When it comes to virtual loot, gamers like bling.
Take weapon skins: as Rock, Paper, Shotgun’s Emily Richardson explains, when it comes to top-notch tactical fashion, for many players, drab, mud-hued camouflage doesn’t cut it.
[Weapon skins are] bright, they’re weird, they’re occasionally very expensive. Some of us don’t care for them, but many more do. They’ve been a phenomenal success, so much so that the rarest knives sell for more than the Steam wallet’s cap of $500, and betting and trading sites are springing up all over the web.
In other words, virtual loot is worth very real money, and it’s attracting gaming account hijackers like flies to honey.
Valve, the developers of the Steam online gaming platform that Richardson mentioned, said on Wednesday that account hijacking has become an epidemic, with “around 77,000 accounts hijacked and pillaged each month.”
Valve said that account theft has exploded since the service launched item-trading back in 2011:
With the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users.
It’s not just a few random attackers. At this point, it’s a flourishing criminal enterprise, the company said:
What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items.
The victims aren’t gaming newbies or naïve users, Valve said.
Every user, however savvy or experienced, is up against a relentless force of hijackers who target every account, not just the ones whose owners don’t understand how to stay safe online:
These are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.
To help gamers fend off scammers, Valve last month introduced a waiting period for gamers who wanted to trade items.
The idea was to slow down the thieves, preventing quick transfer or liquidation of the items while also giving users some time to discover that their account’s been compromised.
Granted, two-factor authentication (2FA) should help.
To that end, Valve created the Steam Guard Mobile Authenticator: a feature of the Steam mobile app that generates a new, random code every 30 seconds.
It works like other 2FA generators: users have to enter the random code at login, along with their password.
That should help to fend off would-be account hijackers, given that even if they’ve gotten their hands on a password, they won’t have the constantly updated, ever-changing code.
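What a time-based code generator and its server-side check look like, as an added example (not Valve's code and not from the original article). It implements the generic RFC 6238 TOTP scheme used by common authenticator apps, which is an assumption here, since the article says only that Steam Guard works like other 2FA generators; the secret, function names and drift window are illustrative.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, matching the 30-second rotation described above


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing `now`."""
    counter = int(now) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_code(secret: bytes, code: str, now: float,
                last_counter: int = -1, drift: int = 1):
    """Return the matched time-step counter, or None if the code is rejected.

    Accepts +/- `drift` steps of clock skew, and refuses any step at or
    before `last_counter` so an already-used code cannot be replayed.
    The caller stores the returned counter as the new `last_counter`.
    """
    current = int(now) // STEP
    for counter in range(current - drift, current + drift + 1):
        if counter <= last_counter:
            continue
        expected = totp(secret, counter * STEP)
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected.encode(), code.encode()):
            return counter
    return None


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed sample (RFC test secret)
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("accepted in its window:", verify_code(secret, code, 59))
    print("replayed after use:", verify_code(secret, code, 59, last_counter=1))
    print("two minutes later:", verify_code(secret, code, 179))
```

The password alone never produces the code: it is derived from a separate secret shared only between the device and the server, and it stops verifying once its time window (plus the allowed drift) has passed.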
But although 2FA makes tons of sense, not all users can use it – for example, those who don’t have a mobile phone.
So while Valve thought that 2FA would protect anyone who could use it, it came up with these other changes for trades, all of which the company implemented on Wednesday:
- Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
- If you’ve been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
- Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.
The upshot: if you’re using 2FA, you can keep trading as always.
If not, you’ll have to wait up to 3 days for trades to go through, which will give you time to figure out if you’ve been hacked and to get your account back before intruders can steal your stuff.
At Naked Security, we talk about 2FA a lot.
We applaud companies that give this powerful tool to users, and we encourage users to plug it in when possible.
So kudos to Valve for these moves, which its post clearly shows were well thought out.
But remember, there are other steps to take to keep accounts from getting hijacked, including picking a strong, unique password – in other words, don’t reuse passwords.
Also, be wary of clicking on what could be phishy links in emails. And, of course, always stay on top of security patches.