All steam can see is accounts trading items between each other and steam stepping in to do anything would create serious issues for people to abuse it even more if they did this.

Plus this would be a very large cost to investigate every time it "happens" and steam is a free to use piece of software and spending money on something like this would not be profitable for them.

Securing your account is simple to do as they provide everything you need to do that.

Chompman původně napsal:

Can anyone explain to me why are they not doing this as a standard now?

Because they want to avoid the attitude of "I don't need to be careful because Valve will just gimme my stuff back anyway."

HCMS původně napsal:

With addition of 7 day trade ban for csgo items, it creates enough time for Valve to acquire enought evidence of scam and give back stolen items. Why they still haven't started doing this? With api scam becoming more dangerous every day I see no reason to stick to the old rules.

Can anyone explain to me why are they not doing this as a standard now?

Acquiring evidence and doing research takes time. Multiple that by hundreds or thousands of tickets a day. Kinda seems like you'd have to have a significant staff of dedicated investigators to handle it. Well they want to be paid. So sounds like that would cost a lot. Does Valve want to foot that bill so users are free to be reckless and careless? History shows that they probably don't.

FFL2and3rocks původně napsal:

Chompman původně napsal:

Can anyone explain to me why are they not doing this as a standard now?

Because they want to avoid the attitude of "I don't need to be careful because Valve will just gimme my stuff back anyway."

This. They did restore items and people just took that as a sign to make even more dumb and risky trades or not being careful securing their account because, hey, if something happens, Steam just gives the items back, so no big deal.

After they introduced the "no restore under any circumstances" policy the amount of support requests because of scammed items did go down nearly 80% in a few months.
Because most people now actually are careful about what they click or agree to.

Does not stop everyone from being greedy and dumb but a lot.

HCMS původně napsal:

Steam support should start returning items.

Back in the old days Steam Support used to return items that were scammed. That created the problem of duping. They couldn't remove the items from where they ended up, because they could have been legally bought by unaware user. Thus, Support just copied the item and placed in an inventory of a scammed user. People started abusing the support and duped a lot of expensive items.

With addition of 7 day trade ban for csgo items, it creates enough time for Valve to acquire enought evidence of scam and give back stolen items. Why they still haven't started doing this? With api scam becoming more dangerous every day I see no reason to stick to the old rules.

Can anyone explain to me why are they not doing this as a standard now?

Tell that to the many people that abused Valve's generosity by duplicating items. Groups of people faked getting scammed and went to support to get free item duplicates.

They used to duplicate them but left the originals in the scammers account, locked forever. Never actually returning items.

This is also why we have the stupid, "I accidentally reported you for duped items" scam going around for years.

I still know of accounts that that duped over 50 AWP Dragonlores.

You can read and watch a bit more here...

https://www.reddit.com/r/GlobalOffensiveTrade/comments/409a82/discussion_most_duped_awp_dragon_lore_fn_59/

https://m.youtube.com/watch?v=dr5jJYlwjrA

It's not so dumb.

nullable původně napsal:

Acquiring evidence and doing research takes time.

You know, I started thinking about it because of API scam specifically. It legit takes a second for steam support to verify if you just made a deal with someone that changed his nickname or profile pic a second before. That would prevent like 75% of scams.

There is for sure an issue with steam security. You can clearly see all trade offers on desktop steam, but when you have to confirm it on your phone its where it gets scammy. Steam mobile app is buggy, the notifications are delayed and you can't display all trades on phone. Also, for some reason you can confirm the trade with just a phone but you need 2 factor confirmation when confirming from PC. That is inconvenient. Why not make it double verification every time, no matter the order?

I myself did not get scammed. But thousads of people do. Some of them lost literally life savings. It may even lead to them ending their lives. I think that small improvement of security would be very beneficial for everyone, so I just don't get it why they wouldn't do it.

HCMS původně napsal:

You know, I started thinking about it because of API scam specifically. It legit takes a second for steam support to verify if you just made a deal with someone that changed his nickname or profile pic a second before. That would prevent like 75% of scams.

What would prevent nearly 100% of those API scams would be that if an account changes their profile name and/or avatar:

1. Put a short trade hold on the account.
   
2. Any pending trades that have not been confirmed by BOTH parties are immediately canceled.

HCMS původně napsal:

nullable původně napsal:

Acquiring evidence and doing research takes time.

You know, I started thinking about it because of API scam specifically. It legit takes a second for steam support to verify if you just made a deal with someone that changed his nickname or profile pic a second before. That would prevent like 75% of scams.

There is for sure an issue with steam security. You can clearly see all trade offers on desktop steam, but when you have to confirm it on your phone its where it gets scammy. Steam mobile app is buggy, the notifications are delayed and you can't display all trades on phone. Also, for some reason you can confirm the trade with just a phone but you need 2 factor confirmation when confirming from PC. That is inconvenient. Why not make it double verification every time, no matter the order?

I myself did not get scammed. But thousads of people do. Some of them lost literally life savings. It may even lead to them ending their lives. I think that small improvement of security would be very beneficial for everyone, so I just don't get it why they wouldn't do it.

