Overwatch Jul 5, 2017 @ 5:28am
Your trade rules are stupid, anti-consumer, overkill, and losing you customers. + solutions
So, in addition to your silly rules that TOTALLY lock out trading and market use for a MONTH every time you RECOVER A PASSWORD, we now have to sign up for your nonsense authenticator?

TANGENT

I'm gonna be honest. The password reset thing has lost you customers. At least 3. I used to be able to just barely get my wife and brothers hyped up for your sales. I was on the way to pulling them away from consoles. They didn't log in often enough that we didn't need to reset their password, from their official email, from the same IP we always use. After missing 2 sales, I just can't get them to care anymore. About Steam and PC gaming in general. Thanks for that by the way.

END TANGENT

But on the MAIN topic. WTF guys? I log into my account every day, from the same machines, from the same IP, at the same times. Now I can't trade my OWN extra cards to other active members? I can't sell my excess cards to buy the ones I need to finish my badges?

Postings are locked out for 15 days? So, longer than the sale. Meaning these cards are just going to sit there and vanish before they get posted...

I can't even GIVE them away because I don't have (And have NO intention of using, ever) your authenticator.

You do understand there is such a thing as unreasonable security right? Security is my business. Literally. I have worked for, been contracted by, or consulted for dozens of companies and/or 3 letter agencies.

Your policies are stupid. And yes, that is my professional opinion. HOWEVER! I also know that complaints are worthless without solutions. And I have some.

I usually work on contract, but if I DO have to charge by the hour, it's usually $200 + expenses. So here is a free 20+ minutes/$70 of consulting...

Problem Statement: You need the inventories of your customers to be safe from "hackers" (Which is a stupid term, but it is shorter than "The people who guessed your overly simple password" or sometimes "That person you willingly gave your password to who you shouldn't have, and you know better"). You are doing this because you like money, and you want people to use your silly market, because it makes you money.

Considerations:
  1. "Inventory" is inaccurate. This is all virtual. You have records. You can just recreate this stuff. You can also take it away from people. If the recipients are "innocent" you can just refund them the "money" or even let them keep their item depending on the value.
  2. ALL security comes at a cost. The more you attempt to harden a system, the less usable it becomes. Balancing your security and usability is FAR more important than just cranking it up to 11.
  3. Your business model is based around instant gratification. The reason people buy games on the internet, from their house, and download them on demand, is because they want them NOW. Making people wait for weeks means they WILL forget about that thing they were excited for.

Possible Solutions:
  1. Exempt event trading cards from your trade rules. This is the simplest solution. The cards are literally going to disappear ANYWAY. People are going to lose them when the event ends. Even if someone DOES lose control of their account during a sale, they would lose almost nothing (Hell, give them a damn participation badge. Whatever. Keeping customers happy is GOOD for your business.)
  2. Keep items in escrow, or lock them out on the BUYERS end. If there is an issue, revoke the sale. See "Considerations - 1" above.
  3. Have 3 categories of items, with different restrictions. How is this one not obvious?
    1. Games (or anything worth like $5+ I guess). Losing a $50 game from your gift inventory is "bad". This is the stuff that you should be protecting with an authenticator. It may not give you the pretty metrics that your market trades for hats, weapon skins, or whatever garbage makes you money these days, but it DOES make you money. People buy things to give to other people or to trade. Buying things from you makes you money. Duh. 2 weeks? A Month? Whatever. Lock this stuff down. It doesn't disappear, and people probably don't log in after like 3 months of inactivity to give a $30 game to their friend too often.
    2. Uhh...intermediate stuff? I don't know what goes here. Weapon skins? TF2 hats? Whatever nonsense item you probably have for DotA? I have never once been interested in this junk. But it probably costs more than 5 cents each. And you seem to be modeling ALL your market policies off this category. So I can only presume it is some sort of precious metals commodity exchange or something. 7 days lock down should be PLENTY of security for this. Even that is almost certainly overkill, but whatever.
    3. ALL Trading Cards, Emotes, Wallpapers, Profile things, etc. This stuff is nearly worthless (or actually worthless). This is the "fun" stuff. This is stuff you gave people for free. You can create and destroy it as you please. Some of it is some sensitive and you ALREADY destroy. We don't NEED security on this stuff. Just send an email. If you don't get a response back in like, an hour, let the trades go through. If you get a response after? Who cares, it's a trading card, just make another one.

You are welcome.

