This application is not accepting the code. It would be nice if you guys bring back the email authenticator. Thank you.
http://store.steampowered.com/news/20631/
Account and Item Theft
In December we took steps to improve account security by adding more security features, including the Steam Guard Mobile Authenticator and trade holds.
Since then, we've seen lots of users adopting the Steam Guard Mobile Authenticator (two-factor authentication) for trade and market confirmations, and now roughly 95% of daily trades use the mobile authenticator, with trade volumes as high as ever. The authenticator is the best tool that users have to protect their accounts, and the fastest and most secure way to trade items.
ok thx
Valve make sure you have a good boundary defense and a secure network and stop bugging your customers. Don't put the onus on us.
Because of all the reasons Steam lists in these 2 posts
http://store.steampowered.com/news/20631/
http://store.steampowered.com/news/19618/
Compromised accounts and item theft
Account theft has been around since Steam began, but with the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users. Having your account stolen, and your items traded away, is a terrible experience, and we hated that it was becoming more common for our customers.
Once an account was compromised, the items would be quickly cleaned out. They'd then be traded again and again, eventually being sold to an innocent user. Looking at their account activity, it wasn't too hard to figure out what happened, but undoing it was harder because we don't want to take things away from innocent users. We decided to err on the side of protecting them: we left the stolen goods, and we created duplicates on the original compromised account to replace them. We were fully aware of the tradeoff here. Duplicating the stolen items devalues all the other equivalent items in the economy. This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence.
The number of hijacked accounts continues to grow
This was an unacceptable status quo and we needed to address it. In revisiting our strategy to stop it, we found two things of note.
First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers. Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time. Essentially all Steam accounts are now targets.
The "I got hacked" story is told so frequently it's become commonplace. And that makes it easy to forget its significance; compromised security of email accounts and PCs, Steam account violation, and theft. We used to hold the opinion that if you were smart about account security, you'd be protected--it's easy to assume that users whose accounts were stolen were new or technically naïve users who must be sharing their passwords or clicking on suspicious links. That's simply not the case.
What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don't understand how to stay secure online, but the prevalence of items makes it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.
We can help users who've been hacked by restoring their accounts and items, but that doesn't deter the business of hacking accounts. It's only getting worse.
How we can stop it
We've worked to improve account security features, closed loopholes, improved how and when we message users that their account is at risk, added self-locking, and created the Steam Guard Mobile Authenticator (two-factor authentication).
Two-factor authorization is the use of a separate device to confirm your identity. The security of this system is based on moving that step from your PC to a device a hacker can't access, such as your smartphone. PCs can be easily compromised, therefore a PC-based authenticator would not provide better security than a password or email authentication.
We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.
Here's the tradeoff
At this time, most people have not protected their account with this increased level of security. Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authorization. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone.
So what if instead of trying to prevent hackers from being able to steal a Steam account that hasn't enabled two-factor authentication, we tried removing their ability to profit from the theft. If hackers couldn't move the stolen goods off the hacked account, then they couldn't sell them for real money, and that would remove the primary incentive to steal the account. Hackers fundamentally rely on trading to offload stolen goods. The Steam Community Market doesn't work well for that purpose, because purchases can't be moved around as quickly (purchased items can't be traded for 7 days), and they can't ensure the items move to an account they control.
One option proposed was to simply remove trading. The Steam Market already accounted for the vast majority of virtual goods exchanged by Steam users. We even generate revenue off those transactions, which helps cover the cost of fraud, unlike person-to-person trades. And removing trading was by far the easiest solution to implement. But we felt that was a bad choice for users. Another easy choice would have been to require two-factor authentication for trading, but that's bad for the same reasons as removing it entirely. It's important that you can give a friend a TF2 weapon when he comes to try out the game, or give a friend the last trading card she needs to craft a game badge.
We felt that two-factor authentication was secure enough that it would protect anyone who enabled it, so the problem was the accounts that couldn't enable it (e.g. no mobile phone access). In the end, we arrived at the changes we're deploying today:
Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.
This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover them before the hackers can steal their items.
A difficult balance
Once again, we're fully aware that this is a tradeoff with the potential for a large impact on trading. Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products. Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle - a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.
Hopefully this post has given you some insight into the problem, and why we've taken this approach. As always, we'll continue to read the community's discussions throughout the Steam forums and the web at large, and we look forward to hearing your thoughts.
Recently we walked through our thinking on account security and trading http://store.steampowered.com/news/19618/, and introduced some new tools for users to protect their accounts. Now that we've had some time to gather data, we'll be making a few more changes to account security, market transactions, and our account restoration process.
Below are the changes that will take place on March 9th. If you are already protected by the Steam Guard Mobile Authenticator (or if you add the security feature to your account today), the first two points below will not impact you:
Trade hold duration will be increased to 15 days (for long-time Steam friends the duration will remain 1 day)
Listing on the Steam Community Market will have a hold of 15 days before an item can be sold
Steam Support will no longer restore items that have left accounts following a successful trade or market transaction (a process that previously created duplicates of original items)
To help understand these changes, we wanted to walk you through the results we've seen so far and our reasoning behind these next steps.
First, it's worth revisiting our goals behind the two main ways customers interact with in-game economies on Steam: Trading and the Steam Community Market. Our primary goal for Trading is to allow customers to easily exchange items with their friends. Our goal for the Steam Community Market is to provide customers with a way to sell any unwanted goods to other players. Both systems work well for these purposes, but they can be a source of pain if the security of your account is ever compromised.
Account and Item Theft
In December we took steps to improve account security by adding more security features, including the Steam Guard Mobile Authenticator and trade holds.
Since then, we've seen lots of users adopting the Steam Guard Mobile Authenticator (two-factor authentication) for trade and market confirmations, and now roughly 95% of daily trades use the mobile authenticator, with trade volumes as high as ever. The authenticator is the best tool that users have to protect their accounts, and the fastest and most secure way to trade items.
Trade Holds
For users who have yet to transition to the Steam Guard Mobile Authenticator, trade holds provide a way to continue to exchange items. Items in a trade hold are held by Steam for a period of time before delivery. This allows users whose accounts have been compromised to quickly cancel any fraudulent trades to recover their items. Trade holds are effective, but unfortunately the current three-day hold fails to protect users who log in less frequently and who need more time to identify a problem. So we'll be adjusting the system to accommodate the majority of customers by increasing trade holds to 15 days.
If you're exchanging items with a friend, and you've been friends for more than a year, don't worry - the trade hold duration is still one day.
Market Holds
Trade holds have been successful, but until now they've been limited to trades. If the Steam Guard Mobile Authenticator was not enabled on a user's account, it was still possible for a hacker to quickly liquidate a user's inventory through the Steam Community Market. To further protect users who haven't enabled the authenticator, holds will now also apply when you list items on the Steam Community Market. Market listing (like trades) will still be instantaneous if you're using the Steam Guard Mobile Authenticator.
Item Duplication
Since the last account security update, we've made significant progress in protecting accounts. In addition to significantly increasing the size of Steam Support to improve response times, individual accounts protected by the Steam Guard Mobile Authenticator on a separate device turned out to be even more effective than we'd hoped. For customers who have yet to add the Steam Guard Mobile Authenticator, trade holds have been helpful in keeping items secure, and we expect that the added duration and extension of holds to the Steam Community Market will further improve security.
Our work isn't finished, but we've seen enough progress in account security to finally address an old problem: item duplication. Currently, if an account is compromised and items have been lost through a successful trade or market transaction, we would manually restore the items, creating duplicates of the original items in the process. That process of manual restoration and duplication has the negative side effect of changing an item's scarcity - as more copies of the item are created, the value of every other similar item is reduced. In addition, it created a method by which users could be rewarded for faking account hijacks.
While we'll continue to assist users with the recovery of their account if they encounter an issue, beginning March 9th we will no longer be manually restoring items that have left the account due to a successful trade or market transaction.
Balance
There's a delicate balance between account security and the convenience of interacting with the market or trade. Any time we make changes, there's the risk of significant disruption. We recognize that today's changes will be inconvenient for users who have yet (or are unable) to use the Steam Guard Mobile Authenticator. But if you're a high volume trader (who our data shows is likely using the authenticator already), or a trader who likes to exchange items with friends, these changes won't really affect you at all. We believe these steps are necessary to ensure that accounts are made more secure, that users are empowered to identify and solve problems, and that the economic systems enjoyed by millions of customers are not compromised by people with malicious intent.
Account security is an issue that affects everyone, and we hope this post has helped to explain our goals and reasoning as we move forward. Please continue to provide your feedback and account security ideas in the Steam forums and elsewhere on the web.
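
The reasoning in the quoted Steam post about why a generic authenticator code cannot protect a trade, as an added Python example that is not part of the thread and not Valve's implementation: an RFC 6238 code depends only on the shared secret and the clock, while a confirmation computed over the trade contents stops verifying once the trade is altered. The HMAC confirmation scheme, the function names, the secret and the trade records are constructed assumptions.

```python
import hashlib
import hmac
import json
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of the secret and the clock only."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def server_accepts_generic_code(secret, code, unix_time, trade_submitted) -> bool:
    # trade_submitted cannot be checked: the code says nothing about the trade.
    return hmac.compare_digest(code, totp(secret, unix_time))


def trade_digest(trade: dict) -> bytes:
    # Canonical JSON so both sides hash identical bytes for identical trades.
    return hashlib.sha256(json.dumps(trade, sort_keys=True).encode()).digest()


def confirm_on_device(secret: bytes, trade_shown: dict) -> str:
    """Separate device: the user reviews trade_shown, the device tags exactly that."""
    return hmac.new(secret, trade_digest(trade_shown), hashlib.sha256).hexdigest()


def server_accepts_confirmation(secret, tag, trade_submitted) -> bool:
    expected = hmac.new(secret, trade_digest(trade_submitted), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def demo():
    secret = b"constructed-demo-secret"   # constructed sample value
    now = 1_450_000_000                    # constructed timestamp
    intended = {"give": ["common crate"], "to": "friend_account"}
    altered = {"give": ["rare item"], "to": "unknown_account"}  # what a hijacked PC submits
    code = totp(secret, now)               # user types the generic code into the PC
    generic = server_accepts_generic_code(secret, code, now, altered)
    tag = confirm_on_device(secret, intended)
    return generic, server_accepts_confirmation(secret, tag, intended), \
        server_accepts_confirmation(secret, tag, altered)


if __name__ == "__main__":
    print(demo())
```
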