Not hard to fake a hijacking. Close Steam, Modify IP, Change name of computer load Steam. Do something, like trade, close Steam. Change everything back and then 'Recover' the non compromised account and expect items back.

Oh and if someone has their life savings in Steam Inventory they have more important things to address

JPMcMillen původně napsal:

HCMS původně napsal:

You know, I started thinking about it because of API scam specifically. It legit takes a second for steam support to verify if you just made a deal with someone that changed his nickname or profile pic a second before. That would prevent like 75% of scams.

What would prevent nearly 100% of those API scams would be that if an account changes their profile name and/or avatar:

1. Put a short trade hold on the account.
   
2. Any pending trades that have not been confirmed by BOTH parties are immediately canceled.

Any hijacker would quickly learn NOT to change those things and modify their methods going forward.

Supafly původně napsal:

JPMcMillen původně napsal:

What would prevent nearly 100% of those API scams would be that if an account changes their profile name and/or avatar:

1. Put a short trade hold on the account.
   
2. Any pending trades that have not been confirmed by BOTH parties are immediately canceled.

Any hijacker would quickly learn NOT to change those things and modify their methods going forward.

But it would eliminate trades getting rerouted to shell accounts controlled by the hijacker as they aren't going to know what account to imitate so there's no way to make the changes in advance. That's what most API trade scams do, they reroute the trade to a look-alike account and hope the victim doesn't notice the change. But if you can't change the scam account without getting a trade hold, it doesn't work really well.

Another thing would be alerting the user if a trade they just made was canceled by their account from a different device. Maybe even include a short trade cool down if this happens as well.

Sure, the scammers will certainly try new things, but Valve should really be locking down some of these easy security holes.

HCMS původně napsal:

Back in the old days Steam Support used to return items that were scammed.

This was only a one-time restoration and was because the platform didn't have the stringent security measures it does now. Any user that gets scammed now with all the security in place and with the warnings too has to accept full responsibility for their incompetence.

HCMS původně napsal:

nullable původně napsal:

Acquiring evidence and doing research takes time.

You know, I started thinking about it because of API scam specifically. It legit takes a second for steam support to verify if you just made a deal with someone that changed his nickname or profile pic a second before. That would prevent like 75% of scams.

Or how about the user adequately vets the trade confirmation screen which gives detailed info about the other account. Users blindly press confirmation and this is on top of them allowing their account or themselves to be baited into a trade.

HCMS původně napsal:

I myself did not get scammed. But thousads of people do. Some of them lost literally life savings. It may even lead to them ending their lives. I think that small improvement of security would be very beneficial for everyone, so I just don't get it why they wouldn't do it.

I have sympathy for people...but there's a certain point of cutting off. Even though I think it's unrealistic to begin with, I don't believe that most people are putting their life savings into virtual items. But if they are, they are simply asking for trouble. It's even more volatile and unreliable than crypto. One day Steam could simply decide to cut off trading, after all, and be done with these scams and money laundering altogether. It's not a stretch to even say in my opinion, since Valve disabled trading of all future keys years ago specifically because of this. Only keys from before this change can be traded now.

You will never fix the weakest security link no matter what measures, and that security link is the user.

JPMcMillen původně napsal:

Supafly původně napsal:

Any hijacker would quickly learn NOT to change those things and modify their methods going forward.

But it would eliminate trades getting rerouted to shell accounts controlled by the hijacker as they aren't going to know what account to imitate so there's no way to make the changes in advance. That's what most API trade scams do, they reroute the trade to a look-alike account and hope the victim doesn't notice the change. But if you can't change the scam account without getting a trade hold, it doesn't work really well.

Another thing would be alerting the user if a trade they just made was canceled by their account from a different device. Maybe even include a short trade cool down if this happens as well.

Sure, the scammers will certainly try new things, but Valve should really be locking down some of these easy security holes.

Ahh when you put it that way it clicked. Thanks for the clarification. Makes much more sense now than when I initially read it.

JPMcMillen původně napsal:

What would prevent nearly 100% of those API scams would be that if an account changes their profile name and/or avatar:

1. Put a short trade hold on the account.
   
2. Any pending trades that have not been confirmed by BOTH parties are immediately canceled.

This is actually brilliant. I had the same idea when creating this thread. I was kinda hoping that someone might notice our discussion and actually implement the solutions into the trading system. Sure, people still could get scammed by "Skin Bots" etc., but it would prevent any bots from impersonating your friends. And I believe that's what's the most dangerous.

HCMS původně napsal:

JPMcMillen původně napsal:

What would prevent nearly 100% of those API scams would be that if an account changes their profile name and/or avatar:

1. Put a short trade hold on the account.
   
2. Any pending trades that have not been confirmed by BOTH parties are immediately canceled.

This is actually brilliant. I had the same idea when creating this thread. I was kinda hoping that someone might notice our discussion and actually implement the solutions into the trading system. Sure, people still could get scammed by "Skin Bots" etc., but it would prevent any bots from impersonating your friends. And I believe that's what's the most dangerous.

Maybe edit the topic to include that as part of your suggestion?