This topic has been locked
I can't decide if I'm disappointed or angry...
Since the day I got my beta access to the steam trading cards "system", I have been enjoying that new idea from valve in many and different ways, such as dropping cards, trading with friends, using the market, and so on.

Now, I would like to share my story here, so people can learn from it, and, maybe, valve will do something to avoid such situations in the future (suggestions at the end of the post).

Firstly, it is necessary for understanding the rest that I both:

- don't trust SSL (it's flawed, you can ask why if you want, I will answer, but for now it's not the point) so I use one-time-virtual-credit-cards to buy over the Interwebz;
- and don't use mainstream payment platforms (Paypal, Google wallet, etc.) for personal reasons, that I can explain later too if you are really that curious.

Now, to the point: to use the steam market, I need money in my steam wallet. To put money on my steam wallet, I have different options; but the one I was using for now was the virtual credit cards I described above.
The first time I did that, I got a one-week lock because valve did want to check the money before I was granted the right to use it. I perfectly understand that. I would have really preferred to be warned before, though.
The second time I did it (with a different virtual credit card of course), there wasn't some lock at all, so I figured out that my account had been marked as "safe" (a.k.a. "not a scammer") and that I wouldn't get another delay, even when using different credit cards.
The third and last time I did it, yesterday, I got my wallet locked again. For one week, yes. So, okay, I did increase the amount, compared to the other times, so I still can understand that. But I would have really preferred to be warned before, though. Again.

When your wallet is locked like this, you can still spend money in the steam store (since they keep the money anyway in that case, so it's safe for them anyway), even if you cannot use the market (money in the wallet cannot be claimed back (it will stay on the valve account anyway), so technically, they could allow it anyway for the same reasons as mentioned in the point just before; but it would be really harder for them to trace each exchange and revert them in such cases; and people (not only the scammers) would definitively complain, so that's okay, I also understand, and I will accommodate to it). So I spent that money in the steam store, since it's the sales, and that was no big deal. But still, I would have really preferred to be warned before, each time I was about to get my money locked for a week.

Now, since I really wanted to access the market, and since my account is blocked for a week; I asked my roommate if I could use his steam account, to put the money on his wallet, use his account and trade the items back to my account. He told me that there were absolutely no problem, and that he would even do that for me, as long as I pay for my stuff.
But there are two problems, that, again, I can understand.
1. He did forget his password, so, password reset. And doing so, we locked his account out of not only the market, but also TRADING. Dammit, a lot of people must have done REALLY stupid things on steam to get valve come to such ends... but okay, I can understand. But I would have really preferred to be warned before, though. Again and again.
2. Also, he didn't buy a single game in the past year (tough times, indeed). So the account is locked out of the market for a month (30 days) in addition to that. Again, thanks to stupid scammers, there's another limitation, but this case, there was nothing to warn me of. Unfortunately, English being my second language, the warning they displayed was not crystal clear to me, and even though I did understand that buying a game was required, I didn't get the 30 days part at first.
So, as a result, I did buy a prepaid wallet topup card from a store, and added it to my roommate's account, hoping to be able to buy from the market as soon as the password-reset delay was elapsed. Now I've realized that I won't be able to use this money for the market before 30 days, so I will probably buy from the steam store too with it, instead of waiting for the summer sale to be finished...
But okay, that second point was my fault, so I won't complain about having my money locked for 30 days: there was a warning displayed BEFORE, in this case.
But hey, wait... the money I put on my roommate's wallet is locked ANYWAY! I cannot even buy something from the steam store with it, 'cause it complains about some obscure "the payment method does not correspond to the country of the store" reason. Again, again, and again, I wasn't WARNED before. So I guess I have to wait for the summer sales to be finished in order to be able to use my money?

(EDIT: my roommate has apparently sent a ticket to the steam support about this)

Now, the end of the story:

I managed to have my wallet balance dropped to zero, and the steam market is still locked for me; even tho I have no money in my wallet. Meaning that if (or when) I'll add more topup in it, this topup will be locked too: Right now, I cannot add money in my wallet, for no valid reason.

I've emailed steam support about that, 'cause it's definitely a bug. I hope they will find the time to answer me, and I hope that they will then become aware that this is a bug (and not dismiss me).

But if I write this post right now, and the reason why I'm both disappointed and angry, it's especially to say that if there were WARNINGS BEFORE I did each of these actions that resulted in my money being locked, I wouldn't have had to spend 30E to try'n'guess how their system works, and I wouldn't have had to wait days for nothing.

So Valve, please have these warnings displayed BEFORE people do actions that will harm their freedom. Maybe they won't give you their money on evenings or sundays knowing that it will be locked for a week, and they will wait for the stores to be open on the next weekday instead... So you will get the money one day after. But I think that this is negligible when you have your users feeling tricked into giving you their money...

I hope someone (from Valve?) will understand my point here. And also, if this message (not the title, it's meant to be catchy) sounds unconstructive, please tell me why in the comments, I'll do my best to correct it. Thanks :)
Last edited by 7heo; Jul 13, 2013, 17:59
Showing 16-30 of 35 comments
Originally posted by a.t:
The funny thing is, in my situation, I was like "Phew, thank God the Steamguard ban is over before the sale, that would have been a pity to not be able to use the market at all during that time!" and the day before the sale I put in some new credit card number and bam! I am "banned" for a week! FML ;)

Yeah. One should make a wiki about the steam client, to warn about all those facts... Let's say we start one, do you think you would contribute and try to input what you learnt from your experience?
Originally posted by BK:
Yeah. One should make a wiki about the steam client, to warn about all those facts... Let's say we start one, do you think you would contribute and try to input what you learnt from your experience?
Well not really. I wouldn't have consulted a wiki personally. There are certainly many little details, that's why Steam doesn't give any warning, but not enough to create a website imo. A sticky post on this subforum would be great that would be the job of a moderator maybe?
Originally posted by Karl Marx:
this is the problem with horrible DRM

How you treat your customers has nothing to do with Digital Restriction Management. Valve's Steam platform is a great step forward, giving us NON-INTRUSIVE DRMs that don't (usually) prevent the game from working.
Here, I rant about the lack of WARNINGS in the steam client (and website probably). Not about the lack of freedom you have about not being able to install your games when you want and where you want, this is yet another topic.

You can also use Good Old Games if you want to have NO DRMs at all in your games. They don't have all the titles that are in steam, but it's usually cheaper for us Europeans (since it's in dollars for everyone).
Originally posted by a.t:
Originally posted by BK:
Yeah. One should make a wiki about the steam client, to warn about all those facts... Let's say we start one, do you think you would contribute and try to input what you learnt from your experience?
Well not really. I wouldn't have consulted a wiki personally. There are certainly many little details, that's why Steam doesn't give any warning, but not enough to create a website imo. A sticky post on this subforum would be great that would be the job of a moderator maybe?

Yeah, well, in my case, I wouldn't have checked the forums before... So maybe the only solution is the warnings we are mentioning from the start :P
So, for example, at the Password Reset screen you are suggesting it say something like "WARNING: Resetting your password prevents you from trading and using the Market for a cooldown period of 30 days as a security measure."? Would that have stopped you from resetting your password?

Originally posted by Shatter:
So, for example, at the Password Reset screen you are suggesting it say something like "WARNING: Resetting your password prevents you from trading and using the Market for a cooldown period of 30 days as a security measure."? Would that have stopped you from resetting your password?

Definitely, yes, we would have searched for the older password harder... It was just out of laziness that we did reset it.

Except that the warning should say:

WARNING: Resetting your password PREVENTS you from TRADING and USING THE MARKET for a cooldown period of at least five days as a security measure.

☐ Please check this box to confirm that you agree with the message above.

IMPORTANT NOTE: Additionally, this account has a disabled market access for 30 (thirty) days after the next purchase, due to a long inactivity period on the store.
Last edited by 7heo; Jul 14, 2013, 4:40
imho, the solution would be to have warning texts corresponding to these security measures, in the database, and to add a binary field to mark if it has been displayed and (when it's necessary) validated (marked as "I agree", or "I understood, please continue") by the user.

And unless it has been displayed and validated by the user, they should be kept for display the next time this user has an interaction with the client/website.

It's not THAT hard to do, especially for Valve, and it would REALLY be an improvement for the users.

Please, Valve, show us you don't see us as walking wallets... You're better than that, I'm sure... You're not Apple or Microsoft, after all, are you?
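The scheme proposed in the post above (warning texts stored in the database, with a flag recording whether each was displayed and, where required, validated), as an added example that is not part of the original thread and not Valve's code. The table names, action names and the wallet notice text are assumptions made for illustration; the password-reset notice text is the one suggested earlier in the thread.

```python
import sqlite3

# Hypothetical schema: one row per warning text, one state row per (user, warning).
SCHEMA = """
CREATE TABLE notice (
    id INTEGER PRIMARY KEY,
    action TEXT NOT NULL,       -- action the notice guards (assumed names)
    body TEXT NOT NULL,
    needs_ack INTEGER NOT NULL  -- 1: user must confirm, 0: display is enough
);
CREATE TABLE notice_state (
    user_id INTEGER NOT NULL,
    notice_id INTEGER NOT NULL REFERENCES notice(id),
    displayed INTEGER NOT NULL DEFAULT 0,
    acknowledged INTEGER NOT NULL DEFAULT 0,
    PRIMARY KEY (user_id, notice_id)
);
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO notice VALUES (?, ?, ?, ?)", [
        (1, "password_reset",
         "WARNING: Resetting your password PREVENTS you from TRADING and USING "
         "THE MARKET for a cooldown period of at least five days as a security "
         "measure.", 1),
        # Constructed text for the wallet hold described in the first post.
        (2, "wallet_topup",
         "Funds added with a new payment method may be held for one week "
         "before they can be used on the Market.", 0),
    ])
    return db

def pending(db, user_id, action=None):
    """Notices the user has not validated yet: never displayed, or displayed
    but still waiting for a required confirmation. action=None lists all."""
    return db.execute("""
        SELECT n.id, n.body FROM notice n
        LEFT JOIN notice_state s ON s.notice_id = n.id AND s.user_id = ?
        WHERE (? IS NULL OR n.action = ?)
          AND (COALESCE(s.displayed, 0) = 0
               OR (n.needs_ack = 1 AND COALESCE(s.acknowledged, 0) = 0))
        ORDER BY n.id""", (user_id, action, action)).fetchall()

def attempt(db, user_id, action):
    """Gate an action: it stays blocked, and the notices are returned for
    display, until every notice guarding it has been validated."""
    todo = pending(db, user_id, action)
    for notice_id, _ in todo:
        db.execute("INSERT OR IGNORE INTO notice_state (user_id, notice_id) "
                   "VALUES (?, ?)", (user_id, notice_id))
        db.execute("UPDATE notice_state SET displayed = 1 "
                   "WHERE user_id = ? AND notice_id = ?", (user_id, notice_id))
    if todo:
        return "blocked", [body for _, body in todo]
    return "allowed", []

def acknowledge(db, user_id, notice_id):
    """Record the 'I agree' click; rejected if the notice was never displayed."""
    cur = db.execute("UPDATE notice_state SET acknowledged = 1 WHERE user_id = ? "
                     "AND notice_id = ? AND displayed = 1", (user_id, notice_id))
    return cur.rowcount == 1
```

Calling `pending(db, user_id)` without an action gives the list to show at the user's next interaction with the client or website, which is the "kept for display" part of the proposal.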
They should offer optional RSA tokens, which can be used additionally to the password. Even after a reset you still require the RSA token. Due to that security measure, any restrictions after resetting the password will be obsolete.

:headcrab:
Originally posted by Ilmyr:
STEAM SUPPORT IS THE WORST! (Steam, how about you improve that?)

I have to take exception to this, EA's support is, hands down, the worst. I'm not defending Steam's support, just saying, they aren't as bad as EA...because I'm pretty sure that's not possible. /shoulder-chip

That said, this is a significant problem that is clearly going to hit Valve in the wallet at least to some extent, which often overshadows security concerns. In my experience, for every person who bothers to speak up about an issue like this several others simply walk away, and those lost tend to do a great deal of word-of-mouth complaining rather than addressing the issue with the people who could fix it.
Just for the sake of readability: RSA[en.wikipedia.org] is related to public key cryptography[en.wikipedia.org]; a method allowing (among other things) the use of a private key (which HAS to be kept secret) and a widely available public key as an authentication over the network.
Originally posted by Belasco32:
Originally posted by Ilmyr:
STEAM SUPPORT IS THE WORST! (Steam, how about you improve that?)

I have to take exception to this, EA's support is, hands down, the worst. I'm not defending Steam's support, just saying, they aren't as bad as EA...because I'm pretty sure that's not possible. /shoulder-chip

Yeah. I didn't try EA's support, but I would expect that, true.

Originally posted by Belasco32:
That said, this is a significant problem that is clearly going to hit Valve in the wallet at least to some extent, which often overshadows security concerns. In my experience, for every person who bothers to speak up about an issue like this several others simply walk away, and those lost tend to do a great deal of word-of-mouth complaining rather than addressing the issue with the people who could fix it.

Yes. I spoke with MANY people stating that this had happened to them. But I just fail to bring them here and have them contribute; they have many reasons to not do so.

Another point: As mentioned before, I should contact the Steam support for addressing that issue. I don't think it would work. Not because the Steam support is necessarily bad; but because they must be knee deep in tickets at the moment, just because of the summer sales.

So I will try to bring this thread to Valve's attention one way or another; but my feeling is that something should definitely be done about it.
Last edited by 7heo; Jul 14, 2013, 5:07
Okay, some update:

  • The steam support answered my roommate, saying that the notices aren't even correct, and that while they say "Locked for five days" it's actually locked for 30 days whenever the account was not active for a long period, regardless of what the notice says. So prior to having warning messages, one good thing would be to have correct notices...

  • Now, the steam support also answered my request, about the "I spent all my wallet topup, how come it's required to validate 0E?"; and they simply stated that they couldn't do anything about any delay. About the fact that I asked them to relay the information to the steam development team, they remained silent, for now.

So even prior to having correct notices (and then, warnings); it would be really appreciable to have a public (as accessible from a steam account) ticket system; more or less like "get satisfaction" or any customer system. And I'm not talking about a messy "suggestion" forum, where everything is so easily buried down and forgotten...

I still hope valve would do something about this. For example, they could take example on GOG, with their awesome wishlist[www.gog.com] system.

Please valve, don't let us down on this one... The community could greatly improve the Steam platform.
Last edited by 7heo; Jul 18, 2013, 15:21
Go on. Explain why SSL is flawed and why not to use mainstream payment gateways.
So many security experts these days....
Yay, here the trolls come! I missed you guys!</sarcasm>

Originally posted by Muppet among Puppets:
Feedback is good when you still know what you just read. No one can remember a wall of text next to other posts.
Yet people answered to it...

Originally posted by Muppet among Puppets:
Rule of thumb: When acting with "machines" don't create too difficult scenarios which are dedicated to be tricky when problems happen.

Rule of thumb: when developing the UI in a software, always inform the user BEFORE a choice does irreversible actions.

Originally posted by Muppet among Puppets:
The feedback that is important:
Give warnings BEFORE money gets added to your account.

One can also do that, but everyone knows (windows vista, or seven, I cannot remember), how obviously unnecessary warnings can be annoying.

Originally posted by Muppet among Puppets:
It shouldn't be normal to use friends accounts btw..... for safety.

Yeah, I'll tell all my friends to NOT use their account then. (please read before posting next time).

Just for reference:

Originally posted by BK:
He told me that there were absolutely no problem, and that he would even do that for me, as long as I pay for my stuff.
Last edited by 7heo; Jul 19, 2013, 0:15
Originally posted by Sayori M.D.:
Go on. Explain why SSL is flawed and why not to use mainstream payment gateways.
So many security experts these days....

It doesn't take a security expert to see that SSL is flawed.
So many superlicious people these days....

Okay, so I'm gonna explain. In addition to the possibility that SSL can be stripped (SSLstrip, see the second part), SSL is based on certificates, that are part of a chain. This chain has two extremities: the service you consult (obviously), and the CA (certificate authority).
The problem is with the latter. A root certificate which is "said" to be the one of a certificate authority is always delivered to you via the network (and unencrypted, most of the time, afaik). Moreover, it is included in your browser, or linux distribution, or OS, or whatever.

This root certificate collection is by NO MEANS secure. It can be changed "on the fly" by any peer along the path from your computer to the point where you get these root certificates. That means, by your internet provider, by the government, by any companies that sell transit/peering, etc.

Also, the list can be altered by the distributor without you knowing (i.e. by the browser distributor, OS distributor, etc.), leading to the same problem.

Of course, changing a root certificate doesn't mean that the SSL checks will fail if you connect to the RIGHT server (i.e. the true service you wanted to reach)... But it won't also fail if your data is spied along the way, or else (can be altered, too, yes).

That, in addition to the DNS spoofing that is also possible with distributing an OS (sets the DNS servers), a browser (you can skip the OS DNSes and use the ones you want), or by being an ISP (what, ISPs provide DNS services?! ORLY?!!!); this can be a real hole. A big one. Huge even.

Bottom line (for part 1): Don't trust ANY key you didn't check by two different channels, them being meeting physically, or even (necessary sometimes) via phone or postal mail (can be spoofed too, but more difficult for the attacker).

Now, the second part. Why could one try to avoid mainstream payment gateways??? (yes I'm glad you used that term; I wouldn't have come with a more suited one myself).

Because they are mainstream, you dumb. If everyone uses the same set of services, it makes these services too powerful. Money does not exist. It's an abstraction of your mind. Paper exists. Metal exists. Money does not. So by everyone using the same services, everyone will trust the same services. By placing everyone's trust at the same place, you give them the power to change things for everyone at the same time. Here come problems. That is valid for all the centralized services such as (non exhaustive list): paypal, google, yahoo (not that used, so less bad), apple, microsoft, etc.

Ever heard of prism? Snowden? Well, that's because of these exact habits that prism is/has been possible.

Internet is not meant to be centralized that way. It's a network in which each node is BIDIRECTIONALLY connected to the other. Please understand that part. The real internet is peer to peer. I never said illegal downloading, or even illegal. Just peer to peer.

Now, for reference: I don't have the time to do it (I spent nearly half an hour on this post, so that's enough), but if you do search for "sslstrip paypal", you will notice that paypal did try to harm the guy behind SSL strip for releasing this flaw and the related exploit to the general public.

Now I already imagine you stating that "that is normal, if you attack paypal, you will get blamed, etc etc". Please think. If a flaw exists, the only acceptable outcome is to have it corrected. Not HIDDEN, corrected. So that guy did great. Paypal did not.

Now paypal is not the only problem (by far), and yes, I'm aware that I use Steam, a centralized platform. But here it is: I'm not enchanted by the fact that I use a centralized platform, but I agree to do so because the previous alternatives were way worse (remember starforce?) and because steam's reach is only video games (okay, they can profile you through games usage exactly the same way google can profile you through emails and chat, that's true, but well, I hope they don't do that). And well, having a linux client does greatly help about that point. And as I said before, I spent way too much time answering a troll this time.

My two cents.
Last edited by 7heo; Jul 19, 2013, 0:53

Date Posted: Jul 13, 2013, 16:26
Posts: 35