1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

News 77,000 Steam accounts hijacked each month, says Valve

Discussion in 'Article Discussion' started by Gareth Halfacree, 10 Dec 2015.

  1. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,974
    Likes Received:
    1,577
  2. MadGinga

    MadGinga oooh whats this do?

    Joined:
    19 Mar 2009
    Posts:
    1,888
    Likes Received:
    105
    With 75million "active" accounts that's only 0.1% affected, and would take just over 81 years for every account to be done-over...
     
  3. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,974
    Likes Received:
    1,577
    To put it another way: you have a one-in-a-thousand chance of having your account pinched. Now, those might be long odds - but given how easy it is to use Steam Guard, I'm happier with 2FA in place. (I don't buy Valve's explanation for not using an existing 2FA platform like Google Authenticator, though, 'cos it makes no sense. I think what Valve *meant* to say there was "we developed our own 2FA platform 'cos then we can bundle it in with the Steam Mobile app and massively boost the number of installs, which will look great when it comes time to show the investors what's cookin'.")
     
  4. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,127
    Likes Received:
    299
    Have I mistakenly assumed i was using 2FA? When logging into Steam from a new device they email me a code that i have to enter, i thought that was 2FA but having read this article it's got me doubting how secure my account is. :(
     
  5. Parge

    Parge the worst Super Moderator

    Joined:
    16 Jul 2010
    Posts:
    12,857
    Likes Received:
    550
    Do Steam have investors? I thought they were a wholly private company?
     
  6. XXAOSICXX

    XXAOSICXX Member

    Joined:
    20 Apr 2011
    Posts:
    754
    Likes Received:
    14
    Valve's refusal to use an existing 2FA platform like Google/Microsoft Authenticator has left Windows Phone users like myself at a distinct disadvantage in this regard. Very frustrating.
     
  7. d_stilgar

    d_stilgar Old School Modder

    Joined:
    11 Feb 2010
    Posts:
    924
    Likes Received:
    47
    Valve is privately owned. There are no investors to impress. It would just be owners impressing themselves.

    Nope, that's 2FA. It is much easier however for a person to hijack two accounts (esp. if you're a dummy who uses the same password) than it is for them to gain physical access to your phone.

    Yeah. That's the part I hate. They assume everyone has either iOS or Android, or they know the market share for "everything else" is that they just don't care. That hurts Windows phone and anyone else from being able to compete.
     
  8. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,974
    Likes Received:
    1,577
    Arguably, that's not two-factor authentication: it's two-step verification. Real two factor authentication requires two independent things: in the case of Steam Guard, it's your password for Steam (something you know) and access to the one smartphone with the linked Steam Mobile app installed (something you have). In the case of sending an email saying "are you really trying to log in," all it's doing is checking two things you know: the password for Steam and the password for your email (both something you know.)

    Don't get me wrong, it's a lot better than not having any security on the account at all - but it's not true 2FA. Assuming you've got a compatible mobile device, I'd install Steam Mobile and use Steam Guard.
    Fair point - in that case "make Steam Mobile look better during progress reports."
     
  9. Xlog

    Xlog Active Member

    Joined:
    16 Dec 2006
    Posts:
    537
    Likes Received:
    37
    Ha. now try being Meego/Mer user. No support from anyone.
     
  10. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,127
    Likes Received:
    299
    Thanks for clarifying that, i don't have a smart phone (I'm a luddite when it comes to phones) so the two-step verification is the best I'm gona get, not that there's much value in my Steam account. :)
     
  11. liratheal

    liratheal Sharing is Caring

    Joined:
    20 Nov 2005
    Posts:
    10,373
    Likes Received:
    653
    Yes, sure. 2FA. For people with Apple/Android phones.
     
  12. leexgx

    leexgx CPC hang out zone (i Fix pcs i do )

    Joined:
    28 Jun 2006
    Posts:
    1,341
    Likes Received:
    8
    just make sure you have 2FA login enabled on your google or outlook/hotmail account (use sms way if you don't have a smartphone)
     
  13. Porkins' Wingman

    Porkins' Wingman Can't touch this

    Joined:
    23 Feb 2008
    Posts:
    2,895
    Likes Received:
    128
    I had an attempt on my account last week, some cheeky chap in Minsk supposedly. Luckily I'd initiated the email verification system for new devices, but I will install the mobile app today.

    I don't save my payment details in Steam anymore, buy I still don't want to risk access to all my juicy backlog.
     
  14. .//TuNdRa

    .//TuNdRa Resident Bulldozer Guru

    Joined:
    12 Feb 2011
    Posts:
    4,042
    Likes Received:
    109
    I don't see the point in this personally, it's great for people who want to secure their steam account further, but personally; i've already got two-factor authentication on my email, and Steam needs two step verification before anything new can log in anyhow, so i've already got two factor authentication, in a roundabout way.

    None of this, as far as I'm aware, protects against someone maliciously gaining access to the machine and running off with the steam .blob file, however, as that can supposedly allow any other machine to bypass the two-step verification, as it causes steam to treat it as if it were an already authenticated machine, just logging back in from another location, rather than a new device.
     
  15. Paradigm Shifter

    Paradigm Shifter de nihilo nihil fit

    Joined:
    10 May 2006
    Posts:
    2,062
    Likes Received:
    37
    Anyone that can gain physical access to a system has all power necessary over that system or anything on it anyway. There are ways to minimise physical exposure (encrypted disks, passworded BIOS/boot, locking the case with fancy screws) but anyone determined enough can get around that with enough time/effort.
     
  16. Corky42

    Corky42 Where's walle?

    Joined:
    30 Oct 2012
    Posts:
    9,127
    Likes Received:
    299
    If someone can make off with your steam .blob file you probably have more to worry about than just your Steam account.
     
  17. Gareth Halfacree

    Gareth Halfacree WIIGII! Staff Administrator Super Moderator Moderator

    Joined:
    4 Dec 2007
    Posts:
    11,974
    Likes Received:
    1,577
    No, you haven't. The verification email is sent in plain text, so anyone between Steam's server and your email server can grab the code in transit without logging into your email account. (Is a MITM attack likely? No, but we're not discussing likely: we're discussing 2FA.)
     
  18. Wwhat

    Wwhat Member

    Joined:
    2 Oct 2005
    Posts:
    263
    Likes Received:
    1
    What? They still make games like that? Where do you find those?
     
  19. Wwhat

    Wwhat Member

    Joined:
    2 Oct 2005
    Posts:
    263
    Likes Received:
    1
    I like that quote "These are not new or naïve users; these are professional CS:GO players, reddit contributors..."

    Uhm.. yeah those are probably all geniuses then eh, right. reddit contributors..
     
  20. Wwhat

    Wwhat Member

    Joined:
    2 Oct 2005
    Posts:
    263
    Likes Received:
    1
    When steam asked me for my cell phone number I was also 'get the hell out of here'
    And apart from me not wanting all that crap in itself I also wonder if people having more and more info on a system is a smart move, the more info there is the more attractive it becomes to hack and the more devastating to the victim if a hack succeeds.
     

Share This Page