I have no illusions that you will actually implement any of this. We all know Steam doesn't care about customers. Or that when they DO, it takes a decade to change something. But at LEAST you can no longer say that you don't have any GOOD suggestions to fix this issue.
Showing 1-15 of 16 comments
J4MESOX4D Jul 5, 2017 @ 5:31am 
Cards are valid until August. Learn how to use the authenticator and if users cannot secure their account password; then of course they will be locked out if they do a reset. Changing password does not cause any restrictions.
Satoru Jul 5, 2017 @ 5:45am 
1) there should be little need to recover a password. solve the problem of "why do you keep forgetting your password".

2) steam login data are not based on IP. If one could bypass that just by being on the same IP you could log in as anyone on NAT networks like college campuses

3) resetting your password requires little effort and doesn't take 2 weeks. Why you would "miss a sale" due to you not being able to remember a password makes no sense since apparently you reset the password fine. No "sale was missed"

4) cards are valid until August

5) no one cares who you've worked for or why. These are irrelevant and don't even make for good arguments of authority. Your "professional" opinions are full of gaping holes too. I worry about your consulting if your advice is so blatantly bad.
Overwatch Jul 5, 2017 @ 5:46am 
@J4MESOX4D
  1. If the cards don't disappear the MOMENT the sale ends, then that is something new with this sale. My cards are now all gems, so I can't check the expiration anymore, but I was pretty sure it said the 5th.
  2. It has nothing to do with understanding HOW to use the authenticator. I don't need one, so I'm not setting it up. My inventory is literally full of stuff to just GIVE away. If I make a mistake and someone gets access to my account. I lose some worthless cards, and a bunch of things that I could have given away to people. It is literally not even worth the effort to install an app on one of my phones just to be able to trade cards for a silly event. Events are SUPPOSED to pull people in. Not provide MORE restrictions than normal use.
  3. It is not unreasonable to expect a casual user to forget the password to a service they only log into once every 3 months. That is, if you are using GOOD password policies like...
    • "strong" passwords. AKA lowers/uppers/digits/symbols. (even though you can get much higher entropy by just picking 5-7 words. Which would also be easier to remember because you can just make up a story. But most services don't allow passwords long enough, or FORCE you to use numerals/symbols)
    • Not using the same password for anything else. Ever.
    • Not writing it down, or saving it. Ever.
    If you are doing these things, it is likely that you will forget a password after months of inactivity.
  4. I never claimed that changing your password locked you out. Did I?

@Satoru
  1. See above. There is PLENTY of reason for a casual user to need to reset a password they never use.
  2. I never claimed logins were based on IP. I claimed that they were yet one more factor of "me-ness" that makes my activity "normal". I'm not saying they should base any decisions purely off IP, that would be stupid. But they are certainly tracking IP, login time, time in games, page clicks, and probably dozens of other things associated with this account. If the activity doesn't change, ever, then why would security be needed? Do you need to call the bank to authorize every transaction you make with your debit card? No you don't. That would be overkill. Which is my point.
  3. Resetting your password takes very little time. But it DOES stop your account from using the market entirely, or trading anything for 30 days. This means you miss the entire EVENT. You can still buy the games. But the EVENT is designed to get people on the page multiple times per day. That is the whole point.
  4. 2 people say cards are valid until august. Fine. It was not the case in any previous event and I can't check them anymore since I turned all my spares into gems. I'll concede this point.
  5. Those are called "qualifications", and people DO care about them. They are the reason that resumes exist, and why many professionals end up having a paragraph worth of alphabet soup below their name on business cards. BUT, since you didn't bother to point out any of those "holes" you mentioned, nor did you give any alternate suggestions, I'm just going to write off your opinion about "professional opinions".
Last edited by Overwatch; Jul 5, 2017 @ 6:05am
J4MESOX4D Jul 5, 2017 @ 5:53am 
1. Nope it's August. Marked in orange on each card.
2. If you don't have an authenticator; you have to use the restricted trading practices. This is in place for users' protection. Whilst I agree it is overkill for things such as cards; this is how it's been implemented to simply cover the whole inventory and offer an extra layer of security and a recovery window for compromised accounts.
3. Account security is very basic and essential. Remembering things like passwords is a minimum requirement to maintaining them. If you don't use the service much; choose something simple and easy to remember or just write it down and keep it somewhere safe. Steam also allows for simple passwords.
Forcen Jul 5, 2017 @ 5:56am 
First of all, good job on complaining and voicing your opinions and actually expressing why and suggesting changes. This is kinda rare around these parts, kudos!

