olavafar Feb 17, 2024 @ 12:54pm
Steam security is a bit of a hoax
This is a word of warning for anyone trading with skins or similar. I would be very careful to do this with more than pocket money amounts. Steam is NOT a bank. Unfortunately a friend of mine realised this too late.

The steam security may look solid from the outside but it relies only on your mail in the end. If your mail gets compromised, your steam account can/will be hijacked and anything in the inventory will be gone before you can do anything. The steam guard, password security level etc will not matter as it can all be reset/removed only by using the email address. Your mobile steam guard, if running, will just silently be disconnected and so will any mobile phone number.

I have a friend who lost skins that were worth about 3000$ this way. The email he had was a hotmail one and it got compromised although all security measures were taken. He only got an SMS saying account security info was changed but no way to cancel it. It is unknown how the original password leaked, but Microsoft is not responsive in their support so while he tried to get his mail back (he did not think about the steam account and others at that moment) someone sold all his inventory in one day. He has still not been able to un-hijack that hotmail account.

He also got some other services linked to the hotmail address like Netflix stolen in the process btw but Netflix refunded him. This is actually how he noticed it in the first place as Netflix started to draw money from his Amex card on a reactivated Netflix account.

Refunds will not happen with any skins lost at steam as they are now owned by someone else and the money is in the hands of a dishonest lowlife somewhere. These skins of course could be recreated by Valve etc and given to him again, but that will not happen either.

The only upside is that he could quickly (once he realised the steam account had been compromised) get the steam account back (with all the games, but no skins) by following a reset procedure where he could prove identity.
Showing 1-15 of 39 comments
Crazy Tiger Feb 17, 2024 @ 12:58pm 
So your friend gets their email hijacked, but somehow the security on Steam is a hoax? Sure, very logical.

The problem is the user, as you showcased.
Mountain Months Feb 17, 2024 @ 1:08pm 
if valve took security seriously they would allow 2FA hardware keys but apparently forcing everyone to install their spyware on your phone is more important

:winterbunny2023:
Thermal Lance Feb 17, 2024 @ 1:11pm 
Originally posted by Mountain Months:
if valve took security seriously they would allow 2FA hardware keys but apparently forcing everyone to install their spyware on your phone is more important

:winterbunny2023:

Doesn't matter how big the lock is when people are handing out the keys like candies.
Tito Shivan Feb 17, 2024 @ 1:14pm 
A chain is as secure as the weakest of its links.
Amaterasu Feb 17, 2024 @ 1:15pm 
Look, as someone who has paid attention to security in the past. Yes, there are security breaches and security issues all the time and they get the big media coverage. But do you know what the weakest link in security is? The human using it. You don't need to break a massive encryption if they give you their email, password, 2FA, social security number, phone number, date of birth, and child's first name just because you convincingly said please.
Neo Feb 17, 2024 @ 1:16pm 
Sounds like your friend had poor security habits.
olavafar Feb 17, 2024 @ 1:17pm 
'Bit of a hoax' not 'complete hoax'. But I just want to warn people to not make the same assumption. The problem is that it does not matter what fences one puts up on steam as it removes those fences without any sort of confirmation IF you lose the email. Therefore this is not really a Multifactor Authentication system because in the end it relies 100% on a single factor (email).

I do not really see how this is a user issue as I fail to see what he could do differently.
Crazy Tiger Feb 17, 2024 @ 1:20pm 
Originally posted by olavafar:
I do not really see how this is a user issue as I fail to see what he could do differently.
Account hijackings happen via phishing and malware. Not hard to see what your friend could have done differently.
Amaterasu Feb 17, 2024 @ 1:24pm 
Not fall for a phishing link, not openly give away details about how to access one's email, not fall for a fake email with a phishing link, not use gambling sites. There are many, many things he could've done differently. I really really hate to say this, but unless a lot of people have had it happen all at once, the problem isn't a security breach. The problem is the human behind the account falling for a trick.

Unfortunately, security is one of those Dunning-Kruger type things. The more you know about it, the more you think that you'll be able to see all the tricks and unfortunately, that hubris is exactly what ends up leading to people handing out their sensitive information to someone just because someone decided to send them to a site like nintemdo rather than nintendo and just like that... it doesn't matter how tight their security was, they gave the people everything they needed to bypass it on a silver platter wrapped with a shiny golden bow.

The only way to be properly secure is to be paranoid as hell and trust no one. Like me! I can't fall for any tricks because I don't trust anyone to begin with! :SpadeSmug:
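
An added illustration of the lookalike-domain point in the post above (nintemdo rather than nintendo); it is not part of any poster's message. The allowlist, the distance threshold and the sample URLs are constructed assumptions, and the registrable domain is approximated as the last two labels instead of being looked up in the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumed allowlist of domains the user really logs in to (not taken from the thread).
TRUSTED = ("nintendo.com", "steampowered.com", "steamcommunity.com")
MAX_DISTANCE = 2  # assumed threshold; very short domains need a tighter one


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = int(ca != cb)
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "nitnendo" for "nintendo".
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host (simplification, see lead-in)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url: str):
    """Return ('trusted'|'lookalike'|'unknown', matched trusted domain or None)."""
    # urlsplit separates userinfo from the host, so "trusted.com@other.host"
    # is judged by the host actually contacted, not by the text before the "@".
    domain = registrable(urlsplit(url).hostname or "")
    if domain in TRUSTED:
        return ("trusted", domain)
    best = min(TRUSTED, key=lambda t: osa_distance(domain, t))
    if osa_distance(domain, best) <= MAX_DISTANCE:
        return ("lookalike", best)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample URLs.
    for url in ("https://store.nintendo.com/",
                "https://store.nintemdo.com/login",
                "https://steamcomunity.com/tradeoffer",
                "https://nintendo.com@login.example/"):
        print(url, "->", classify(url))
```

A near miss of a trusted domain is a stronger warning sign than an unrelated domain, which is why the check reports which trusted name was imitated.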
Qbert ⭐ Feb 17, 2024 @ 1:31pm 
You can't expect a door to be secure if you close it and then proceed to throw away the key to the street :CAT_NOTE:
Nx Machina Feb 17, 2024 @ 1:40pm 
Accounts are PHISHED because the end user gave away all their account details. The account name, the password and the KEY to the door, the Steam Guard Mobile code giving them access to your account.

How? By either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on discord, free knife click the link etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible :

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And then they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access to your account.

Note:

1) Only you and Steam Support know your account name until you give it away.

2) Steam passwords are hashed, not stored therefore only you can give it away.

3) They physically need to have your mobile for the code, or you need to enter the code.


And finally I have been here 19+ years and have never lost access to my account and this includes before Steam Guard email and Steam Guard Mobile existed. My Steam account is safe because I only log in to Steam.
76561199540158642 Feb 17, 2024 @ 1:55pm 
in all honesty, the mobile steam guard is why your account got compromised, it is not secure, do not engage with any trading using the mobile app, this known issue has been going on since before 2019
Originally posted by olavafar:
This is a word of warning for anyone trading with skins or similar. I would be very careful to do this with more than pocket money amounts. Steam is NOT a bank. Unfortunately a friend of mine realised this too late.

The steam security may look solid from the outside but it relies only on your mail in the end. If your mail gets compromised, your steam account can/will be hijacked and anything in the inventory will be gone before you can do anything. The steam guard, password security level etc will not matter as it can all be reset/removed only by using the email address. Your mobile steam guard, if running, will just silently be disconnected and so will any mobile phone number.

I have a friend who lost skins that were worth about 3000$ this way. The email he had was a hotmail one and it got compromised although all security measures were taken. He only got an SMS saying account security info was changed but no way to cancel it. It is unknown how the original password leaked, but Microsoft is not responsive in their support so while he tried to get his mail back (he did not think about the steam account and others at that moment) someone sold all his inventory in one day. He has still not been able to un-hijack that hotmail account.

He also got some other services linked to the hotmail address like Netflix stolen in the process btw but Netflix refunded him. This is actually how he noticed it in the first place as Netflix started to draw money from his Amex card on a reactivated Netflix account.

Refunds will not happen with any skins lost at steam as they are now owned by someone else and the money is in the hands of a dishonest lowlife somewhere. These skins of course could be recreated by Valve etc and given to him again, but that will not happen either.

The only upside is that he could quickly (once he realised the steam account had been compromised) get the steam account back (with all the games, but no skins) by following a reset procedure where he could prove identity.
You are correct, Steam is not a bank. However, Steam by themselves can't really stop people from cheating/hacking/stealing or whatever else there is. Steam is only required to handle transactions when you buy or sell something. If you want to trade skins from a game with a friend and something goes wrong, don't just blame Steam. Steam can only do so much. Yes, their system isn't perfect and it never will be but that's just how it is sometimes. All Steam can do is give you the money you lost back. However, don't quote me on that. I'm not even sure if they can do that much. This is the internet where basically everyone is autonomous and tracking is hard unless you know how to. But even then they can't promise they'll get you your stuff back. Sometimes people cheat and win, it's just how life is sometimes. I'm sorry you got scammed but don't feel too bad. This happens to a lot of people. I understand your frustration of losing out on money and/or a skin that you worked hard to get but life is just unfair sometimes. The best thing you can do is report to Steam and ask them to look into it. Again, can't promise it'll work but that's really your only option if you want to get it back. I know this isn't THAT helpful but hopefully I gave you some good advice.
-=<yb4f310 Feb 17, 2024 @ 2:56pm 
Originally posted by Crazy Tiger:
So your friend gets their email hijacked, but somehow the security on Steam is a hoax? Sure, very logical.

The problem is the user, as you showcased.
wow - steam network is hacked - cs2 is hacked - your workstation is hacked - thank you STEAM - steam is not a hoax - its a damn in your face VERY real insecure network based on every M$ vulnerability known to man, dog and inhuman
Nx Machina Feb 17, 2024 @ 8:13pm 
Originally posted by Golden Unicorn:
in all honesty, the mobile steam guard is why your account got compromised, it is not secure, do not engage with any trading using the mobile app, this known issue has been going on since before 2019

If as you state it is not secure then explain how I have never lost access to my account.

Date Posted: Feb 17, 2024 @ 12:54pm
Posts: 39