Mailer님이 먼저 게시:

OmninmO님이 먼저 게시:

Having your steam account connected to your phone actually makes you exponentially more vulnerable.

What? Why?

Malware.

Back around 2018 antivirus vendors' threat monitoring already showed that Android and iOS malware was approaching a break-even point with Windows.

Two important things to keep in mind here:

Windows systems usually have anti-virus products actively monitoring for threats. Where Android and iOS don't. They rely pretty much in their entirety on their ecosystems being a walled garden and whatever software being run on them having been checked at the gate - i.e. by automated scanners used by the Apple Store and the Play Store.

And where Windows is kept up-to-date with pretty much a forced update policy for consumer users, many Android phones are kept around for years with no more security updates offered by their device vendor.

Tito Shivan님이 먼저 게시:

OmninmO님이 먼저 게시:

Having your steam account connected to your phone actually makes you exponentially more vulnerable.

Been hearing that for a decade. Still have to see someone who got their account stolen through their phone.

You're not ever going to hear that, because even if Valve would spend the effort on analyzing how a particular account was stolen / compromised - if it were possible to do so via compromising the smart phone, it means their entire security ecosystem built up around their custom Steam Guard app for Android / iOS would come crashing down and would instantly lose all trust placed in it.


As for such malware existing: it (probably) does.
A customized version of the Redline trojan and credential stealer specifically tuned to look for Discord and Steam credentials already appeared on the radar of anti-virus threat monitoring a year or two ago. And Redline afaik comes in Windows; Android and iOS flavors.

RiO님이 먼저 게시:

You're not ever going to hear that, because even if Valve would spend the effort on analyzing how a particular account was stolen / compromised - if it were possible to do so via compromising the smart phone, it means their entire security ecosystem built up around their custom Steam Guard app for Android / iOS would come crashing down and would instantly lose all trust placed in it.

So basically you made up a conspiracy, and then made it such that any scenario anyone can come up wtih only supports your conspiracy. And you want people to take you seriously how exactly?

Steam hijackings are literally SaaS. Your conspiracy theory somehow indicates that people are not willing to sell such an exploit on the public SaaS market? There are literal turnkey systems for basic phishing attacks. But somehow these exploits, that you insist absolutely exist, are not part of even the 'elite' SaaS packages? There are companies, organizations and individuals who all monitor this space. But somehow this has escaped all of them? And somehow these compromises target seemingly only minor users as opposed to you know mabye Valve employees, big accounts, popular accounts, bot that trade in thousands of items? But somehow everything looks indistinguishable from "run of the mill phishing attacks"

This is on par with "big pharma is blocking cancer cures" levels of conspiracy nonsense

Satoru님이 먼저 게시:

RiO님이 먼저 게시:

You're not ever going to hear that, because even if Valve would spend the effort on analyzing how a particular account was stolen / compromised - if it were possible to do so via compromising the smart phone, it means their entire security ecosystem built up around their custom Steam Guard app for Android / iOS would come crashing down and would instantly lose all trust placed in it.

So basically you made up a conspiracy,

[..]

This is on par with "big pharma is blocking cancer cures" levels of conspiracy nonsense

The only person trying to paint this as a conspiracy is you.

I'm not saying any of this is happening, I'm just saying that if there actually were a problem or risk with Steam accounts being compromised via Android or iOS, then don't count on Valve to actually publicly announce it. Because they'd have every reason to not do so and to keep it quiet.

There's precedent for them doing that as well. They have in fact tried it before- with the problems in the Steam Client Service discovered independently by Matt Nelson and Vasily Kravets.

Satoru님이 먼저 게시:

Steam hijackings are literally SaaS. Your conspiracy theory somehow indicates that people are not willing to sell such an exploit on the public SaaS market? There are literal turnkey systems for basic phishing attacks. But somehow these exploits, that you insist absolutely exist, are not part of even the 'elite' SaaS packages?

Redline is an example of a general purpose credential stealer which has had tailored versions aimed at stealing gaming related credentials such as Steam and Discord used in the past. E.g. when 2K's support desk was hacked, it distributed fake emails with a patched '2K launcher' that was in fact the Redline stealer. For Windows in this case.

https://www.bleepingcomputer.com/news/security/2k-game-support-hacked-to-email-redline-info-stealing-malware/

I agree and any serious user who doesn't befriend Valve employees to scam users agree to. Steam security is sub-par. Discord is full of scammers stealing tens of Steam accounts daily. Many of them only steal Steam accounts. This shows how unsecure Steam is.

RiO님이 먼저 게시:

I'm not saying any of this is happening, I'm just saying that if there actually were a problem or risk with Steam accounts being compromised via Android or iOS, then don't count on Valve to actually publicly announce it. Because they'd have every reason to not do so and to keep it quiet.

So again, you spout conspirancy theories and then deny it, then literally confirm one. I don't think you understand how the words you are using work

Hikari.ws님이 먼저 게시:

I agree and any serious user who doesn't befriend Valve employees to scam users agree to. Steam security is sub-par. Discord is full of scammers stealing tens of Steam accounts daily. Many of them only steal Steam accounts. This shows how unsecure Steam is.

