When you give away the key, then you are at fault, not the security company.
Then you have to guess the alphanumeric 2FA that changes to a randomly generated code every 30 seconds.
The chance of someone guessing or even trying to brute force it is impossible.
The only way someone can get into your account is because YOU gave them access.
Somewhere along the lines you either gave away your credentials to a phishing site or they were captured with targeting malware and the latter also includes material that can capture persistent login sessions whereby the token can be duplicated.
2FA as a concept on any site does not exist as a magical shield - it merely offers an extra independent layer of security.
- Today at 12:46 I've gotten a push notification from my Steam Guard App on Android phone, that someone from Poland or somewhere [most likely VPN] is trying to log in
- I opened the App, looked at it, and after a few seconds, I didn't allow it, nor disable it, I was logged out of my Steam Guard App. I didn't log out from the App. I didn't literally do anything. It was in seconds
- After, still at 12:46 to 12:47, I received three e-mails at once, almost instantly:
1st e-mail: Dear uplink_svk
The Steam Guard Mobile Authenticator has been removed from your Steam account.
If you did not perform this action, please follow the link below to lock your account and submit a request for assistance.
Lock my account
2nd e-mail:
"Hello uplink_svk
A phone number (ending in 65) has been removed from your account.
If you did not do this, your account may have been compromised. Please change your password immediately, or contact Steam Support."
3rd e-mail:
"Dear uplink_svk,
The email address associated with your Steam account has been successfully changed.
We are sending this notice to ensure the privacy and security of your Steam account. If you authorized this change, no further action is necessary.
If you did not authorize this change made from the computer located at 179.6.26.78 (PE), then please change your Steam password, and consider changing your email password as well to ensure your account security."
This all happened under 60 seconds. What are You talking about? The MFA/2FA was supposed to stop the guy or bot entering my account. He/it was not supposed to log in without my approval of the push notification from the Steam Guard App. I never approved of the login from notification, never. This happened under 60 seconds, do You understand? Four things. Bot/guy entering my password, bypassing and ignoring my 2FA/MFA completely, logging me out of my Steam Guard App approximately at the same time as he was logging to my account, removing my GSM phone number shortly after, changing my e-mail right after, bam, end of story for me and my account.
There was no process that lasted minutes, hours, or even days.
Do You understand my issue now?
As You can see in a screenshot, it literally happened nearly instantly.
https://imgur.com/a/pFdsrfL
After I clicked the:
"If you are unable to access your account then you may use this account specific recovery link for assistance recovering or self-locking your account."
I clicked the "Specific recovery link." It said it was expired. At the time I clicked it.
After that all I could do was lock my account which I did.
Log into my account then if it's so easy, go on. If 2FA can be beaten without giving away your code, do it, show us.
Someone could get my password, sure, I might have had it leaked in the past. Username isn't that hard either, MFA/2FA? How?
So I confirmed the login? Is that what You're saying? Why would I confirm login from Poland, when I'm in Slovakia? This makes no sense.
And here we are. MFA/2FA is supposed to protect Your account, and when You don't confirm "it's You", it's not supposed to let You in. But here we are, attacker got in, and attacker changed things, that aren't supposed to be easy to change by a bot in under a minute. Yet it happened again.
Steam as a platform is running on an archaic system regarding everything. This is just another thing that bubbled over. Just look at the design of the client and forums, it looks like early 2000s designs. And MFA/2FA is obviously flawed.
Whole point of MFA/2FA is, that when I as the only owner and an only guy with activated device for Steam Guard don't give my say so, nothing happens on my account. Boy, do I have some news for You. It's not how it works. You can repeat Your blind faith creed in Steam how many times You want, it won't change the facts. Steam user protection is weak, has holes in it and vulnerabilities, otherwise, this wouldn't happen.
I've had some attacks on my MS account in the past. Attacker/bot never got past my 2FA/MFA, never. Also I didn't know about 90% of the attacks, because 2FA/MFA didn't bother to activate, when the login was from a different country than my home country.
Steam should work the same. I live in Slovakia. I have my steam account for 23 years now. And I've never logged in from a different country. And now, I had two logins in one day from two different countries.
Why did the Steam system allow it in? Why didn't it want extra confirmation, whether it's me?
When my Credit Card was abused, bank called me at 3am and asked me, whether I'm in Philippines or somewhere and blocked the card immediately, when I said I wasn't.
Steam is leaky and unreliable and this is just another proof. MFA/2FA should be bulletproof. And You can even make it bulletproof, it's easy. Combine GeoIP/specific IP and 2FA/MFA and voila, no one can get in Your account.
I have like dozens of authentications from my static IP in my Steam log. And suddenly there was one or two from completely different country and IP. This is child's mistake on the side of Steam, to let someone from abroad do such operations. Total nonsense.
There are many ways that scammers can steal your 2FA.
But they cannot brute force it.
The alphanumeric code changes every 30 seconds to another randomly generated code, you cannot predict that or hack it.
The only way someone gets into your account is because YOU gave them the keys to enter.
So what? I made this whole thing up? I created false screenshots and made it up or why do I even bother writing all of these? Try to think at least on a level of pre-high-schooler, I'm here because my account has been stolen through all the possible protections. It means yes, someone might've obtained my user name and password, sure, but there's no way attacker should've gotten through MFA/2FA. It's the whole purpose of existence of MFA/2FA. It's supposed to be binary. You either let someone in or not. Nothing in between.
I've had exactly one device activated for Steam Guard. My phone, my Android phone, that's that. And I've gotten a push notification. And I didn't do anything. And after a few seconds my App was logged out, without me doing anything.
Btw. I scanned my phone with Eset Endpoint Security, it's enterprise level AVS solution. Guess what. Zero malware detected.
https://www.youtube.com/watch?v=UhANsAtvLN0
Because if 2FA/MFA can be spoofed, well, then it's useless, that's all. If it can be bypassed, it's useless. Someone had to be on my phone, remotely, or hijack data stream from server to my App and decrypt the data stream to obtain it. It's literally impossible.
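
The suggestion made earlier in the thread, combining login location history with 2FA, sketched as a risk check over an account event log. This is an added example, not part of any post and not Steam's actual logic; the event names, the 60-second window and the sample log (constructed, modelled on the timeline described in the thread) are assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical event types for security-sensitive account changes.
SENSITIVE = {"authenticator_removed", "phone_removed", "email_changed"}
WINDOW = timedelta(seconds=60)  # assumed burst window


def review(events, known_countries):
    """Return (event_type, reasons) for each event that should be held
    for extra confirmation instead of being applied immediately."""
    findings = []
    recent = []  # timestamps of sensitive changes inside the window
    for ev in sorted(events, key=lambda e: e["time"]):
        reasons = []
        # Signal 1: country never seen in this account's history.
        if ev["country"] not in known_countries:
            reasons.append("new_country")
        # Signal 2: several sensitive changes packed into one minute.
        if ev["type"] in SENSITIVE:
            recent = [t for t in recent if ev["time"] - t <= WINDOW]
            recent.append(ev["time"])
            if len(recent) >= 2:
                reasons.append("burst_of_sensitive_changes")
        if reasons:
            findings.append((ev["type"], reasons))
    return findings


def _t(clock):
    # Constructed date; only the time of day follows the thread.
    return datetime.strptime("2000-01-01 " + clock, "%Y-%m-%d %H:%M:%S")


# Constructed sample log: one routine login, then the reported sequence.
EVENTS = [
    {"time": _t("09:10:00"), "type": "login", "country": "SK"},
    {"time": _t("12:46:05"), "type": "login", "country": "PL"},
    {"time": _t("12:46:20"), "type": "authenticator_removed", "country": "PE"},
    {"time": _t("12:46:35"), "type": "phone_removed", "country": "PE"},
    {"time": _t("12:46:50"), "type": "email_changed", "country": "PE"},
]

if __name__ == "__main__":
    for event_type, reasons in review(EVENTS, known_countries={"SK"}):
        print(event_type, reasons)
```

The burst signal fires even when every country is already known, so a stolen session replayed from a familiar location would still be held at the second sensitive change.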