This discussion has been locked.
FlameMaster Jun 23, 2023 @ 10:33pm
STEAM GUARD IS USELESS (A CYBERSECURITY ISSUE)
Hello everyone, I suggest the whole community to be CAREFUL with Steam Guard, and I suggest the VALVE team to pay attention to what happened:
1) Today I have noticed that a large part of my inventory disappeared, and doing the search I found that it was through exchanges with a dozen users over 3 days, therefore I was scammed.
2) The problem is that I have Steam Guard activated, which is supposed to be a cybersecurity measure to prevent these cases and it has literally been useless, since the cybercriminal was able to make the exchanges without much verification.
3) The most worrying thing is that if I was scammed, this is achieved by accessing my computer or my cell phone, which in this case would have happened, however I did not receive any alert or notification about it (not even in my email which I check constantly).
4) As a user, I consider this to be extremely serious, since any platform minimally informs you of any unusual access and/or activity, which is unacceptable on a platform like STEAM.
I doubt that Valve preliminarily recognizes any responsibility, however as a lawyer, I know that any platform enters its terms and conditions, as well as warning that as users we are responsible for taking care of our accounts, they also commit to implement functional security measures.
Showing 16-30 of 38 comments
Muppet among Puppets Jun 24, 2023 @ 10:34am
Lately blizzard got the bright idea to make their old (good example of how to) 2 factor a one factor thing like steam did. At least you can log out of the blizzard app, which (no joke) presented it as a feature that you can
"secure your account with a second factor and also maintain your account settings
IN ONE PLACE"....... what?
These are things i speak about. There are many extra features, layers, but in the end it is contrary to the actual point that is aimed at.

2fa is fine.
Features (or impressions they create) that contradict the purpose and can be used by scammers, and are used,
are not.
Dr.Shadowds 🐉 Jun 24, 2023 @ 10:53am
Originally posted by Muppet among Puppets:
Lately blizzard got the bright idea to make their old (good example of how to) 2 factor a one factor thing like steam did. At least you can log out of the blizzard app, which (no joke) presented it as a feature that you can
"secure your account with a second factor and also maintain your account settings
IN ONE PLACE"....... what?
These are things i speak about. There are many extra features, layers, but in the end it is contrary to the actual point that is aimed at.

2fa is fine.
Features (or impressions they create) that contradict the purpose and can be used by scammers, and are used,
are not.
There no way to stop end user from falling for scams, unless they do the following.
- Educate themselves <--- We both know that not likely to happen really, unless they're willing to learn, or want to make effort on that.

- Stop being gullible <--- We both know that not gonna happen until they learn.

- Corporations take complete control over all your devices, accounts you made, and monitor you 24/7 so can't do anything something silly, and someone else do the thinking for you. <--- We both know that not even reasonable, nor practical in any sense of this so this isn't gonna happen at all.
Last edited by Dr.Shadowds 🐉; Jun 24, 2023 @ 10:54am
Muppet among Puppets Jun 24, 2023 @ 11:02am
Originally posted by Dr.Shadowds 🐉:
Originally posted by Muppet among Puppets:
Lately blizzard got the bright idea to make their old (good example of how to) 2 factor a one factor thing like steam did. At least you can log out of the blizzard app, which (no joke) presented it as a feature that you can
"secure your account with a second factor and also maintain your account settings
IN ONE PLACE"....... what?
These are things i speak about. There are many extra features, layers, but in the end it is contrary to the actual point that is aimed at.

2fa is fine.
Features (or impressions they create) that contradict the purpose and can be used by scammers, and are used,
are not.
There no way to stop end user from falling for scams, unless they do the following.
- Educate themselves <--- We both know that not likely to happen really, unless they're willing to learn, or want to make effort on that.

- Stop being gullible <--- We both know that not gonna happen until they learn.

- Corporations take complete control over all your devices, accounts you made, and monitor you 24/7 so can't do anything something silly, and someone else do the thinking for you. <--- We both know that not even reasonable, nor practical in any sense of this so this isn't gonna happen at all.
1) Make api key creation 2fa requiring by email, with explanation text "was it you?", "what is it?",
or at least place a warning "your trade got cancelled, if this wasn't you, your account is hijacked, do not proceed".
2) Make item sales and buys 2fa (at least optional)

Scam steps would need to become ridiculous again. No one would have a negative impact, apart from scammers.
Last edited by Muppet among Puppets; Jun 24, 2023 @ 11:04am
Slav Mcgopnik Jun 24, 2023 @ 11:18am
Originally posted by Muppet among Puppets:
Originally posted by Dr.Shadowds 🐉:
There no way to stop end user from falling for scams, unless they do the following.
- Educate themselves <--- We both know that not likely to happen really, unless they're willing to learn, or want to make effort on that.

- Stop being gullible <--- We both know that not gonna happen until they learn.

- Corporations take complete control over all your devices, accounts you made, and monitor you 24/7 so can't do anything something silly, and someone else do the thinking for you. <--- We both know that not even reasonable, nor practical in any sense of this so this isn't gonna happen at all.
1) Make api key creation 2fa requiring by email, with explanation text "was it you?", "what is it?",
or at least place a warning "your trade got cancelled, if this wasn't you, your account is hijacked, do not proceed".
2) Make item sales and buys 2fa (at least optional)

Scam steps would need to become ridiculous again. No one would have a negative impact, apart from scammers.
The former doesn’t matter, because most of the false API keys come from shady case sites or suspicious pro sites where the user is there under false pretenses and willingly gives away account info. Scammers are not brute forcing API keys, greedy/clueless users allow them to set them up.

The second is already in place, market transactions over 1 dollar require confirmation from the app, and it used to be all purchases but people whined about it being “inconvenient” so the minimum was set to a dollar.

It’s not hard to keep your account secure, and valve can’t prevent people from being morons and giving away details.
Crazy Tiger Jun 24, 2023 @ 11:27am
People focus too much on bandaid "solutions" and too little on the actual problem --> people giving away their login credentials.
Muppet among Puppets Jun 24, 2023 @ 11:44am
Originally posted by Slav Mcgopnik:
Originally posted by Muppet among Puppets:
1) Make api key creation 2fa requiring by email, with explanation text "was it you?", "what is it?",
or at least place a warning "your trade got cancelled, if this wasn't you, your account is hijacked, do not proceed".
2) Make item sales and buys 2fa (at least optional)

Scam steps would need to become ridiculous again. No one would have a negative impact, apart from scammers.
The former doesn’t matter, because most of the false API keys come from shady case sites or suspicious pro sites where the user is there under false pretenses and willingly gives away account info. Scammers are not brute forcing API keys, greedy/clueless users allow them to set them up.

The second is already in place, market transactions over 1 dollar require confirmation from the app, and it used to be all purchases but people whined about it being “inconvenient” so the minimum was set to a dollar.

It’s not hard to keep your account secure, and valve can’t prevent people from being morons and giving away details.
Api keys have to be set up in the client. Scammers set them up when they are in.
There is no reason why they should be able to, behind the user's back.


Originally posted by Crazy Tiger:
People focus too much on bandaid "solutions" and too little on the actual problem --> people giving away their login credentials.
Then 2fa login is enough. What is the rest for?
Dr.Shadowds 🐉 Jun 24, 2023 @ 11:48am
Originally posted by Muppet among Puppets:
Originally posted by Dr.Shadowds 🐉:
There no way to stop end user from falling for scams, unless they do the following.
- Educate themselves <--- We both know that not likely to happen really, unless they're willing to learn, or want to make effort on that.

- Stop being gullible <--- We both know that not gonna happen until they learn.

- Corporations take complete control over all your devices, accounts you made, and monitor you 24/7 so can't do anything something silly, and someone else do the thinking for you. <--- We both know that not even reasonable, nor practical in any sense of this so this isn't gonna happen at all.
1) Make api key creation 2fa requiring by email, with explanation text "was it you?", "what is it?",
or at least place a warning "your trade got cancelled, if this wasn't you, your account is hijacked, do not proceed".
2) Make item sales and buys 2fa (at least optional)

Scam steps would need to become ridiculous again. No one would have a negative impact, apart from scammers.
1. You do get email for when someone try to login. That the whole point of email 2FA is that it sends you code. For mobile app you get a notice for login, and for trade you get notice as well on that via your app. Users are still gonna fall for scam either way when the problem still gonna remain regardless. Hence end user ignore, not paying attention, or just gullible.

2. You do get email notice when items are sold, and if try to sell items above certain point of value it asks you to confirm sell item that bypass trade hold, but the problem remains either way as long the end user give scammer access, and them putting items on market for sale, or trade, and let trade/market hold time lap to approve after X amount of days. So either way the problem is if end user didn't grant them permission to account in the 1st place, they wouldn't be able to do any of it to begin with, and that is the point is to stop root, not after root problem.

Originally posted by Crazy Tiger:
People focus too much on bandaid "solutions" and too little on the actual problem --> people giving away their login credentials.
^This. Root of problem user giving account away, that problem need to be solved and not easy to solve either since there no simple answer to prevent it from ever happening to anyone, all can do is educate people, or spread info to others how things happen, but that can only so much due to end user still the root problem that been giving away account either way at end of the day they have to learn one way, or another.
Muppet among Puppets Jun 24, 2023 @ 11:50am
Is the api key a problem, as is, by what we see?
Is selling items cheap to go around the system a problem?
Last edited by Muppet among Puppets; Jun 24, 2023 @ 11:51am
Dr.Shadowds 🐉 Jun 24, 2023 @ 11:58am
Originally posted by Muppet among Puppets:
Is the api key a problem, as is, by what we see?
Is selling items cheap to go around the system a problem?
We can do this spamming your screen, your inbox, and all that scream at you SCAM SCAM STOP DOING IT SCAM!!!!!
https://www.youtube.com/watch?v=I6JpedHk-T4

But if the end user still goes out of their way to getting themselves scam, HOW DO YOU PREVENT IT? That what you should be asking yourself, because you just keep looping back over, and over to same answers.

The item to sell cheap was because all the whine cry babies wanting to sell their trading cards, and items for cheap quick, because they hated the confirm option. Steam used to make it mandatory you had to confirm all listing no matter how cheap, that was changed to met with the whiners.
https://steamcommunity.com/groups/community_market/announcements/detail/1705067494681435160

API key is a problem for trading, since it allow them to cancel a trade, and restart a trade with all your items to send to another account that happen to copy the name, and profile image for the cancel trade. The API meant for those that want to do things with their account, and not limited to just game devs, and whatever, but it still falls under the end user to using it, or not, hence why it's still a option as you don't know whom gonna wanna use it, or not.
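Detection logic for the trade swap described in the post above, as an added example that is not part of the thread and not Steam's own code: it flags an offer that was cancelled and then re-created, within a short window, to a different account ID carrying the same display name. The `Offer` record, its field names, the sample events and the 600-second window are all assumptions made for illustration.

```python
import unicodedata
from dataclasses import dataclass

@dataclass(frozen=True)
class Offer:
    # Hypothetical record; field names are not Steam's API schema.
    offer_id: str
    partner_id: str     # stable account ID of the other party
    partner_name: str   # display name: freely changeable, not unique
    items: frozenset    # items leaving the user's inventory
    state: str          # "active" or "cancelled"
    ts: int             # time of the last state change, in seconds

def norm(name):
    """Fold case and Unicode compatibility forms so copied names compare equal."""
    return unicodedata.normalize("NFKC", name).casefold().strip()

def find_swapped_offers(offers, window=600):
    """Return (cancelled_id, replacement_id) pairs where the replacement goes to a
    different account ID that reuses the cancelled partner's display name."""
    alerts = []
    cancelled = [o for o in offers if o.state == "cancelled"]
    for new in offers:
        if new.state != "active":
            continue
        for old in cancelled:
            if (0 <= new.ts - old.ts <= window                 # re-created soon after cancel
                    and new.partner_id != old.partner_id       # different account
                    and norm(new.partner_name) == norm(old.partner_name)  # same-looking name
                    and new.items & old.items):                # overlapping items
                alerts.append((old.offer_id, new.offer_id))
    return alerts

# Constructed sample events (not real data).
OFFERS = [
    Offer("o1", "A100", "TradeFriend", frozenset({"knife", "gloves"}), "cancelled", 1000),
    Offer("o2", "B200", "TradeFriend", frozenset({"knife", "gloves", "case"}), "active", 1030),
    Offer("o3", "A100", "TradeFriend", frozenset({"sticker"}), "active", 5000),  # same account
    Offer("o4", "C300", "Other", frozenset({"knife"}), "active", 1040),          # other name
]

if __name__ == "__main__":
    for old_id, new_id in find_swapped_offers(OFFERS):
        print(f"offer {old_id} cancelled, then {new_id} sent to a look-alike account")
```

The comparison keys on the account ID because the display name and profile image are exactly what the impostor account copies.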
Slav Mcgopnik Jun 24, 2023 @ 11:59am
Originally posted by Muppet among Puppets:
Is the api key a problem, as is, by what we see?
Is selling items cheap to go around the system a problem?
You won’t ever deal with either of these issues if you don’t give away your login details.

Scammers already trick people around the existing safeguards, they did it before they were added, and new ones will just lead to the scammers adapting to them as well. The extra confirmation email for API keys won’t help a user who is convinced it’s part of setting up for a case or trade site.

There’s endless warnings about how to never give away account details, never talk to people claiming to be Valve employees, never trade items to a “friend” when being told you’re being “reported”, and people still do it anyway.

The system is as close as it can get to idiot proof and people still get conned the same ways as always.

And if they do try to idiot proof the system, they get backlash for it being “inconvenient”, which I know inevitably would flood this forum if they locked the market down the way they did before.

The ultimate point is, you can easily keep your account safe with some responsibility, and you can’t save everyone, because some people will ignore every warning and fall for the most basic tricks.
Last edited by Slav Mcgopnik; Jun 24, 2023 @ 12:00pm
Muppet among Puppets Jun 24, 2023 @ 12:15pm
Information can help more than features then. That's my conclusion.
Dr.Shadowds 🐉 Jun 24, 2023 @ 12:18pm
Originally posted by Muppet among Puppets:
Information can help more than features then. That's my conclusion.
We just loop back to this.
https://steamcommunity.com/discussions/forum/1/3811782223875078328/?tscn=1687634120#c3811782223876962856
Muppet among Puppets Jun 24, 2023 @ 1:16pm
Originally posted by Dr.Shadowds 🐉:
Originally posted by Muppet among Puppets:
Information can help more than features then. That's my conclusion.
We just loop back to this.
https://steamcommunity.com/discussions/forum/1/3811782223875078328/?tscn=1687634120#c3811782223876962856
Yes, and also we see that there is not much difference between just 2fa, and the stuff we got alongside it. It's just....... there.
J4MESOX4D Jun 25, 2023 @ 1:21am
I've always said that major account changes like the creation of an API key should go through the authenticator to confirm - it would make greater use of mobile guard and provide a crucial extra security layer that could contain a further warning that if the user didn't request such a change, their account might be compromised.

However, if they fall for basic entry bait such on the likes of Discord, I'm not sure any extended measures will help or be paid much attention to. Once victims are hooked into panic then they do silly things like avoid reading and applying common sense.

I do believe Valve should add extra functionality to the wasted and rather outdated mobile authenticator framework even if it may not be enough. It would certainly reduce the more complex API-oriented scams by a small margin at least and it would further demonstrate Valve doing more than writing a few articles that people only see when it's too late and that's largely down to the community assisting scam victims.
Supafly Jun 25, 2023 @ 3:33am
Users are ignoring all the warnings
Users are NOT educating themselves on Basic internet security
Users are NOT educating themselves on What Steam Guard does and how it makes an account more secure. More importantly it is NOT a Magical make an account immune to compromise if not keep it secure
Users not learning that if they intend to use third party sites they can do so SAFELY if they

1. Open Web browser
2. Login on Steams Official page
3. Visit Third party site
4. Look for and use the one click login button
5. If 4 doesn't work and you're asked for your username, password and Guard code you're on a phishing site. LEAVE and DO NOT use again

If you add email, notification or whatever else when an API key is created Sites will just add something like
'To make full use of this site an Api key will be created for your account. You'll have an Email informing you about its creation shortly'

Any added security/notifications will be overcome by scammers informing users about the notification and convincing users that it's all good. As for security they'll just update their sites to ask for the new passcode or whatever.

Bottom line is the issue is NOT the system at fault it's that the PEBKAC aka Users.

No amount of telling my younger brother to use different passwords for different accounts and not use easily guessed passwords. Wasn't till 1 account got compromised and he'd used the same username and password on at least another 3 accounts. Some people just refuse to listen till it's too late
Date Posted: Jun 23, 2023 @ 10:33pm
Posts: 38