This is like saying Windows is insecure because most vulnerabilities are on Windows. There are more known vulnerabilites on windows because these are worth more to hackers and thus they are attacked more. The whole 'macs are safe' sort of died once everyone figured out 'hey i can hack ios and make a ton of money'. Hackers go to where moeny is. Steam accounts are worth money.

By your logic Epic accounts are 'secure' because they are not hijacked. They are not hijacked cuz no one wants an Epic account, not because they are 'secure'

Satoru님이 먼저 게시:

Hikari.ws님이 먼저 게시:

I agree and any serious user who doesn't befriend Valve employees to scam users agree to. Steam security is sub-par. Discord is full of scammers stealing tens of Steam accounts daily. Many of them only steal Steam accounts. This shows how unsecure Steam is.

This is like saying Windows is insecure because most vulnerabilities are on Windows. There are more known vulnerabilites on windows because these are worth more to hackers and thus they are attacked more. The whole 'macs are safe' sort of died once everyone figured out 'hey i can hack ios and make a ton of money'. Hackers go to where moeny is. Steam accounts are worth money.

By your logic Epic accounts are 'secure' because they are not hijacked. They are not hijacked cuz no one wants an Epic account, not because they are 'secure'

Exactly, no one wants them because EGS doesn't have a community market with ridiculously overpriced items that only attract scammers.

Pierce Dalton님이 먼저 게시:

Satoru님이 먼저 게시:

By your logic Epic accounts are 'secure' because they are not hijacked. They are not hijacked cuz no one wants an Epic account, not because they are 'secure'

Exactly, no one wants them because EGS doesn't have a community market with ridiculously overpriced items that only attract scammers.

People do try. I used to get plenty of emails from Epic from people trying to get into my account. Updated my password and started using their 2FA and haven't had a problem since. Pretty sure it was people trying to find Fortnite accounts with cool skins to hijack.

JPMcMillen님이 먼저 게시:

People do try. I used to get plenty of emails from Epic from people trying to get into my account. Updated my password and started using their 2FA and haven't had a problem since. Pretty sure it was people trying to find Fortnite accounts with cool skins to hijack.

Fortnite accounts are routinely hijacked as much as Steam accounts used to. Just because there's no market doesn't mean they're not valuable.

Satoru님이 먼저 게시:

RiO님이 먼저 게시:

I'm not saying any of this is happening, I'm just saying that if there actually were a problem or risk with Steam accounts being compromised via Android or iOS, then don't count on Valve to actually publicly announce it. Because they'd have every reason to not do so and to keep it quiet.

So again, you spout conspirancy theories and then deny it, then literally confirm one. I don't think you understand how the words you are using work

It's only a conspiracy theory if you're claiming it's actually happening.
Which I'm expressly not.


The only thing I stated is, that if such problems would exist then you'd best not count solely on finding out via Valve. Because if they would exist, then Valve would logically have reason to try to keep them covered up. And there's demonstrable proof that they're not afraid to do that, as it's well documented - including even mainstream media attention - that they've attempted to do so in the past with certain security vulnerabilities in the desktop Steam Client.

Again: I'm not saying that this is the case. I'm saying that if it were the case, then past concrete; tangible happenings would lead to believe that [..]

There's a minor nuance which makes a significant difference there.

RiO님이 먼저 게시:

The only thing I stated is, that if such problems would exist then you'd best not count solely on finding out via Valve.

Which is a non issue because if we're not short of anything is people looking to throw shade at Valve for any mistake they do.

Which makes this not quite correct.

RiO님이 먼저 게시:

Tito Shivan님이 먼저 게시:

Been hearing that for a decade. Still have to see someone who got their account stolen through their phone.

You're not ever going to hear that.

And we still haven't heard from any source (not just Valve) about account theft using the phone as the attack vector. After all these years.

Tito Shivan님이 먼저 게시:

JPMcMillen님이 먼저 게시:

People do try. I used to get plenty of emails from Epic from people trying to get into my account. Updated my password and started using their 2FA and haven't had a problem since. Pretty sure it was people trying to find Fortnite accounts with cool skins to hijack.

Fortnite accounts are routinely hijacked as much as Steam accounts used to. Just because there's no market doesn't mean they're not valuable.

Those guys were going after anyone they thought had an Epic account. If they had gotten into mine and loaded up Fortnite, all that was there was the default stuff. It wasn't until a couple of years ago I started getting the free winter holiday stuff.

Satoru님이 먼저 게시:

It would appear more you have not actually been around Steam long enough to remember all the 'other' ways Steam has tried this and how they failed. You wanting conveneince is not a reason to reduce security or to ignore a decade of problems with how traders and scammers have engaged with the system.

Stupid interference and privacy hazards not inconvenience as you put it and no they haven't tried all the other ways.
If you are a child or have one that then it is you who can put all those extra security features for yourself instead of inflicting it on others.

Steam hasn't helped this with it's 3rd party website sign ins.