Foffy Dec 7, 2017 @ 7:42pm
Crawling proxy-list sites to prevent bruteforce account stealing
Introduction
Today I've seen an email where a certain IP address attempted to log in to my Steam account; thankfully Steam requires a confirmation code to get in.

I've been involved in digital security and have found that most people use only a few passwords across different services.

The issue
The problem arises when a user uses the same password for their confirmation method, making it possible for the hacker to access the service, which then treats them as a legitimate user.

First approach
There are many solutions, but the most user-experience-friendly one is to crawl proxy-list websites and restrict those addresses from accessing the Steam auth servers, or return unexpected data to them, making the attack really hard to debug.

Digression
The most effective alternative, but not a user-experience-friendly one, is to use a dual unknown-variant auth system: for example, two different secret codes, both unknown to the attacker, where one of them is randomly generated using non-predictable patterns or a certain value the person knows but which differs from the other secret code (like a date, an ID number or a phone number). The e-mail address is then the only value that might be known to the attacker, making the attack take much longer and be harder to achieve for automated attacks.

Conclusion
I'm talking about this since the Steam platform sometimes uses bank/credit data, and making it harder for the attackers could work.

Farewell fellas, Foffs.
Last edited by Foffy; Dec 7, 2017 @ 9:22pm
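The first approach above amounts to two pieces: turning crawled proxy-list text into a set of networks, and screening each login's source address against that set. The following Python is an added example written for this thread, not code from Steam or from the original post. The proxy-list sample is constructed (documentation address ranges, not real proxies), and the line formats it tolerates are assumptions about what such sites typically publish after the HTML is stripped. It deliberately returns a decision rather than a hard block, because proxy users are not all attackers; a listed source is a reason to step up to the confirmation code, not to refuse service.

```python
"""Build an IP blocklist from crawled proxy-list text and screen login sources.

Added example for the thread's 'crawl proxy-list websites' idea; not Steam code.
"""
import ipaddress
from typing import Iterable, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample of what a crawler might yield from a proxy-list page after
# stripping the HTML: one entry per line, in a few common shapes. Addresses are
# documentation ranges (RFC 5737 / RFC 3849), not real proxies.
SAMPLE_PROXY_LIST = """
# host:port lines
198.51.100.23:1080
203.0.113.7:3128 socks5 anonymous
# whole ranges a site may publish
192.0.2.0/24
# IPv6 entry in bracket notation
[2001:db8::1]:1080
# junk a crawler must tolerate without crashing
not-an-address
300.1.1.1:80
"""


def _strip_port(token: str) -> str:
    """Remove a trailing :port from the address forms the sample contains."""
    if token.startswith("["):            # [v6]:port
        return token[1:].split("]")[0]
    if token.count(":") == 1:            # v4:port
        return token.split(":")[0]
    return token                         # bare v4, bare v6, or CIDR


def parse_proxy_list(text: str) -> Set[Network]:
    """Return the set of networks listed in crawled proxy-list text.

    Single addresses become /32 (or /128) networks, CIDR entries are kept as
    ranges, and comments or unparsable lines are skipped rather than raising,
    because crawled pages are noisy.
    """
    networks: Set[Network] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        candidate = _strip_port(line.split()[0])   # first field is the address
        try:
            networks.add(ipaddress.ip_network(candidate, strict=False))
        except ValueError:
            continue                              # e.g. 300.1.1.1 or plain junk
    return networks


def is_listed(source_ip: str, blocklist: Iterable[Network]) -> bool:
    """True if the login's source address falls inside any listed network."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in blocklist if net.version == addr.version)


def login_decision(source_ip: str, blocklist: Iterable[Network]) -> str:
    """'challenge' (require the confirmation code) for listed sources, else 'allow'.

    Step-up rather than a hard refusal: a listed address is suspicious, not proof.
    """
    return "challenge" if is_listed(source_ip, blocklist) else "allow"


if __name__ == "__main__":
    nets = parse_proxy_list(SAMPLE_PROXY_LIST)
    for ip in ("198.51.100.23", "192.0.2.200", "2001:db8::1", "198.51.100.24"):
        print(ip, login_decision(ip, nets))
```

In a real deployment the parsed set would be refreshed on a schedule and stored as the login service's lookup table; the per-login check is then just `login_decision(source_ip, nets)` at the point where the confirmation step is decided.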
Rex Ninja Dec 7, 2017 @ 7:57pm 
Hi Foffy, I see your point. I respect your post and your point; it is an interesting idea. Thank you for sharing. I have no problem with your post.
I would like to recommend making your paragraph into two or three smaller ones to lighten the message expressed for those who read it. I feel you can get your message across with more ease this way.
If you like my recommendation that is welcome; if not, I apologize if I offend. Thank you again for your suggestion for this topic.
Foffy Dec 7, 2017 @ 9:17pm 
Hey Rex, thank you for your support and formatting recommendation. I'll re-write it as soon as possible!
Rex Ninja Dec 7, 2017 @ 9:22pm 
You're welcome
Rex Ninja Dec 7, 2017 @ 9:23pm 
I forgot to place the T

Originally posted by Rex Racer:
Hi Foffy, I see your point. I respect your post and your point; it is an interesting idea. Thank you for sharing. I have no problem with your post.
I would like to recommend making your paragraph into two or three smaller ones to lighten the message expressed for those who read it. I feel you can get your message across with more ease this way.
If you like my recommendation that is welcome; if not, I apologize if I offend. Thank you again for your suggestion for this topic.
Rex Ninja Dec 7, 2017 @ 9:25pm 
I found some spelling errors of mine, so I went back to fix them. Not perfect on my part, for those errors.
mr kuso Dec 10, 2017 @ 1:48pm 
Good idea :steamhappy:
Darren Dec 10, 2017 @ 1:51pm 
Activate the Steam Mobile Authenticator on your account and you will have exactly the additional kind of secret code you want.
Start_Running Dec 10, 2017 @ 2:17pm 
Last I checked, brute force hasn't been a thing for over a decade, since most sites have limited attempts before they block further attempts.
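The limit-then-block behaviour mentioned in the comment above is easy to get subtly wrong: counting failures per account alone lets anyone lock a victim out on purpose, and counting per IP alone misses an attacker who rotates through the proxies the thread is about. The following Python is an added example, not code from Steam or from any poster, showing a sliding-window limiter keyed on the (account, source address) pair with a timed lockout. The thresholds are assumptions chosen for illustration; the timestamps passed in are constructed.

```python
"""Per-(account, source) login attempt limiter with a sliding window and lockout.

Added example for this thread; thresholds are illustrative assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Tuple

Key = Tuple[str, str]   # (account, source_ip)


class LoginRateLimiter:
    """Count failed logins in a sliding window and lock the pair once the limit hits.

    Keying on (account, source) means one noisy address cannot lock a victim's
    account for everyone, while repeated guessing from one source is still cut
    off after max_failures attempts within window_seconds.
    """

    def __init__(self, max_failures: int = 5, window_seconds: int = 300,
                 lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[Key, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[Key, float] = {}

    def _prune(self, key: Key, now: float) -> None:
        """Drop failures that have aged out of the window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account: str, source_ip: str, now: float) -> bool:
        """True while the pair is inside its lockout period; clears expired locks."""
        key = (account, source_ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            self._failures[key].clear()
            return False
        return True

    def record_failure(self, account: str, source_ip: str, now: float) -> bool:
        """Record a failed attempt; return True if the pair is (now) locked."""
        key = (account, source_ip)
        if self.is_locked(account, source_ip, now):
            return True
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, account: str, source_ip: str) -> None:
        """A successful login resets the failure history for that pair."""
        self._failures.pop((account, source_ip), None)


if __name__ == "__main__":
    lim = LoginRateLimiter(max_failures=3, window_seconds=60, lockout_seconds=600)
    # Constructed sequence: three quick failures from one source lock that pair only.
    for t in (0.0, 10.0, 20.0):
        print("locked after failure at", t, "->", lim.record_failure("alice", "198.51.100.23", t))
    print("same account, other source locked?", lim.is_locked("alice", "203.0.113.5", 30.0))
```

The unlocked result for a different source address is the point: the lockout protects the account from the guessing source without handing an attacker a way to deny the real owner access from their own machine.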
Foffy Dec 11, 2017 @ 1:53am 
Originally posted by Colony Of an Gang:
Good idea :steamhappy:
Oh, thanks Colony! Any suggestion is welcome!

Originally posted by Darren:
Activate the Steam Mobile Authenticator on your account and you will have exactly the additional kind of secret code you want.
Hey there Darren, the hacker didn't have the opportunity to access the account because of the email confirmation code. I can see how 2FA can help here, but it isn't enabled by default.

Thank you, it's a really nice solution to this issue!


Originally posted by Start_Running:
Last I checked, brute force hasn't been a thing for over a decade, since most sites have limited attempts before they block further attempts.
Good morning Start_Running!

My first thought was brute force because my password has no logic; it uses random letters and numbers and it was only used between Steam and Steam applications (there was no usage outside this PC, and I really doubt this PC is compromised). Otherwise I have no idea how they got access to the password.

On the other hand, I did a lookup of the IP and it's listed in a few databases as a SOCKS5 proxy used by several attackers.


Thank you all for your support, solutions and useful comments!

Gracefully,
Foffs.
Start_Running Dec 11, 2017 @ 5:44am 
If someone has your password and you don't think your PC is compromised, it's probably compromised.
Date Posted: Dec 7, 2017 @ 7:42pm
Posts: 10