not some phising site that will steal your info?

cellphones lol... much easier and safer without them...:-)

Publicado originalmente por Zorgλ:

How so?

By getting your account "hacked" and loosing your money and your items.

I keep it simple.

Don't TYPE in login info, or scan QR code via any 3rd party sites asking for steam login it's that simple.

Scammers make fake pages to mimic Steam to trick you into entering info, or scanning QR to log the scammer into your account by your own doing hence above, it's not rocket science.



Just bookmark these sites so no excuse to being dumb & lazy, only login from these sites.
steampowered.com
steamcommunity.com

Publicado originalmente por Zorgλ:

Publicado originalmente por Pierce Dalton:

You'll end up regretting that sooner or later. Good luck.

How so?

By forgetting to ask if something is safe at one point in time or simply getting sloppy. Any "legit" site can turn around at any point in time or being hijacked by malicious actors. Or they just need to intercept 1 % of transactions done via their services for 99 % of users to adamantly defend them as safe and legit. Everything is fine until it no longer is.

Also while currently unlikely, nothing stops Valve from restricting your account if they feel like it. Rule of thumb: don't shortchange the service provider.

But anyhow: there is no reason to log into any third party site ever. If they really use Steam's OpenID, you can use official Steam sites as your single sign-on.

---
(Side note:
You are not giving Valve 15 % of the sales price. The buyer does. You can specify eactly how much you want for your item. The 15 % are on top of your asking price.)

Publicado originalmente por cinedine:

Publicado originalmente por Zorgλ:

How so?

Also while currently unlikely, nothing stops Valve from restricting your account if they feel like it. Rule of thumb: don't shortchange the service provider.

Wouldn't that be illegal? If there was a rule to not login into third party sites then the option of doing so wouldn't exist right? As far as i am aware, you aren't allowed to promote gambling in regards to third party activity and that's it

Publicado originalmente por _veleron:

Publicado originalmente por Qbert ⭐:

Phising websites are using the QR too

And what do they do with it?
Steam reads this QR, understands that it's not a legitimate steam partner link and does nothing.
Then what?

No. If I had to try making a scam site, I would very much focus on showing you the ACTUAL login site (so it's a REAL Steam login QR code), but run it as kind of "subprogram" of my own site so I can grab the cookies. I'd let the user log in, and grab the login key that Steam gives it. Mission accomplished.
If that works, even the displayed location would be correct because it's actually happening in YOUR box.

Fallback-idea would be to just forward the QR code image to the fake login, in which case the location would not match. In theory, Steam could protect against this fallback by requiring matching IP addresses -- but, if the user has unlimited (or high) data volume on his mobile, he might not have bothered setting up the wifi...