Account hacked with mobile authenticator
Hello, my account has been hacked today.
I have no idea how they did it, but here's everything I know:
Today at 18:18 I got an SMS to my phone saying "Steam support has removed this number from the account (my name). Contact us if you didn't request this."
So what I'm guessing is that these people somehow wrote to Steam support and asked to reset the phone number of my account so they could have access to it.
First of all, I know what these people tried to do with my account: they tried to steal items from my inventory, because I got a trade offer from this guy: http://steamcommunity.com/profiles/76561198058914417/
and in my friends list I also saw this guy, either the same one or his accomplice:
http://steamcommunity.com/id/YaboiCheesie/
All of my other friends have been removed from my friends list.
My email was changed and my profile name was changed to Ducky.
I really need help and someone to contact so I can make sure this won't happen again.
How do I directly contact Steam support?
Originally posted by NeXuS23:
- Email two-factors aren't safe anyway, especially if the email transfer isn't encrypted
- SMS two-factors aren't safe anymore
- Common mobile authenticators aren't safe anymore

That's why, as an example, my bank dropped both SMS two-factor and common mobile authenticators completely. They now use VR-SecureSign, where everything is encrypted and it only works if the user actively uses the camera on the mobile to scan a special matrix on screen, provided by the bank site itself, to actually get the code for the two-factor.

The main reason is that things have changed and it's apparently possible to steal normal two-factor codes sent via SMS and also possible to hack common mobile authenticators. It's also not known how safe the Steam Mobile Authenticator is and whether the app has been hardened or not.

An alternative for Steam would be to support FIDO U2F; it's what I use for various online services now for two-factor. It's way more secure and absolutely impossible to hack. They must physically steal the FIDO U2F dongle and also know the whole login info, and because the user must physically touch the dongle to actually initiate the authentication, even trojans are useless.
While I agree that a 2-factor product that knows password AND code isn't actually a 2-way factor,
what makes a hacker able to circumvent
a) SMS on an old phone
b) SMS in general
c) the app
more likely than it was in the past?
Last edited by Muppet among Puppets; 15 Jul 2017, 22:29
Originally posted by Muppet among Puppets:
Originally posted by NeXuS23:
- Email two-factors aren't safe anyway, especially if the email transfer isn't encrypted
- SMS two-factors aren't safe anymore
- Common mobile authenticators aren't safe anymore

That's why, as an example, my bank dropped both SMS two-factor and common mobile authenticators completely. They now use VR-SecureSign, where everything is encrypted and it only works if the user actively uses the camera on the mobile to scan a special matrix on screen, provided by the bank site itself, to actually get the code for the two-factor.

The main reason is that things have changed and it's apparently possible to steal normal two-factor codes sent via SMS and also possible to hack common mobile authenticators. It's also not known how safe the Steam Mobile Authenticator is and whether the app has been hardened or not.

An alternative for Steam would be to support FIDO U2F; it's what I use for various online services now for two-factor. It's way more secure and absolutely impossible to hack. They must physically steal the FIDO U2F dongle and also know the whole login info, and because the user must physically touch the dongle to actually initiate the authentication, even trojans are useless.
While I agree that a 2-factor product that knows password AND code isn't actually a 2-way factor,
what makes a hacker able to circumvent
a) SMS on an old phone
b) SMS in general
c) the app
more likely than it was in the past?

a),b) Attackers can con a mobile network operator into redirecting the SMS to their phone.
a),b) Attackers can easily exploit SS7 to spoof phone numbers, intercepting calls or SMS.
a),b) There are also numerous malicious apps that capture the SMS codes sent.
a),b) SMS could be delivered through a VoIP network rather than a mobile carrier.
a),b) NIST recommends not using SMS anymore for 2FA in DAG800-63B.

c) 2FA apps need to be hardened against hackers and malicious apps.
c) 2FA apps should never ever have the whole login info like Steam's does.
c) 2FA apps should also have physical presence proof (on-screen matrix, offline button, etc.).

The new recommendations are:

- Hardware dongles based on the U2F standard from the FIDO Alliance
- Hardware tokens that generate time-based codes (keyfobs)
- Apps that generate time-based codes, such as the Google Authenticator app
- Systems that use encrypted push notifications to phones (not identified by mobile number)

For the last two, the apps need to be hardened, all communication fully encrypted, not rely on any mobile numbers, provide no login information to a potential attacker, and if possible use some sort of physical presence proof, like an on-screen matrix that needs to be scanned with the camera by the user, or similar.
Anyway, they told you what to do: "Steam support has removed this number from the account (my name). Contact us if you didn't request this."
Just contact them and give them all the info (about the trades too).

And in the posts here, delete all the people's names and links to profiles, because naming and shaming is against the rules.

If you think a device is no longer safe (PC, mobile or whatever), just make a clean install of the OS or reset the mobile to default. I hope you can get the account back.
Last edited by ~Black Cat~ [EH]; 16 Jul 2017, 6:43
Have you been asked to input an SMS code when logging in lately?
Contact support.
:steamfacepalm:
Originally posted by NeXuS23:
Originally posted by Muppet among Puppets:
While I agree that a 2-factor product that knows password AND code isn't actually a 2-way factor,
what makes a hacker able to circumvent
a) SMS on an old phone
b) SMS in general
c) the app
more likely than it was in the past?

a),b) Attackers can con a mobile network operator into redirecting the SMS to their phone.
a),b) Attackers can easily exploit SS7 to spoof phone numbers, intercepting calls or SMS.
Most of the other points were about malicious programs, just like what you want to avoid on the computer. Which makes the Steam app a little just the same as "all security on one device".

But these points, are you sure it's still the case? I thought by now SIM cards are more protected. And only one card can be running at a time.
Does the attacker need local transmission presence near your phone to intercept? Do the providers not raise a red flag any time the same "user" is active in two cells?
Date posted: 15 Jul 2017, 17:29
Posts: 21