I find steam guard 2fa enabling process not so secure
I want to enable steam 2fa.

This is how it's done in 99% of cases in all other 2fa-requiring programs and webpages:
1) get 2fa code without the need to install something else somewhere else.
2) enter 2fa code into auth.app. Usually it's Google Authenticator, but there are a lot of other open source apps which can generate 2fa codes, because it's always the same 2fa algorithm proven by years and millions of users.
3) password is still safe, I didn't have to enter it elsewhere. Plus I have 2fa security on top. All good.

But this is what I have to go through in Steam. I haven't even done it yet, it's just a result of research so far.
1) download one more unnecessary mobile app (steam app)
2) enter login and password on one more device (mobile), which lowers security. Mobile phones are full of spyware installed from store, except maybe Apple with their strict developer checks. But then you get Apple's always watching keylogger so it's still not great.
3) finally activate 2fa in steam mobile app
4) I literally don't need steam mobile app for anything except enabling 2fa. So, spend eternity to find some rare open source project which can generate steam 2fa codes, because usual auth apps will not work because steam's 2fa is different from global standard.
5) I don't want to keep mobile app logged in into my account. I just need it to enable 2fa and then logout from the steam app and uninstall it forever. And generate 2fa codes in some good trusted app tested and trusted by millions of people. I don't want my entire account security to be tied to mobile phone which can be easily lost or stolen.
6) so, add steam's 2fa code into other app, uninstall steam mobile app
7) change password, because it's probably compromised after typing it into mobile

I just want to secure my account by enabling 2fa, and generate codes on another secure trusted device. Why do I have to actually compromise account security if I want to do that?
Why is there no option in Steam PC version to activate global standard 2fa and to use any other trusted 2fa app to generate codes?
Showing 16-30 of 35 comments
Originally posted by Zefar:
Read up on it and it seems to be used a certain group of people only.
And you never heard about those stories when these spy agencies got hacked and every 12 years old script kiddie could just download these tools via torrent? Search for the Italian firm called Hacking Team. Now they are more like Hacked Team...
Originally posted by Steven Seagull:
I'm ignoring it, because it doesn't have anything to do with 2FA. In case of proper 2FA you don't have both secrets on one device. That's the point of 2FA which you still cannot understand.
To get into the phone you would need it. If someone managed to get into the phone with these things they would have no problem getting past the Google Authenticator protection.

Originally posted by Steven Seagull:
Here are 3 scenarios where properly implemented 2FA protects you:
Scenario #1:
You have your password typed onto a PC and you have your 2FA app on your phone. On your phone you never enter your password. The PC gets infected with a trojan and the hackers will know your Steam password. The hackers won't be able to log into your Steam account from THEIR PC because you won't approve the login attempt from your phone.
Scenario #2:
You have your password typed onto a PC and you have your 2FA app on your phone (same as before). You lose your phone and someone guessed your PIN or faked your fingerprint or used a vulnerability to crack the phone's encryption (such vulnerabilities existed before). The bad guy cannot do anything with your Steam account, because all he has is some numbers changing every 30 seconds. He doesn't have your password.
Scenario #3:
You have your password typed onto a PC and you have your 2FA app on your phone (same as before). You open a random cat GIF website on your phone which roots your phone and steals all your data. The attackers still won't know your Steam password.

Currently this would happen with Steam mobile app:
Scenario #1:
You will be protected.
Scenario #2:
The attackers will know your Steam password and can authenticate themselves with the 2FA app and they can take over your account.
Scenario #3:
The attackers will know your Steam password and can authenticate themselves with the 2FA app and they can take over your account.

1: Well first that trojan has to get past whatever antivirus program I have installed and figure out how to steal my password with Autologin on.

2: With Autologin I'll never need to type in my password.
Faking the fingerprint sensor is gonna be hard. Because you would actually need my fingerprint to begin with. Not to mention what finger I used. You have 3 chances remember.


3: See this is why I keep Autologin on as I never need to type in my password.
Yeah, for such a cat picture to have a virus it'd be on a sketchy website to begin with. Sites I'd never visit with my phone.
The things I use my phone for is for Google and well known news sites.

Originally posted by Steven Seagull:
Originally posted by Zefar:
The App does not give you full access. The thief also won't have your password.
It has actually limited control on what he can do.
In the new Steam mobile app, you never ever have to type in your Steam password?

I didn't need to type in my password because it's on a device I already was logged in on and already have SteamGuard on it.
Also the app itself does not give you full control over the Steam account.
Last edited by Zefar; 13 Oct 2022 at 15:12
Originally posted by Zefar:
To get into the phone you would need it. If someone managed to get into the phone with these things they would have no problem getting past the Google Authenticator protection.
I cannot interpret what you are trying to say... I think you have no idea what Google Authenticator does.

1: This is actually ironic, because a lot of times trojans attack the antivirus first. Nowadays the OSes are much more secure in general than they were before. If you install an antivirus you do 2 things: 1: extend your attack surface, 2: give full access to your whole device when there is a vulnerability in it. It happened a lot of times that viruses have hacked the OS through the AV. Bonus if the AV stored passwords, credit card details, etc.

2: You really never typed your password? Then how do you autologin? You must have typed it at least once. And at that point the keylogger has already picked it up and sent it out to the attackers.
For phones you can install keyboards. Guess what they are doing, why they need internet access? They send out everything you type, you don't even have to be infected by a traditional trojan, you infect yourself by just downloading a keyboard app from the store.

3: Wrong, you type your password at least once. You avoid sketchy sites, that's good. The problem is that you don't have to visit it. They can be embedded in an iframe in other sites. Other sites what you trust can be hacked. Even automatically embedded ads can have malware in them. Happened before many times.
I just checked with my friend. After you enable Steam guard in mobile app, you are always logged in there. Basically, mobile app becomes trusted device of highest order which can approve/deny other login attempts. I think you aren't even allowed to logout from steam app when mobile guard is on anymore, because then you have no other device which can generate guard code for relogin.

Can I consider my phone as trusted device? Considering I get ads on my homescreen after installing bunch of games - zero trust lol no.

Yes you have to login to your account with login and password on mobile, then enable mobile guard, then keep steam app always logged in on mobile. Basically, no sign of 2FA at all. Was my mistake to call it that way, it's just "guard".

To make it work as actual 2FA-style authorization, need to do a few more workarounds manually:
1) rip out secret code from steam app config files (steam provides some recovery code, but it's not compatible with RFC6238); but you can do that only with rooted android.
2) looks like the secret code taken directly from config files is compatible with google auth and hardware keys, but I haven't found definitive answer to this. Either this, or if doesn't work then one of those open source projects.
3) finally clear steam app files and uninstall the app to delete remaining traces of password and secret code.
Last edited by 6005122851162932; 13 Oct 2022 at 16:03
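The opening post and the workaround list above both turn on one point: RFC 6238 TOTP is a single, well-known algorithm that any authenticator app can run, while Steam's codes use a different output format. The following added example (written for this thread, not Valve's code or any of the open-source projects mentioned) implements standard TOTP and checks it against the RFC 6238 test vectors, plus a server-side verifier with clock-drift tolerance. It also shows a Steam-style re-encoding of the same HMAC output into a five-character alphabet; that alphabet and encoding step are taken from public third-party authenticator implementations and are an assumption of this example, not something the thread confirms.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 parameters used by Google Authenticator-style apps.
STEP_SECONDS = 30
DIGITS = 6

# Character set of Steam-style 5-character codes. ASSUMPTION: taken from
# public third-party authenticator implementations; not confirmed by the thread.
STEAM_ALPHABET = "23456789BCDFGHJKMNPQRTVWXY"


def hotp_truncate(secret: bytes, counter: int) -> int:
    """HMAC-SHA1 plus dynamic truncation (RFC 4226 section 5.3).
    Returns the 31-bit integer every code format below is derived from."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    return struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF


def totp_rfc6238(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """Standard TOTP: the truncated value reduced to zero-padded decimal digits."""
    counter = unix_time // STEP_SECONDS
    return str(hotp_truncate(secret, counter) % (10 ** digits)).zfill(digits)


def totp_steam_style(secret: bytes, unix_time: int) -> str:
    """Same HMAC and truncation, but the value is re-encoded into five
    characters of STEAM_ALPHABET (assumption, see above). A standard app given
    the same secret would still display the decimal code, which is why the two
    do not interoperate even though the underlying cryptography is identical."""
    value = hotp_truncate(secret, unix_time // STEP_SECONDS)
    chars = []
    for _ in range(5):
        chars.append(STEAM_ALPHABET[value % len(STEAM_ALPHABET)])
        value //= len(STEAM_ALPHABET)
    return "".join(chars)


def secret_from_base32(b32: str) -> bytes:
    """Authenticator apps exchange the shared secret as unpadded base32
    (the otpauth:// URI 'secret' parameter); restore padding before decoding."""
    s = b32.strip().upper().replace(" ", "")
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    neighbouring steps (clock drift), comparing in constant time."""
    for skew in range(-window, window + 1):
        expected = totp_rfc6238(secret, unix_time + skew * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed input: the RFC 6238 Appendix B test secret (ASCII digits).
    rfc_secret = b"12345678901234567890"
    print(totp_rfc6238(rfc_secret, 59))          # RFC vector: 287082
    print(totp_rfc6238(rfc_secret, 59, 8))       # RFC vector: 94287082
    print(totp_steam_style(rfc_secret, 59))      # same HMAC, different encoding
    now = int(time.time())
    print(verify_totp(rfc_secret, totp_rfc6238(rfc_secret, now), now))
```

The point the code makes for the discussion: the secret and the HMAC step are interchangeable between implementations; only the final encoding differs. Whether a given app's exported secret actually matches is a question the thread leaves open, and this example does not settle it.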
I have one 2fa that does deliver a phishing proof way of 2fa.
While having an own app because it works without a code.

It has a setup code, and knows no detail of the account. When I log in to the account, it shows a XYZ3...... and a message on phone asks if I want to allow XYZ3. Or deny.


That is 2fa. I don't get why people look at steam guard and don't see what that is instead.
I hear people say that phones are super safe, thieves never misuse what they find on phones. And therefore steam guard does not need to follow 2fa guideline to be more than 1fa.
Originally posted by Zefar:
During my time I never once saw someone make a topic about their phone being stolen and used to hijack their account.

[..]

For a criminal to take your Steam account he would need to do this.

1: Get access to your account name and password. Easier said than done.

2: Steal your phone. Then crack into it by getting past the pin code or the pattern painting. Which btw you have 3 chances to get right.

3: Then finally login to the account to change information.


You are focused on physical theft when the real problem is cyber crime.
Just this past September alone, 35 apps were found in the Google Play Store which carried malware. Similar amounts are found every other month. Both for Google Play and the Apple Store.

These aren't small-time niche apps hidden in the corners of the store. They regularly enjoy in the millions of downloads. Steam's active user base - i.e. users logging in at least once a month - is at approx. 120 million. The batch of malware apps that were removed from Google Play this last July had 3 million users. That's a potential 1/40th of Steam's user base.

All it takes is a criminal that manages to push a password stealer that's capable of escaping the app's own sandbox; or in case of Android: just ask for permission to use the accessibility APIs in the system, which allow it to read and interact with anything on screen by itself - meaning any app with that permission is effectively a potential RAT.

They don't have to change anything wrt your login credentials. They just need to get in. And once they're in; add an API key to your account. Which you as a normal user will never, ever learn was added until it's too late.

Mainly because Valve is incredibly obtuse about its whole existence to begin with, it being little more than a duct-taped together crutch to facilitate legit bot accounts such as trade bots, than a formal and proper API-key system where you can issue multiple keys and limit permissions assigned to certain keys.
Here it's just a quickly thrown together one-key-to-rule-them-all.

Last edited by RiO; 13 Oct 2022 at 23:59
Ok so lets start by separating something that I think will help all sides in this argument

1. Steam PC is more or less as safe as before, to hijack it now just like before you need the phone
2. If I understand right a lot of the concern here is about the mobile app being login and locked like that, meaning someone can use the account from there without too much trouble

On that matter, Yes I do agree on 2 and did not think about that much till seen the posts here
I will however point out that the Steam app likely doesn't have much of a console control, meaning someone doing this will need to make a virus that can track and follow stuff on the screen to be able to create an attack (move stuff and press stuff to do it). It will be messy, even if I guess possible, and a lock on it may be better, or separating the Guard and Steam app into separate apps so the guard is on its own, and you can't do stuff on it except Steam guard related stuff maybe.

Does someone disagree on number 1?

And about the replies here

Originally posted by Steven Seagull:
Wrong. The criminal only has to do one thing: send you an SMS. Yes, it can be enough to just send an SMS to a phone and then you can see everything that is on the phone and do everything that the phone owner can do, but in stealth mode so it isn't even visible to the user. Search for the Pegasus malware for example. It is just one malware from the past.
Or you just have to open a webpage and with CPU vulnerabilities like Spectre v2 they can read everything from your phone. These are things that happened already in the past, but in the future these can happen again. Just search for the term zero click RCE (remote code execution).

Even if these are rare it doesn't change the fact that Steam's 2FA is broken and not secure.
Ok... let's just put stuff into perspective here
You're a master hacker, you were able to get the same ability to hack that a hacking group of brilliant hackers earning millions a year get
And with all that power what you pick to do.... is steal a Steam account, that I will assume in most cases is worth about 0.0$ and in the high count maybe a 100,000$ and that is if you even get to sell the items before you are blocked and stuff
Does that seem logical to you?
I mean how dumb brilliant does a hacker have to be to do that?
Hell why even attack users? Get into a Valve employee account, and you can do so much more, enter into a rich man's mobile and use his credit card, there are much more worthwhile targets than Steam for those cases

I mean this is kind of like saying we should make all our walls enforced with metal as there are tanks out there
I just think there are better targets for them than your random house

Honestly going to that extreme is going into a silly level of things

Again if someone can do that much, they've got better targets than Steam, and it's why you will not hear about cases like that, because it's just not that big of a target, all steam accounts in the end are not worth that much, and most of them are worth even less
I'll say what I've said in similar threads.
In 10 years of the Steam mobile authenticator we've not seen a surge of phone theft or malware in order to steal accounts through the phone.

'Hackers' just like electric current always choose the path of less resistance. And that still isn't through the phone. They've gone to external channels like Youtube or Discord to steal accounts before even trying to compromise the phones or steal them.
Originally posted by Black Blade:
Ok... let's just put stuff into perspective here
You're a master hacker, you were able to get the same ability to hack that a hacking group of brilliant hackers earning millions a year get
And with all that power what you pick to do.... is steal a Steam account, that I will assume in most cases is worth about 0.0$ and in the high count maybe a 100,000$ and that is if you even get to sell the items before you are blocked and stuff
Does that seem logical to you?

These tools can be stolen as it happened before. Search for the Italian hacking firm called Hacking Team. When these tools which were developed for millions of dollars fall into the hands of anybody, that's a different case. When such tools become public knowledge anyone can use them for anything. There were tools created by the NSA but stolen by someone and they made them public. Then someone weaponized them and I think you remember when ransomware got really popular and the news was full of it. That was because the NSA couldn't keep their cyberweapons in house... Search for EternalBlue.

These tools/cyberweapons can become public knowledge, or you can buy them for a small fee on the dark web and create your own ransomware, or if you'd like, a Steam account stealer, if you want to.
Last edited by Steven Seagull; 14 Oct 2022 at 8:16
Originally posted by Tito Shivan:
In 10 years of the Steam mobile authenticator...

It's only been just over 7 years, right? Or is 2015 even older than I think it is...?

:taloslol:
Originally posted by Tito Shivan:
I'll say what I've said in similar threads.
In 10 years of the Steam mobile authenticator we've not seen a surge of phone theft or malware in order to steal accounts through the phone.

'Hackers' just like electric current always choose the path of less resistance. And that still isn't through the phone. They've gone to external channels like Youtube or Discord to steal accounts before even trying to compromise the phones or steal them.
I look at it differently:
We use 2fa for the case when for example steam gets hacked.
And their database decrypted.
For that we use 2fa.
You don't need 2fa normally. That's its scenario. Or password re-use. Fine.

For this difficult happening, we use 2fa.

Now there is a similar theoretical but more likely danger if 2fa is actually 1fa.
It is not far fetched to protect against that, instead of exposing and saying: "Dont you have a safe phone in a safe environment?"
Originally posted by Tito Shivan:
I'll say what I've said in similar threads.
In 10 years of the Steam mobile authenticator we've not seen a surge of phone theft or malware in order to steal accounts through the phone.

'Hackers' just like electric current always choose the path of less resistance. And that still isn't through the phone. They've gone to external channels like Youtube or Discord to steal accounts before even trying to compromise the phones or steal them.

There is literally malware-for-hire out there which can be tailored and configured for various delivery paths and to target specific credentials for specific services; some sophisticated enough to include phone platforms and 2FA applications.

And yes; Steam is a target. Steam along with Twitch and Discord, was specifically targeted in the last known large-scale deployment of the 'over-the-counter' RedLine malware: through legit emails sent out from the real 2K support desk, which was hacked. That's just the most recent example. But it's been going on for longer.
Last edited by RiO; 14 Oct 2022 at 9:02
Originally posted by «¿(ähF¶ÒL5ù«ZÇ7ôÃ|v)¯:
I want to enable steam 2fa.

This is how it's done in 99% of cases in all other 2fa-requiring programs and webpages:
1) get 2fa code without the need to install something else somewhere else.
2) enter 2fa code into auth.app. Usually it's Google Authenticator, but there are a lot of other open source apps which can generate 2fa codes, because it's always the same 2fa algorithm proven by years and millions of users.
3) password is still safe, I didn't have to enter it elsewhere. Plus I have 2fa security on top. All good.

But this is what I have to go through in Steam. I haven't even done it yet, it's just a result of research so far.
1) download one more unnecessary mobile app (steam app)
2) enter login and password on one more device (mobile), which lowers security. Mobile phones are full of spyware installed from store, except maybe Apple with their strict developer checks. But then you get Apple's always watching keylogger so it's still not great.
3) finally activate 2fa in steam mobile app
4) I literally don't need steam mobile app for anything except enabling 2fa. So, spend eternity to find some rare open source project which can generate steam 2fa codes, because usual auth apps will not work because steam's 2fa is different from global standard.
5) I don't want to keep mobile app logged in into my account. I just need it to enable 2fa and then logout from the steam app and uninstall it forever. And generate 2fa codes in some good trusted app tested and trusted by millions of people. I don't want my entire account security to be tied to mobile phone which can be easily lost or stolen.
6) so, add steam's 2fa code into other app, uninstall steam mobile app
7) change password, because it's probably compromised after typing it into mobile

I just want to secure my account by enabling 2fa, and generate codes on another secure trusted device. Why do I have to actually compromise account security if I want to do that?
Why is there no option in Steam PC version to activate global standard 2fa and to use any other trusted 2fa app to generate codes?
But my steam mobile app keeps generating valid codes even while logged out.
Originally posted by cSg|mc-Hotsauce:
It's only been just over 7 years, right? Or is 2015 even older than I think it is...?

:taloslol:
I somehow ended up mixing the Steamguard release date (2011) with the authenticator app one... :lunar2020gigglemonkey:
Originally posted by Tito Shivan:
Originally posted by cSg|mc-Hotsauce:
It's only been just over 7 years, right? Or is 2015 even older than I think it is...?

:taloslol:
I somehow ended up mixing the Steamguard release date (2011) with the authenticator app one... :lunar2020gigglemonkey:

Hey; on the other hand. You've been around the block long enough to even start mixing up dates.
Every downside has its upside. :lunar2019grinningpig:
Date Posted: 12 Oct 2022 at 18:42
Posts: 35