I think you missed this post where they explained why they added this new trading: http://store.steampowered.com/news/19618/

Originally posted by Overwatch:
You do understand there is such a thing as unreasonable security right? Security is my business. Literally. I have worked for, been contracted by, or consulted for dozens of companies and/or 3 letter agencies.
Security becomes Valve's business when people's disregard or inexperience creates a huge underground business for hackers and malware authors.

It's not that they were really careless to tell people their passwords, all they did was get tricked into running one file and all their ♥♥♥♥ got stolen instantly. Lots of users use other software for voice chat instead of steam because steam isn't that great at voice chat, this became a vector for tricking people to install the wrong thing.

Originally posted by Overwatch:
After missing 2 sales, I just can't get them to care anymore.
Not sure what you meant here, there are no 1 day only sales this summer. All the sales on this summer sale last the full week or so of sale time, if you saw a deal on the front page and it was replaced by some other game that doesn't mean that the deal you saw isn't available.
Maybe you meant something else?

Feels like this reaction is a bit late and if you knew this stuff beforehand and had prepared the app and didn't need to reset passwords it would not be that bad. Basically everyone who trades and markets stuff knew that this would be a thing. Sure you didn't know about the password reset but that's just bad luck combined with avoidable stuff.

It's only for password resets, so changing your password is fine. If you have been active on your account lately the restriction is only 7 days instead of 30.
https://support.steampowered.com/kb_article.php?ref=1047-EDFM-2932#reset

You have some nice ideas about letting the not so valuable stuff have less restrictions but I worry this would make them into this faster currency for other stuff or raise their prices or make people use them more. People would get more trading cards and they would be stolen in larger numbers instead and the thefts would still be 50$.
Spawn of Totoro Jul 5, 2017 @ 5:57am 
Originally posted by Overwatch:
If the cards don't disappear the MOMENT the sale ends, then that is something new with this sale. My cards are now all gems, so I can't check the expiration anymore, but I was pretty sure it said the 5th.

Yes, August 5th. You can see the same date on the cards in the market.
http://steamcommunity.com/market/listings/753/639900-Lemonade%20%28Trading%20Card%29

It has been like that with sale trading cards for a while now. The second such sale after the 15 day restriction was implemented.
Supafly Jul 5, 2017 @ 6:09am 
Originally posted by Overwatch:
You do understand there is such a thing as unreasonable security right? Security is my business. Literally. I have worked for, been contracted by, or consulted for dozens of companies and/or 3 letter agencies.

Unfortunately there are too many idiots in the world that don't safeguard their accounts, allow them to be compromised through lax security, stupidity or bad luck. That's the reason for the security. If Valve didn't increase security and your account gets accessed and items traded away you and others would whine, complain and ♥♥♥♥♥ that it's a **** company that doesn't protect its customers.

If you want to blame someone blame the idiots that leave accounts open to exploitation for weak passwords, getting viruses, sharing information and the scumbags that access other peoples accounts.

Doesn't matter how tight security is there is always the weak, Human, link. Yet without high security the human will always hold the company at fault whenever possible.
Overwatch Jul 5, 2017 @ 6:15am 
@Forcen
What I meant was, events are something that should pull people in. I was using the Steam sales, and the cards or games that came with them, to generate excitement for PC gaming in my immediate family. This worked well for the first few sale events. These are people that have no reason to log on to Steam other than events, or occasionally play a COOP game with me. I was trying to convert them. Or at the very least make PC gaming more "regular" for them.

But the moment the trade security got implemented, I lost them. A sale would start. I'd make my rounds getting everyone set up with new passwords. Then they would end up at 8/10 cards by the last day of the sale, and be unable to use the market to complete their badge (even to BUY a card with money that was freshly added to their wallet for that very purpose).

So? 3 potential customers lost. None have even logged into steam since spring of 2016.

@Supafly
I know that people do stupid things. I don't have to be OK with it, but I know that it's going to happen, and that they should have SOME sort of protection.

But protecting a $50 game and a $0.05 trading card that is going to disappear in a month with the SAME security is ludicrous. That is a difference of 3 orders of magnitude. It would be just as crazy for a store to have an armed guard in their bakery to protect a $10 box of cupcakes, that they keep behind glass, lock up in a safe at night, and insure. But those things make sense if your display case is full of $10,000 watches.
Last edited by Overwatch; Jul 5, 2017 @ 6:25am
ReBoot Jul 5, 2017 @ 6:16am 
Steam sales work just fine without trading, for getting cheap games and for generating excitement.
DocShady Jul 5, 2017 @ 6:16am 
Originally posted by Overwatch:
@J4MESOX4D
but I was pretty sure it said the 5th.

