Steam Guard Security Hole found - Please let user select security setting!
I found out this:
http://blog.malwarebytes.org/fraud-scam/2014/04/phishers-bypass-steam-guard-protection/
http://steamcommunity.com/discussions/forum/10/558749825166774122/#c558749825203612306

Actually, it shouldn't rely on a "keyfile". Then it's as easy for a trojan to steal and bypass as the username/password itself.

Suggestion:
To balance convenience for those users having a highly dynamic IP (that changes with every connection) with security for users that have a highly static IP (e.g. one that changes a few times/year), I would suggest this:

Allow a security setting inside Steam Guard properties, where user can select:

Low - No Steam Guard protection (Steam Guard is off)
Medium - Steam Guard protection as it is today (Steam Guard is on)
High - Steam Guard protection is on. But also a high security mode is activated, where the keyfile is "locked" to a specific public IP, so if your public IP changes, you will have to authenticate with Steam Guard again.
Showing 1-15 of 16 comments
Tev Apr 27, 2014 @ 5:38am 
It's much more likely for the person him-/herself to upload the SSFN file and then realize they got hijacked than a virus to steal it.
Sebastian Nielsen Apr 27, 2014 @ 5:42am 
Yes. I agree that users are pretty dumb if they themselves upload the SSFN file. But thinking more in a logical way: If the END USER can move the file between computers to authenticate them without Steam Guard, then a VIRUS can do it too. A keylogger which steals the Steam Guard code will have no success since the generated code is different for each computer, but a virus which steals the completed SSFN file will have access.

Since Steam Guard is designed to allow you to log in to an "untrusted" computer, I think this should be fixed ASAP with an optional "High Security" setting, that will have the Steam Guard server verify that the public IP is authenticated as well. Public IP is something a fraudster cannot fake or spoof (provided the transmission protocol used is TCP - verification done by the SYN/SYN-ACK handshake - or UDP with reply-verification on the application layer)
Satoru Apr 27, 2014 @ 6:42am 
That's like saying PGP has a security hole because a site asked you to upload your private key and you did it
TirithRR Apr 27, 2014 @ 7:00am 
Instead of attaching anything to the IP address, they should attach the SSFN file to something on your physical computer, so that the SSFN file for that computer cannot be used on any other computer. There are many other programs that lock key files like this, usually to do with copy protection. You can use the Serial Number of the disk drive, which is the most common, but you can also use ID markers from your NIC, etc.

That way, even if you upload the SSFN file, it's pointless to the phisher unless they crack the encryption and linking to the disk serial number, or somehow know or guess your disk serial number, which is not likely.

If this were true, the only downside would be if you changed out your HDD you would have to log into Steam again and get a new SSFN file and trigger a New Device restriction for 7 days. Not a big deal, in the large picture.
Tito Shivan Apr 27, 2014 @ 7:30am 
Originally posted by Satoru:
That's like saying PGP has a security hole because a site asked you to upload your private key and you did it
Pretty much.
Sebastian Nielsen Apr 27, 2014 @ 8:54am 
Yes, that could be part of "Medium" security level.
High security level should attach to the IP address in addition to hardware.

Tito & Satoru: No. This is because PGP and Steam Guard have different "security targets". Think of EAL classification: EAL classification is a certification against a specific, defined security target. If the security target is "this is a completely open product without any authentication", that product will get EAL 7+ even if that product is less secure than even an EAL 1 product with a stricter security target.

So put simply: PGP has a security target that relies on PGP being run on a trusted computer. PGP is not designed to be used on an untrusted computer (e.g. one which might be loaded with trojans and viruses). Thus it's not a security hole if someone is able to copy a private key.

Steam Guard however, has a security target that it should be possible to log in to an untrusted computer, without that identity being able to be copied to another untrusted computer - provided that the email account is kept secure. (An example: log in to the email with the mobile and your email account does not need to touch the infected computer)

Note that I'm NOT talking about uploading the SSFN file here. I agree, as said, that it's dumb of users to upload it.
The key point I'm trying to make is that it's possible to STEAL the SSFN file. If the user can send the file somewhere and then the file can be misused, then a keylogger designed to steal Steam accounts can easily steal the SSFN and send it to the fraudster too.

And Steam Guard is explicitly designed to protect against malicious software and password stealing software, thus, it shouldn't be enough to steal a "keyfile" anywhere.
Last edited by Sebastian Nielsen; Apr 27, 2014 @ 8:56am
TirithRR Apr 27, 2014 @ 8:58am 
How is attaching to your IP address higher security than attaching to physical hardware?

And you are talking about uploading SSFN files... that is what the article you linked to was about. People stealing the SSFN files.

SSFN files are created when you authorize a device. That SSFN file should be linked to that single device upon creation. Moving it to another device should void the SSFN file. Easiest way I can see to do that is to encrypt it to the physical hardware of that device.
Last edited by TirithRR; Apr 27, 2014 @ 8:59am
Sebastian Nielsen Apr 27, 2014 @ 9:05am 
TirithRR: Since a malicious software could read the correct values and then decrypt and then re-encrypt the file tailored for the fraudster's computer. Even if the server asks about the correct hardware values, the fraudster can fake these values by simply lying to the server.

The article linked mentions uploading SSFN files by stupid end users yes. But think longer than what the article says.
If YOU are able to authorize a new device by simply copying a file from an authorized device, anything malicious running on an authorized device can copy that as well. Think of a keylogger that came with some map or something, that keylogs the username and password, and also steals the SSFN file, and sends it to the C&C center.
That's a security case that Steam Guard is EXPLICITLY DESIGNED to protect against, and thus Steam Guard must be able to cope with such things.

An IP address cannot be spoofed. This is because most software relies on communication in both directions, and if you spoof the IP address, you will never get to see the reply. And if the software verifies reply capacity by asking the client to say whatever it was in the packet, it will be impossible for a client to spoof an IP.
Thus the SSFN could have a SHA512 hash of the whole file + a secret key value that only the Steam server knows + client IP.
The client sends SSFN + SHA512 hash to the Steam server. The server recalculates the SSFN hash by simply using the IP that the login request appears from, and thus if the client IP is changed due to a stolen file, then the SHA512 will not match and login is rejected with a Steam Guard Code question.

Note that this protection must be selectable, so those users sitting on 3G/4G and such networks that regularly change IP must be able to disable the extra IP protection, while users that sit on a static IP and have their own servers and such can have extra IP protection activated.

So reading hardware values could be part of Medium security, and
IP address + hardware reading could be part of HIGH security.
Last edited by Sebastian Nielsen; Apr 27, 2014 @ 9:11am
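A server-side sketch of the two-level binding argued over in the posts above (hardware fingerprint at Medium, fingerprint plus source IP at High), added here as an example; it is not Valve's code or anything from the thread. It uses HMAC-SHA512 keyed with a server-only secret instead of a bare SHA512 concatenation, and every name and value in it (issue_token, verify_token, the fingerprint string, the addresses) is constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret: in a real deployment it never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)

# Security level -> does the token also get bound to the client's public IP?
LEVELS = {"medium": False, "high": True}

def _tag(account: str, level: str, nonce: str, fingerprint: str, ip: str) -> str:
    """HMAC-SHA512 over everything the token is bound to. The IP is only
    mixed in at 'high', so a 'medium' token verifies from any address."""
    bound_ip = ip if LEVELS[level] else ""
    msg = "|".join([account, level, nonce, fingerprint, bound_ip]).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha512).hexdigest()

def issue_token(account: str, level: str, fingerprint: str, client_ip: str) -> str:
    """Issued once after a successful Steam Guard code check (hypothetical API).
    The token is self-describing, so the server keeps no per-device state."""
    if level not in LEVELS:
        raise ValueError("unknown security level")
    nonce = secrets.token_hex(8)
    return "|".join([account, level, nonce, _tag(account, level, nonce, fingerprint, client_ip)])

def verify_token(token: str, account: str, fingerprint: str, observed_ip: str) -> bool:
    """The server recomputes the tag from the IP the connection actually arrives
    from, not from anything the client sends, so a copied 'high' token fails as
    soon as it is presented from another address."""
    try:
        tok_account, level, nonce, tag = token.split("|")
    except ValueError:
        return False
    if tok_account != account or level not in LEVELS:
        return False
    return hmac.compare_digest(tag, _tag(account, level, nonce, fingerprint, observed_ip))

def stolen_token_scenario(level: str) -> bool:
    """True if a token copied off the victim's machine still logs in from the
    attacker's address. The hardware fingerprint is client-reported, so the
    attacker replays the victim's value; only the source IP differs."""
    victim_fp = "disk:SN-1234;nic:00-11-22-33-44-55"   # constructed sample values
    victim_ip, attacker_ip = "198.51.100.7", "203.0.113.9"
    token = issue_token("alice", level, victim_fp, victim_ip)
    return verify_token(token, "alice", victim_fp, attacker_ip)

if __name__ == "__main__":
    print("medium: stolen token usable ->", stolen_token_scenario("medium"))  # True
    print("high:   stolen token usable ->", stolen_token_scenario("high"))    # False
```

The fingerprint check only raises the bar, since a client can report whatever values it likes; the observed source address is the one input a copied token cannot supply from elsewhere, which is exactly why the High level in the thread has the dynamic-IP trade-off.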
TirithRR Apr 27, 2014 @ 9:19am 
If your computer is compromised to the point that you have programs reading hardware IDs, decrypting and sending files to a third party, etc., you have bigger issues, ones that your IP address linking wouldn't help with, because they are now on that client anyway.

Simple as that. The most beneficial change would be permanently linking the SSFN file to the piece of hardware it was created for. That would solve the SSFN phishing site issue.

How many people do you think have their accounts compromised via viruses and malware stealing files and logging keystrokes?

How many people do you think have their accounts compromised via the standard phishing attempts without having any viruses or programs installed?

I'll give you a hint, one of them is MAGNITUDES greater than the other.
Sebastian Nielsen Apr 27, 2014 @ 9:34am 
Yes but Steam Guard isn't designed to protect against phishing, since the phisher could simply ask the user for Steam Guard code anyways.

Steam Guard is explicitly designed to protect against malware account steals. Due to Steam Guard, malware steals with "regular all-catching keyloggers" have gone to zero.

Before Steam Guard, the number of accounts stolen via malware was roughly equal to accounts stolen via regular phishing. Mostly cheaters and pirates were affected by malware, but those that downloaded maps, mods and other perfectly legit customization files were affected too, since malware can be hidden almost everywhere the user is expected to download a file and use/run it.

But if someone does a malware that is explicitly designed for Steam, chances are high that they will add an SSFN stealing feature too.

And about IP, I want to make an important point: Stealing an SSFN file will give you permanent access to that Steam account. VPNing through someone's IP because of an IP linking feature will raise suspicion, and also that access will be cut off once the victim's computer is off. Also even basic firewalls, those embedded in routers, protect against most malicious software that relies on the hacker sending packets to the victim (rather than the victim sending packets to the hacker).
And once suspicion is raised (for example the victim being thrown out of his own Steam account all the time), the victim will probably pull the plug on the computer, cutting off the hacker's access, probably permanently since that computer will be cleaned prior to the next Steam login.

A stolen SSFN file can simply be used while the victim is off, by having the malware phone home each time the computer is shut down or started up, raising no suspicion other than mysterious changes to the account (VAC bans, stolen items, trading restrictions, cooldowns due to abuse and such), which the victim will not know is linked to malware on his own computer.
Last edited by Sebastian Nielsen; Apr 27, 2014 @ 9:37am
TirithRR Apr 27, 2014 @ 9:58am 
So what's the most bang for the buck, so to speak?

An opt-in option (has to be opt in, because of the Static vs Dynamic issue) that will end up being used by very few people.

Or

A change to the way the SSFN file system works, that would be done behind the scenes, and the only people that will know are the phishers who can no longer use those SSFN files people are uploading to their website.
Satoru Apr 27, 2014 @ 11:10am 
If you're talking about your system being compromised enough for key loggers and uploading files, YOU ARE TOTALLY SCREWED ANYWAY. Security dies the second an attacker has rooted your system.
Tito Shivan Apr 27, 2014 @ 11:34am 
Originally posted by Sebastian Nielsen:
Before Steam Guard, the number of accounts stolen via malware was roughly equal to accounts stolen via regular phishing. Mostly cheaters and pirates were affected by malware, but those that downloaded maps, mods and other perfectly legit customization files were affected too, since malware can be hidden almost everywhere the user is expected to download a file and use/run it.
And after Steam Guard, the amount of stolen accounts is still due to plain old phishing in its majority. Actual hijacks due to malware are a minimum.
MOST of hijacks related to the validation file are due to the user uploading the file through a phishing site, not actual malware being involved.
Can't avoid but feel the article is just a bunch of fearmongering and pot-stirring over a non-issue (from an AVS brand).

Also as Satoru said, an attacker getting access to the protected machine is pretty much the worst security scenario. No security can protect you in that scenario.

PS: You're being quite optimistic about the detection capabilities and stopping power of consumer-brand firewalls.
Last edited by Tito Shivan; Apr 27, 2014 @ 11:35am
Sebastian Nielsen Apr 27, 2014 @ 11:54am 
TirithRR: I talked about applying both. SSFN hardware security as default, but with an IP security as opt-in on top of that.
aiusepsi Apr 27, 2014 @ 1:44pm 
IP security isn't going to fly for purely practical reasons. It'd be too annoying to be on by default, and if it's not on by default, it might as well not exist.

For it to be useful, you'd have to hypothesise a user who is hyper-sensitive about Steam security and turns all the security options on Steam up to maximum, but is entirely slapdash about the rest of their computer's security. That's a rare beast.

Date Posted: Apr 27, 2014 @ 5:32am
Posts: 16