2) You cannot remove the Authenticator without a Steam Guard code, which you conveniently gave to the attacker.
3) The system already asks for authentication to change your email. Again, you GAVE THAT to the attacker. Note that the email you get also has a self-locking tool as well.
Do you know what stops “hackers”?
Stop logging into scam websites.
Steam can’t prevent you giving away your home keys to a thief. So, you know, stop doing that.
See, that is not a problem with the security, that is a problem with you and lack of common sense.
Solution, do not use your steam credentials anywhere else than Steam.
I am telling you - people put trust into Steam's OAuth as a means of identification, and they put trust into Steam's Two Factor Authentication as a means to prevent hacking - but it turns out this trust means nothing when a website mimics the interface perfectly. This is a problem. OAuth and 2FA on their own are not strong enough - they aren't magical.
There are holes that hackers are using - have used just this week - and they need strengthening. When I reported my account stolen, there were 30000+ other accounts in the queue for Steam account recovery. I mean - I've lived in towns that had fewer people in them than the queue for 1 single day of reported Steam account hacks. This is not good enough! This indicates there may be huge data breaches.
Companies get in huge trouble for allowing data breaches, as I'm sure you know, and this is on a massive scale.
These holes in security need looking at. The current system is inadequate.
The alleged address bar of the alleged convenient popup window was fake. Legitimate sites do not use popup windows for OpenID. They completely navigate to the OpenID provider, and that refers back on success, because that is how the system is supposed to work.
Simply log in on the official Steam website first. Any legitimate site that uses OpenID from Steam will then no longer display username/password; it will display your profile name and a button. You don't have to enter anything.
Again, user fails are no holes in the system. No system was breached; you gave your credentials away because of mis/non-education.
Steam has close to a billion user accounts, the majority of those tickets are probably not because of what you did but because people simply forget stuff.
You got phished
That’s not a problem with OAuth
It’s not a problem with security
It’s a USER PROBLEM
All of your “solutions”
1) do not address any actual security issues
2) do not prevent hijacks
3) do not address post hijack scenarios either
Why are you guys so pro-criminal?
Again if you get phished that is functionally a user issue
This is like going to Assa Abloy and complaining their locks are garbage after you gave your keys to a drunk hobo behind the dumpster at BestBuy and are SHOCKED someone broke into your home via the unlocked front door
NONE of your “solutions” fix anything
Pointing out your ideas are terrible and do not actually solve the real problem is not “pro criminal”
You just refuse to acknowledge you are the weakest part of the security chain
Allowing a hacker to steal entire accounts instantly through a single login interface is a problem.
There need to be more barriers there to protect a few critical security events -
* removing a phone (since it houses mobile authentication)
* removing mobile authenticator (since using mobile authenticator to allow removal of mobile authenticator is circular)
* changing email address within seconds of removing mobile authenticator should be an obvious red flag.
Imagine if someone had their account stolen and you were looking at the data logs. If you saw these three events occurring within seconds, you would know just from that, that they had their account stolen.
Sometimes it's not good enough to just trust in the status quo. Sometimes you need to be active and fix security problems.
But that doesn't mean that I feel like all similar idiots need to be punished.
When you do something stupid, you get up, take a look, and see how you could have done things better, right?
So - this attack can be beaten.
You must never get so complacent when it comes to security.
Never roll over and ignore when you've found a hacker's attack vector.
You've got to do all you can and fix what you can.
Protect the stupid customer, because they put their trust in you.
Because trust is profitable.
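The red-flag pattern raised in the posts above (phone removal, authenticator removal and email change landing within seconds of each other), written as a detection rule over an account audit log. This is an added example, not part of the thread and not Valve's code; the event names, account ids and log lines are constructed for illustration.

```python
from datetime import datetime, timedelta

# Hypothetical event names for the three critical changes listed in the post.
CRITICAL = {"phone_removed", "authenticator_removed", "email_changed"}

# Constructed sample audit log: (ISO timestamp, account, event). Not real data.
SAMPLE_LOG = [
    ("2024-01-05T10:00:00", "acct_a", "login"),
    ("2024-01-05T10:00:07", "acct_a", "authenticator_removed"),
    ("2024-01-05T10:00:15", "acct_a", "phone_removed"),
    ("2024-01-05T10:00:21", "acct_a", "email_changed"),
    ("2024-01-02T09:00:00", "acct_b", "phone_removed"),
    ("2024-01-09T18:30:00", "acct_b", "authenticator_removed"),
    ("2024-01-20T12:00:00", "acct_b", "email_changed"),
    ("2024-01-05T11:00:00", "acct_c", "authenticator_removed"),
    ("2024-01-05T11:00:30", "acct_c", "email_changed"),
]


def flag_takeover_bursts(log, window=timedelta(minutes=5), min_distinct=2):
    """Return {account: sorted critical event types} for each account where at
    least `min_distinct` different critical events fall inside one window."""
    per_account = {}
    for ts, account, event in log:
        if event in CRITICAL:
            per_account.setdefault(account, []).append(
                (datetime.fromisoformat(ts), event))

    flagged = {}
    for account, events in per_account.items():
        events.sort()
        start, best = 0, set()
        for end in range(len(events)):
            # Slide the left edge forward until the span fits in the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            kinds = {kind for _, kind in events[start:end + 1]}
            if len(kinds) > len(best):
                best = kinds
        if len(best) >= min_distinct:
            flagged[account] = sorted(best)
    return flagged


if __name__ == "__main__":
    for account, kinds in flag_takeover_bursts(SAMPLE_LOG).items():
        print(account, "->", ", ".join(kinds))
```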
The only problem here to fix is the user, that is not something Valve can do anything about.
You gave away your credentials to the attacker
Once you give away your credentials you are fundamentally authorizing the attacker
The attacker looks legit because YOU GAVE THEM authority
Steam isn't a care center, if you can't take care of yourself you put yourself at risk.