I can confirm you are wrong.
Last edited by DocShady; Jul 5, 2017 @ 6:17am
J4MESOX4D Jul 5, 2017 @ 6:20am 
Originally posted by Overwatch:
@Forcen
What I meant was, events are something that should pull people in. I was using the Steam sales, and the cards or games that came with them, to generate excitement for PC gaming in my immediate family. This worked well for the first few sale events. These are people that have no reason to log on to Steam other than events, or occasionally play a COOP game with me. I was trying to convert them. Or at the very least make PC gaming more "regular" for them.

But the moment the trade security got implemented, I lost them. A sale would start. I'd make my rounds getting everyone set up with new passwords. Then they would end up at 8/10 cards by the last day of the sale, and be unable to use the market to complete their badge (even to BUY a card with money that was freshly added to their wallet for that very purpose).

So? 3 potential customers lost. None have even logged into steam since spring of 2016.
If you had not hastily turned your cards into gems; you could have still completed the badge or sold the cards in the market regardless. These are just some virtual cards worth pennies and if it means so much to you rather than gaming on the Steam platform then perhaps this isn't the place for you.
wuddih Jul 5, 2017 @ 6:22am 
Originally posted by Overwatch:
The password reset thing has lost you customers. At least 3. I used to be able to just barely get my wife and brothers hyped up for your sales. I was on the way to pulling them away from consoles. They didn't log in often enough that we didn't need to reset their password, from their official email, from the same IP we always use. After missing 2 sales, I just can't get them to care anymore. About Steam and PC gaming in general. Thanks for that by the way.
so they are super hot for microtransactions for virtual ingame fancies on their consoles?

or you simply misunderstood all the restrictions. steam store has nothing to do with community market restrictions and you are not locked out of the store, no matter how often you forget your password.
Overwatch Jul 5, 2017 @ 6:44am 
@J4MESOX4D
I completed 2 levels of the badge. I just turned my EXTRA cards into gems, since I have nothing else to do with them, and I was under the impression that they were going to go 'poof' in a few hours like they have for the last year+.

Why does everyone keep pointing out that the store != market. Yes. I know. That is why I KEEP using the word "event". Yes. you can still buy games at reduced prices if you had to recover your password. No, you cannot use the market after doing so. No you are unlikely to be able to complete a badge if you cannot use the market. No badge = no payoff for the event = not participating in the event.

Sale != Event

I'm a PC gamer. I've been using Steam since it started. If I didn't like the core features, I wouldn't be here. But that doesn't mean it is without faults.

I love gaming, and I love to introduce my hobby to others. Especially if I care about those people. But that becomes incredibly difficult to do, when the services I use implement policies that make it so inconvenient for casual users that the hobby ceases to be fun.

This rant turned into a real post about security suggestions, which then ended up becoming...whatever this is. It's clear that I'm not adding anything new at this point. So I'm going to stop posting/responding. I'm just going to finish buying my sale games, and get back to working on...whatever it was I was working on a few hours(?!) ago.

Hopefully in the future, Steam can find a level of protection that is adequate to protect its "core" users, yet is not so restrictive that casual users get inconvenienced away. That would be genuinely good for everyone.

Overwatch, signing off...

EDIT: Also, I love how so many people's solution to not resetting a password is to write it down. It's people like you that make the physical portion of a security audit so easy. Only once in recent years have I had to spend more than 10 minutes in an office dressed as a delivery/cleaning guy before I had a handful of passwords to use.

This is exactly my point. If a policy is so restrictive that people feel the correct thing to do is just to break it, just so they can use a service, then it is too restrictive.
Last edited by Overwatch; Jul 5, 2017 @ 7:14am
ReBoot Jul 5, 2017 @ 6:58am 
What about NOT resetting the passwords, by the way? Just write them down. On paper.
As for "gaming", do you know what it means? Because all this security is irrelevant for playing games, which "gaming" means. Just have your folks play the games, that's what "gaming" means.
Ogami Jul 5, 2017 @ 7:01am 
Originally posted by ReBoot:
What about NOT resetting the passwords, by the way? Just write them down. On paper.
As for "gaming", do you know what it means? Because all this security is irrelevant for playing games, which "gaming" means. Just have your folks play the games, that's what "gaming" means.

This. Honestly I never reset my password in the nearly 6 years I am on Steam. Not once.
I also keep a list with all my different online passwords in my desktop drawer. I have like 30 different logins since I don't use the same for more than one site.

Date Posted: Jul 5, 2017 @ 5:28am
Posts: 16