
Steam tightens security to stem tide of 77,000 monthly hijackings

14 Dec 2015 | Data loss, Security threats

by Lisa Vaas

When it comes to virtual loot, gamers like bling.

Take weapon skins: as Rock, Paper, Shotgun’s Emily Richardson explains, when it comes to top-notch tactical fashion, for many players, drab, mud-hued camouflage doesn’t cut it.

Richardson:

“[Weapon skins are] bright, they’re weird, they’re occasionally very expensive. Some of us don’t care for them, but many more do. They’ve been a phenomenal success, so much so that the rarest knives sell for more than the Steam wallet’s cap of $500, and betting and trading sites are springing up all over the web.”

In other words, virtual loot is worth very real money, and it’s attracting gaming account hijackers like flies to honey.

Valve, the developers of the Steam online gaming platform that Richardson mentioned, said on Wednesday that account hijacking has become an epidemic, with “around 77,000 accounts hijacked and pillaged each month.”

Valve said that account theft has exploded since the service launched item-trading back in 2011:

“With the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users.”

It’s not just a few random attackers. At this point, it’s a flourishing criminal enterprise, the company said:

“What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items.”

The victims aren’t gaming newbies or naïve users, Valve said.

All users, regardless of how savvy or experienced they are, are up against a relentless force of hijackers who target every account, not just the ones whose owners don’t understand how to stay safe online, Valve said:

“These are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.”

To help gamers fend off scammers, Valve last month introduced a waiting period for gamers who wanted to trade items.

The idea was to slow down the thieves, preventing quick transfer or liquidation of the items while also giving users some time to discover that their account’s been compromised.

Granted, two-factor authentication (2FA) should help.

To that end, Valve created the Steam Guard Mobile Authenticator: a feature of the Steam mobile app that generates a new, random code every 30 seconds.

It works like other 2FA generators: users have to enter the random code at login, along with their password.

That should help to fend off would-be account hijackers, given that even if they’ve gotten their hands on a password, they won’t have the constantly updated, ever-changing code.

But although 2FA makes tons of sense, not all users can use it – for example, those who don’t have a mobile phone.

So while Valve thought that 2FA would protect anyone who could use it, it came up with these other changes for trades, all of which the company implemented on Wednesday:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
  • If you’ve been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.

The upshot: if you’re using 2FA, you can keep trading as always.

If not, you’ll have to wait up to 3 days for trades to go through, which will give you time to figure out if you’ve been hacked and to get your account back before intruders can steal your stuff.

At Naked Security, we talk about 2FA a lot.

We applaud companies that give this powerful tool to users, and we encourage users to plug it in when possible.

So kudos to Valve for these moves, which its post clearly shows were well thought out.

But remember, there are other steps to take to keep accounts from getting hijacked, including picking a strong, unique password – in other words, don’t reuse passwords.

Also, be wary of clicking on what could be phishy links in emails. And, of course, always stay on top of security patches.


One comment on “Steam tightens security to stem tide of 77,000 monthly hijackings”

  1. Mahhn says:
    December 14, 2015 at 2:18 pm

    I’d like to read “To help gamers fend off scammers, Valve is going to stop Freemium purchases”
    But there is too much money in bleeding out the gamers.
