heartz 22 Apr 2019 at 15:37
Add verification when registering a Steam Web API Key to stop scams!
There has to be some kind of verification method when registering for a Steam Web API key to stop scams.
  • Add a captcha when registering a Steam Web API key.
  • When a Steam Web API key is requested, require a user to verify his request by clicking on a link in their mailbox (e-mail linked to the user’s Steam account).

Please read and sign our petition to convince Valve to add verification when registering a Steam Web API Key to stop scams!

<EDIT : Petition link>
Last edited by Fox; 22 Apr 2019 at 23:40
999999999 22 Apr 2019 at 15:41
Captcha doesn't work.

Create 1,000 dummy accounts using 1,000 dummy emails = bypassed.

Petitions don't work.

Users need to stop giving away ALL their account info to any random site. Stop the gullible first.
heartz 22 Apr 2019 at 15:48
Originally posted by 999999999:
Captcha doesn't work.

Create 1,000 dummy accounts using 1,000 dummy emails = bypassed.

Petitions don't work.

Users need to stop giving away ALL their account info to any random site. Stop the gullible first.

You totally don't understand the issue, first of all, you need to deposit $5 into your Steam account before you are eligible to register for a Steam Web API. Second thing, if a user is required to verify his request by clicking on a specific "Accept" or "Decline" button in his mailbox, he can decline his request and reset his password if he didn't perform the Steam Web API request.
The captcha doesn't solve the issue, but it will make it harder for automated systems to perform the request.
999999999 22 Apr 2019 at 15:52
There are thousands of unlimited accounts (bulk deals) on sites for less than $1 per account that are sold every day.

You still have not solved the email issue with that.

Captchas don't slow them down at all.
Last edited by 999999999; 22 Apr 2019 at 15:52
Gwarsbane 22 Apr 2019 at 15:53
Fun fact, Valve tried CAPTCHAs once. About an hour or 2 after CAPTCHAs went live, bots were already blasting past them. Humans had to suffer with CAPTCHAs for the rest of the week before they were removed.

CAPTCHAs are not coming back.
heartz 22 Apr 2019 at 16:04
Originally posted by 999999999:
There are thousands of unlimited accounts (bulk deals) on sites for less than $1 per account that are sold every day.

You still have not solved the email issue with that.

Captchas don't slow them down at all.


Originally posted by Gwarsbane:
Fun fact, Valve tried CAPTCHAs once. About an hour or 2 after CAPTCHAs went live, bots were already blasting past them. Humans had to suffer with CAPTCHAs for the rest of the week before they were removed.

CAPTCHAs are not coming back.

This scam has totally nothing to do with bot accounts or whatever. Please inform yourself by reading the petition page.

When a user logs into a phishing website, the website will automatically log in to his Steam account and register a Steam Web API key. With this key, the scammer is able to read and cancel trade offers on behalf of the owner of the Steam Web API key he is using.

Since this issue is hard to understand for most people, please sign our petition to make Steam a safer place.
Last edited by heartz; 22 Apr 2019 at 17:12
Spawn of Totoro 22 Apr 2019 at 16:14
Originally posted by Heartz | swap.gg:
  • Add a captcha when registering a Steam Web API key.
  • When a Steam Web API key is requested, require a user to verify his request by clicking on a link in their mailbox (e-mail linked to the user’s Steam account).

What would those do? Nothing, as the user is logging into a Steam account. None of that will prevent the user from giving away the exact same information being requested, in order for them to get the API key, let alone prevent the site from getting it as well.

Neither of these will prevent anything. Only add another step to create the API key.

Imho, best way to prevent the issue? Remove p2p trading and have everyone go through the market. Less reason for hijacking accounts and far fewer scams as people have to go through the market.

Originally posted by Heartz | swap.gg:
Since this issue is hard to understand for most people, please sign our petition to make Steam a safer place.

That is the worst reason to ever sign anything.

It is an easy issue to understand, if explained correctly.
Last edited by Spawn of Totoro; 22 Apr 2019 at 16:14
heartz 22 Apr 2019 at 16:28
Originally posted by Spawn of Totoro:
Originally posted by Heartz | swap.gg:
  • Add a captcha when registering a Steam Web API key.
  • When a Steam Web API key is requested, require a user to verify his request by clicking on a link in their mailbox (e-mail linked to the user’s Steam account).

What would those do? Nothing, as the user is logging into a Steam account. None of that will prevent the user from giving away the exact same information being requested, in order for them to get the API key, let alone prevent the site from getting it as well.

Neither of these will prevent anything. Only add another step to create the API key.

Imho, best way to prevent the issue? Remove p2p trading and have everyone go through the market. Less reason for hijacking accounts and far fewer scams as people have to go through the market.

Originally posted by Heartz | swap.gg:
Since this issue is hard to understand for most people, please sign our petition to make Steam a safer place.

That is the worst reason to ever sign anything.

It is an easy issue to understand, if explained correctly.

All the solutions provided will prevent it from happening.
If a user has to manually verify his Steam Web API key request by clicking a verify button in his mailbox, the amount of people that become victims will become much less.
Gwarsbane 22 Apr 2019 at 17:16
Originally posted by Heartz | swap.gg:

This scam has totally nothing to do with bot accounts or whatever. Please inform yourself by reading the petition page.

When a user logs into a phishing website, the website will automatically log in to his Steam account and register a Steam Web API key. With this key, the scammer is able to read and cancel trade offers on behalf of the owner of the Steam Web API key he is using.

Since this issue is hard to understand for most people, please sign our petition to make Steam a safer place.

I read what you said and I quote...
Originally posted by Heartz | swap.gg:
The captcha doesn't solve the issue, but it will make it harder for automated systems to perform the request.

Bots are automated systems. And that's what you claim that this request is to battle, automated systems.

So how about you read your own posts before telling others what it is and isn't about. Because if the CAPTCHAs could not stop bots, they will not stop scammers who will automate stuff on their end to blast past the CAPTCHAs.
heartz 22 Apr 2019 at 17:53
Captcha and email verification would be perfect.

Captchas can be solved by automated systems, but it will be slightly harder to register a key. There are some captcha frameworks that require the solver of the captcha to have the same IP addresses as the requester of the captcha, but I don't think Steam has that.

Email verification will require the owner of the Steam account to verify his registration by clicking on a specific link, which would be perfect to decrease the amount of people being scammed (since people decline the request because they didn't request one).
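
The e-mail confirmation step proposed in this thread, sketched as an added example; it is not part of any post and not Valve's code. The class, its method names and the 15-minute link lifetime are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

class KeyRegistration:
    """Hypothetical server-side flow: a Web API key is only issued after the
    account owner answers a link sent to the e-mail address on file."""

    def __init__(self, secret: bytes, ttl: int = 900):  # 15 min, assumed
        self.secret, self.ttl = secret, ttl
        self.pending = {}      # request id -> (account, expiry time)
        self.flagged = set()   # accounts whose owner declined a request

    def _token(self, rid: str, account: str, action: str) -> str:
        # Bind the token to request, account and action so an "accept"
        # link cannot be derived from a "decline" link or another request.
        msg = f"{rid}|{account}|{action}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_key(self, account: str, now: float):
        """Called from the logged-in session; returns what would be e-mailed."""
        rid = secrets.token_urlsafe(16)
        self.pending[rid] = (account, now + self.ttl)
        return rid, {a: self._token(rid, account, a) for a in ("accept", "decline")}

    def respond(self, rid: str, action: str, token: str, now: float) -> str:
        """Called when a link from the mailbox is clicked."""
        if rid not in self.pending or action not in ("accept", "decline"):
            return "rejected"
        account, expires = self.pending[rid]
        if not hmac.compare_digest(self._token(rid, account, action), token):
            return "rejected"            # a bad token does not consume the request
        del self.pending[rid]            # single use: replayed links fail
        if now > expires:
            return "expired"
        if action == "decline":
            self.flagged.add(account)    # owner did not ask: require password reset
            return "declined"
        return "issued"

def demo():
    """Constructed scenario: a phished session requests a key, the owner declines."""
    reg = KeyRegistration(secrets.token_bytes(32))
    rid, links = reg.request_key("victim", now=0)
    forged = reg.respond(rid, "accept", links["decline"], now=10)
    owner = reg.respond(rid, "decline", links["decline"], now=20)
    replay = reg.respond(rid, "accept", links["accept"], now=30)
    return forged, owner, replay, "victim" in reg.flagged
```

The session that requested the key never sees the tokens; they only travel to the mailbox, so the control holds only as long as the mailbox itself is not also compromised.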
Deƒnite 22 Apr 2019 at 21:40
Guys, I really think you all don't understand how pressing this issue is. First of all, the rising of B2P trading and gambling was all made possible due to the lack of willpower from Valve's side of things to shut them down. Possibly they realised how advantageous a more accessible skin market could bring in a lot more money?

If Valve would've shut down gambling sites right away, there wouldn't have been issues with phishing sites (with the intent of scamming skins) whatsoever.

Second of all, the phishing sites that ARE actually around at the moment, look extremely legitimate, especially to new players. 8 out of 10 players joining the CS:GO community are aware of the game's rich history of trading/gambling. Once they wish to try it out themselves, they will probably run into one of those phishing sites.

With the scam Heartz is talking about, users will only have to login ONCE in order for the, mostly Russian, scammers network, to request a Steam Web API key on their behalf and save it. For new players, that don't have skins yet, this would mean that they wouldn't have any issues at first, however, as soon as they start to enjoy the game and familiarize themselves with the market, they might look into buying some skins. And once they actually do, their Steam Web API key will be used to manage their incoming trades, and a scam duplicate of the trade will automatically be sent.

I think it's a huge problem into which Valve should definitely look. I share the opinion with Heartz that an email verification before requesting a Steam Web API key would shut the possibility to bot/fully automate this type of scamming down.

It's a very serious issue and I think Valve has the obligation to step in to stop their users from getting scammed. Thousands of dollars are getting stolen every single day by a Russian scammers network. (I have forum posts, IP addresses and more info on the person that even sells this scamming platform to other Russians. It's serious.) In the end, Valve didn't succeed in successfully shutting down gambling and B2P trading, in my opinion because of a lack of willpower, so it would be good right for Steam users to get the security measures before requesting a Steam Web API key, increased.
Gwarsbane 22 Apr 2019 at 23:32
Well if people didn't go to gambling websites which are not allowed to be advertised even in people's names, then there would not be a problem now would there.
Count_Dandyman 23 Apr 2019 at 0:56
Originally posted by 彡Deƒnite | swap.gg:
Guys, I really think you all don't understand how pressing this issue is. First of all, the rising of B2P trading and gambling was all made possible due to the lack of willpower from Valve's side of things to shut them down. Possibly they realised how advantageous a more accessible skin market could bring in a lot more money?

If Valve would've shut down gambling sites right away, there wouldn't have been issues with phishing sites (with the intent of scamming skins) whatsoever.

Second of all, the phishing sites that ARE actually around at the moment, look extremely legitimate, especially to new players. 8 out of 10 players joining the CS:GO community are aware of the game's rich history of trading/gambling. Once they wish to try it out themselves, they will probably run into one of those phishing sites.

With the scam Heartz is talking about, users will only have to login ONCE in order for the, mostly Russian, scammers network, to request a Steam Web API key on their behalf and save it. For new players, that don't have skins yet, this would mean that they wouldn't have any issues at first, however, as soon as they start to enjoy the game and familiarize themselves with the market, they might look into buying some skins. And once they actually do, their Steam Web API key will be used to manage their incoming trades, and a scam duplicate of the trade will automatically be sent.

I think it's a huge problem into which Valve should definitely look. I share the opinion with Heartz that an email verification before requesting a Steam Web API key would shut the possibility to bot/fully automate this type of scamming down.

It's a very serious issue and I think Valve has the obligation to step in to stop their users from getting scammed. Thousands of dollars are getting stolen every single day by a Russian scammers network. (I have forum posts, IP addresses and more info on the person that even sells this scamming platform to other Russians. It's serious.) In the end, Valve didn't succeed in successfully shutting down gambling and B2P trading, in my opinion because of a lack of willpower, so it would be good right for Steam users to get the security measures before requesting a Steam Web API key, increased.

There are already multiple layers of security that have to be passed before an API key can be put in place. The problem is users keep giving the details and permissions needed to do it already; adding another layer won't change that.

As for your claims Valve should shut down the gambling sites you might want to join the rest of us here in reality and realise the simple truth that Valve do not have the ability to do that because they don't control the internet or have any power to make or enforce global laws.
Deƒnite 23 Apr 2019 at 2:42
When introducing skins to the game, Valve purposely chose for an open economy, with which could obviously be predicted that people would eventually create systems to automate trading and introduce gambling.

Valve has the legal right to shut gambling and/or trading sites down since it is in fact against their ToS, however they actively choose not to. Once in a while they decide to ban a bot or two, resulting in the operation just being left with the chances to keep on existing. IF Valve had the REAL intent on shutting down automated trading- and gambling websites, they would've already done so.

So, because they don't shut these operations down, they do profit from the advantages of gambling sites. I understand Valve can't be held responsible for phishing and scammer sites, however they do get away with the semi-responsibility for shutting these sites down. It would be a great effort from their side if they'd help shutting the scams down, and keeping the legitimate business operational OR shut them all down.
Crazy Tiger 23 Apr 2019 at 2:50
It doesn't matter that these sites are against Valve's ToS. They are separate sites that have no true link to Valve, thusly they cannot simply shut them down. It takes a lot of effort to get these sites closed. Something which is useless, as closing one will only result in 2 others emerging.

The problem doesn't lie with Valve, it lies with people being stupid and giving their info out. Yet somehow when people act like idiots, it's Valve's fault.
Deƒnite 23 Apr 2019 at 2:59
I'm not sure if you've ever truly been into the gambling and/or trading community, but the problem is way more complex than you're implying. An experienced trader as myself, knowing the risks of logging onto trading sites, item databases etc, also risks getting scammed. Some phishing sites are so extraordinarily put together, that you never notice it's in fact a scam site. It can happen to everybody.

I do understand it's people's own risk to log onto external sites that aren't linked to Valve in any way, however, we're talking about a very specific type of abuse of a system offered and created by Valve. A public Steam Web API key, which can be used to manage incoming-outgoing and live trades.

About shutting down gambling sites; it's extremely easy to do for Valve. With these sites using Valve data and APIs, usually even pulling prices off the Steam Community Market, they are violating Valve ToS. If one violates a ToS, with which they automatically agree once using the service, the organisation has the legal right to immediately shut the operation down, without a lawsuit.

In addition to that, finding gambling sites is extremely easy for users, let alone for Valve themselves. That's not an excuse to not shut them down. It's a choice.

Date posted: 22 Apr 2019 at 15:37
Posts: 49