Steam Escrow System Drives Impatient Users To Fake Trading Sites Serving Malware (malwarebytes.org)

An anonymous reader writes: On Wednesday, Valve introduced a new "trade hold" system that should prevent scammers from stealing items from Steam users' hijacked accounts, or at least minimize the occurrence of such incidents. Anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. The system was, understandably, not welcomed by some users, and it didn't take long for scammers to take advantage of this discontent.
  • by bigdady92 ( 635263 ) on Friday December 11, 2015 @10:42AM (#51100369) Homepage
    The title sounds like someone had a seizure during submission and mashed words into sentences.
    • by Anonymous Coward
      (The new) Steam escrow system [is driving] impatient users to [imitation] trading sites (that are) serving malware.

      Not exactly a Garden Path [wikipedia.org], but has some elements of one.
  • by NotDrWho ( 3543773 ) on Friday December 11, 2015 @10:49AM (#51100397)

    Apparently Steam has a trading feature, which exists for some reason. You can't use it for selling used games. It's only for "gifting" games and digital items.

    Nope, no one could have foreseen that a system like that would be catnip for hackers and scammers.

    And they wonder why I won't give them my credit card number.

    • by Gr8Apes ( 679165 )

      And they wonder why I won't give them my credit card number.

      I don't give anyone online my real CC, virtual numbers only, thank you.

    • I'll broaden that to pretty much the entire intertubes ... as much as it's a useful thing, it's also full of shady players who are trying to make a buck.

      From the ad agencies to people trying to sell me in-app purchases, I pretty much don't trust any of them to have any financial impact on me ... because I assume they're either all crooked, or are likely to be hacked.

      I pretty much start with the default position of assuming everything on the internet is sketchy these days, and only enable the bare minimum of

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        Doesn't matter if you give them out or not to the ad agencies. This Monday I was browsing the menu of a local take-out restaurant that I had never used before and decided to pass because of their prices. By Thursday (yesterday) there was an ad postcard in the mail with my full name on it (not simply addressed to resident), and I'm running Firefox locked down with Ghostery and NoScript, allowing cookies for session only and disallowing any 3rd-party cookies. Another case in point: I dropped my insurance Assuran

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          Geesh, loosen your tinfoil hat a little. If you own your own home, your name and address are on the public record. It's not that hard for a restaurant (or anyone else) to get names tied to addresses and target a neighborhood. I'd be willing to bet that several of your neighbors got similar cards that same day.

          • by Anonymous Coward

            The world has still degenerated into an advertising quagmire - even if they didn't have to spy.

    • by RogueyWon ( 735973 ) on Friday December 11, 2015 @11:39AM (#51100659) Journal
      These digital item trading systems which allow items to be redeemed for real money are, when linked to otherwise-useful gaming account systems, an absolute plague. They're the worst kind of incentive to spamming, scamming and outright criminality.

      It's not just limited to Steam. If you look over at Xbox Live, you'll find there have been (and to some extent continue to be) serious issues there, despite there only being a single game series that allows these kinds of trades (FIFA Ultimate Team).

      It's a funny thing; everybody knows about the Sony PSN hack. And yet very few people ended up actually being inconvenienced by that hack, save for the inconvenience of the PSN being down for a few months. What's not widely known is that there have been a number of less eye-catching but more severe compromises of Xbox Live security in recent years. The most serious exploit involved a flaw in Microsoft's phone-support protocols [kotaku.com]. It got very little publicity, because it doesn't fit with the media's perception of what a "hack" looks like, but it hit an awful lot of accounts and resulted in an awful lot of fraudulent credit card transactions.

      And why were the scammers doing this? Mostly, it turned out, so that they could purchase and then monetise FIFA Ultimate Team trading items. Ordinarily, there was no means to get money "out of" the Xbox Live system. So you could compromise somebody's account and use it to buy games or DLC, but you couldn't sell these on and once the original owner got their account back, you were left with nothing to show for your efforts. FIFA changed all of that and created a pretty large industry in compromising XBL accounts. Worse, besides keeping a constant eye on their account, there was nothing at the time that users could do to protect themselves; there was no need to get people to divulge a password or click a dodgy link - the scammers were going straight to MS's flawed support services.

      Back over on the PC, Valve have been very slow in waking up to the issue of compromised accounts. I suspect it's only the growing prospect of a number of countries' consumer protection authorities taking enforcement action against them that's prompted this recent action. The option they've gone for is slow and over-burdensome. I was disappointed to read in their statement announcing it that they had considered but rejected the idea of just scrapping these trades. Sadly, given they cream off a good chunk of each transaction, that was too much to hope for. But for as long as it is possible to launder money out of Steam, large-scale attempts to illegally access accounts will continue.
    • by phorm ( 591458 )

      Also for trading in-game items, such as DOTA2 "loot", which to some may have a monetary value if it's a rare, etc.
      There's been lots of scams trying to trick people out of their loot, etc. Often these may be done by somebody who hacks an account to sell somebody else's stuff, does a trade, and quickly trades/sells off the valuable stuff again. This is why they put the delay in there in the first place for those that aren't using extra measures to protect their account(s).

  • by truck_soccer ( 4286027 ) on Friday December 11, 2015 @11:01AM (#51100465)
    Anyone stupid enough to trade STEAM ITEMS through any service that isn't STEAM gets no sympathy. Are people getting dumber or am I getting less tolerant?
    • Are people getting dumber or am I getting less tolerant?

      It can be two things! ;-)

      Of course, the reality is accessing the internet is far easier than understanding the security issues, since people don't seem to be paranoid enough by default. Far too many people just think "oh, it's the internet, it's a warm and inviting place".

      Anything which can be scammed, will be scammed. The internet just magnifies this by a zillion.

      If people had to be as paranoid in real life as they need to be on the internet, they'd

      • Are people getting dumber or am I getting less tolerant?

        It can be two things! ;-)

        Well, he used "or" and not "xor", so that's a given. :D

    • What's happening is Valve has done a 180. The entire reason they introduce certain features (such as the market) is to provide an official, difficult-to-get-scammed way of doing things so that people won't have to go to untrustworthy third parties.

      But then, they started implementing more and more restrictions on these things. e.g. the only way to trade certain things is to "gift" them which is a one-way transaction where the only guarantee that the other party will actually follow through is the word of an

      • Shit, I still remember when Valve was a games developer. They were damn good, too.
    • It depends on whether people are likewise stupid enough to spend $1000 over the course of two years on replacing their current phone with an Apple or Google phone just to be able to trade items in a timely fashion.

      I've gathered from the instructions page [steampowered.com] and the FAQ page [steampowered.com] that the authenticator requires an iPhone with a valid cellular subscription or an Android Phone with Google Play with a valid cellular subscription. As far as I can tell based on these pages, the authenticator cannot* be obtained on Android devices without Google Play, such as devices running Amazon Fire OS or Replicant OS. The authenticator does not work on devices running Windows Phone, on feature phones, or on landlines. Based on repeated references to phone numbers, it is unclear whether the authenticator works on tablets or on phones with an expired cellular subscription. How many people are willing to buy an iPhone or an Android phone with Google Play just to confirm item trades?

      * Lawfully.

      • I tried to switch to the Steam Guard Mobile Authenticator, however two things prevented me from choosing this option:

        1. As you say, it requires cellular service. For devices that can communicate directly with servers via Wi-Fi, this is a stupid design decision.

        2. This option requires you to use the Steam Guard Mobile Authenticator every time you log in, vs the email option which is only required if you log in from a new system or a new location.

  • by LanMan04 ( 790429 ) on Friday December 11, 2015 @11:09AM (#51100499)

    My son plays TF2 and doesn't have a cellphone yet (11 years old).

    If I want to send him something from my account, it takes THREE DAYS because we "haven't been friends for a year" yet. Even if we had been friends for that long, it would take a full 24 hours because he doesn't have the "mobile authenticator". Every time. He doesn't even have a phone, you jackasses!

    And now *I* have to have the stupid authenticator turned on if I want to trade with randoms on the internet. Dude, my account is secure! I get email notifications of trades, which show up instantly on my phone.

    It's way way way overkill, with no way to opt out. Sucks.

    • My son plays TF2 and doesn't have a cellphone yet (11 years old).

      Then how should he call you for a ride home, especially now that payphone operators have been removing payphones? Besides, Team Fortress 2 is rated M. It's not intended for 11-year-olds. Nor is online play intended for anyone under 13 anyway because of COPPA. In any case, the FAQ [steampowered.com] states that you can put multiple accounts on one phone. The one downside to putting your son's TF2 account on your phone is that it links the identity associated with your Steam account to his.

      It's way way way overkill, with no way to opt out.

      Then opt out of Team Fortress 2 in the

      • Besides, Team Fortress 2 is rated M. It's not intended for 11-year-olds. Nor is online play intended for anyone under 13 anyway because of COPPA.

        It's really easy to turn off blood/gibs using a few commands on launch, as well as muting incoming voice chat. Once you're past that you have a cartoon-y FPS that really isn't bad. He isn't allowed anywhere near realistic FPS games (CoD, or L4D, etc).

        In any case, the FAQ states that you can put multiple accounts on one phone. The one downside to putting your son's TF2 account on your phone is that it links the identity associated with your Steam account to his.

        Cool, thanks!!

        Then opt out of Team Fortress 2 in the first place.

        Come on, you can do better than that.

        • as well as muting incoming voice chat

          It's not voice chat as much as text chat. The rationale behind the COPPA law and various kid-friendly games' restrictions on chat is that young children allegedly cannot be trusted to share their personally identifying information with would-be abusers. Some games even block use of number words, such as "two" and "three", because that lets users give out their age or home address.

    • by BenJeremy ( 181303 ) on Friday December 11, 2015 @11:47AM (#51100715)

      I understand your frustration, but something had to be done. My son had his account stolen. It took us over a week to get it back, and in the meantime, the scammer who tricked my son into giving up his password (I tried to teach him better beforehand, but at least his experience means he actually listens to me now) and took over his account sold it to some Russian kid, who was probably out a bit of cash when the account was returned (my son's account had over 600 games at the time).

      He didn't have anything in his inventory worth trading out, at least... there wouldn't have been anything left if there was. With this system, at least that wouldn't have been as much as a worry.

      The authenticator is a fine system. You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator; no need for a cell phone these days. It's never too early to take measures that can enhance your son's security now, and even better when such measures can be carried with him for the rest of his life, too.

      I hope Steam also improves the way they handle account thefts - it would be a simple thing to check logs against IPs and international locations to see fishy activity once a complaint is raised and act immediately to, at least in the short term, freeze the account until things get sorted. From Day One Steam has not allowed the trading or sale of Steam Accounts in their TOS, so a user suddenly changing names and accessing an American account from Russia should raise a red flag that is easy to spot by the system. Likewise, actions like trying to trade out all the items in the inventory should also signal a possible fraudulent activity. There are probably a good dozen automated ways Steam could detect potential account theft and squash it without ever inconveniencing the customer.

      • by tepples ( 727027 )

        You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator

        This won't work if the SMS verification backend used by Steam is one of the several that explicitly block non-cellular SMS numbers because they have been "abused" in this manner.

        it would be a simple thing to check logs against IPs and international locations

        Which opens up the "I can't play games while on vacation or a business trip. Is Steam region locked?" debate if not carefully thought out.

        • You can probably set up an alternative that allows SMS messages, like Ring.to or Google, that your son can use as the authenticator

          This won't work if the SMS verification backend used by Steam is one of the several that explicitly block non-cellular SMS numbers because they have been "abused" in this manner.

          Scammers aren't using the SMS to jack the system, but in theory, they could add an SMS once they hijack an account; then again, they could use any SMS, including something keyed off of a burner phone. They can already do that. Blocking SMS services doesn't help Steam fight fraud.

          At least if his son has the authenticator set up through some sort of SMS service, then he at least has more security.

          it would be a simple thing to check logs against IPs and international locations

          Which opens up the "I can't play games while on vacation or a business trip. Is Steam region locked?" debate if not carefully thought out.

          I'm talking about using location in conjunction with sudden account changes, not about where the account is used. Detection has to be tweaked to eliminate such obvious false positives. It's about confirmation and likelihood.
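          The detection approach argued over above (location only as corroboration of a sudden account change or an emptied inventory, so that a traveller is not locked out) sketched as a risk score over constructed login, profile-change and trade events. This is an added example, not Steam's code; the event fields, weights and the freeze threshold are assumptions.

          ```python
          from __future__ import annotations
          from dataclasses import dataclass

          @dataclass
          class Event:
              account: str
              ts: int              # seconds since epoch; constructed values below
              kind: str            # "login", "name_change", "email_change", "trade_out"
              country: str = ""    # set on "login" events
              items: int = 0       # set on "trade_out" events: items leaving the inventory

          @dataclass
          class AccountState:
              home_country: str    # country the account is normally used from
              inventory_size: int  # items held before the window started

          def score_account(state: AccountState, events: list[Event], window: int = 24 * 3600):
              """Score the last `window` seconds of events; returns (score, reasons).

              A foreign login alone is weak evidence (travellers trip it), so it scores low
              by itself and only becomes a takeover signal when corroborated by an identity
              change or by most of the inventory leaving at once."""
              if not events:
                  return 0, []
              latest = max(e.ts for e in events)
              recent = [e for e in events if latest - e.ts <= window]
              foreign_login = any(e.kind == "login" and e.country and e.country != state.home_country
                                  for e in recent)
              identity_change = any(e.kind in ("name_change", "email_change") for e in recent)
              traded_out = sum(e.items for e in recent if e.kind == "trade_out")
              bulk_trade_out = state.inventory_size > 0 and traded_out >= 0.8 * state.inventory_size

              score, reasons = 0, []
              if foreign_login:
                  score += 1
                  reasons.append("login from outside the home country")
              if identity_change:
                  score += 2
                  reasons.append("profile name or e-mail changed")
              if bulk_trade_out:
                  score += 3
                  reasons.append(f"{traded_out} of {state.inventory_size} items traded out")
              if foreign_login and (identity_change or bulk_trade_out):
                  score += 2
                  reasons.append("foreign login corroborated by an account change")
              return score, reasons

          FREEZE_THRESHOLD = 5  # constructed threshold; tune against observed false-positive rates

          def decide(state: AccountState, events: list[Event]) -> tuple[str, int, list[str]]:
              """Freeze the account (pending review) only when signals corroborate each other."""
              score, reasons = score_account(state, events)
              return ("freeze" if score >= FREEZE_THRESHOLD else "allow"), score, reasons

          # Constructed scenarios: a traveller trading normally, and a resold account being emptied.
          T0 = 1_450_000_000
          TRAVELLER = AccountState(home_country="US", inventory_size=100)
          TRAVELLER_EVENTS = [
              Event("alice", T0, "login", country="DE"),        # on a business trip
              Event("alice", T0 + 600, "trade_out", items=2),   # ordinary trade with a friend
          ]
          VICTIM = AccountState(home_country="US", inventory_size=100)
          TAKEOVER_EVENTS = [
              Event("bob", T0, "login", country="RU"),
              Event("bob", T0 + 120, "name_change"),
              Event("bob", T0 + 300, "trade_out", items=95),    # inventory emptied in one trade
          ]
          ```

          With these weights the traveller scores 1 and is allowed, while the foreign login plus name change plus bulk trade-out scores 8 and is frozen.
          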

      • Fair enough, I suppose.

        I just wish there was a "I really know what I'm doing, and sign away all recourse, I don't want to use this thing" button. :)

      • a user suddenly changing names and accessing an American account from Russia should raise a red flag that is easy to spot by the system.

        So if you travel with your computer you will be immediately locked out of your steam account for x number of days.

    • by wbr1 ( 2538558 )
      Simple solution. Have his mobile authentications go to YOUR phone, or to a Google Voice number you control. On personal machines he should stay logged in and not have to use it and bother you but rarely.
    • I'm pretty sure that you can use Google Voice as a mobile authenticator.
      • Oh! I thought it *had* to be the smart phone app. I wouldn't mind getting the code via SMS I suppose.

        • Sorry, you do have to have an Android device to run the app. But from what I can tell, it doesn't need to be running on a phone. I'll try it out and let you know. I have an old Nexus 6 with no SIM card for a perfect test.
    • Comment removed based on user account deletion
      • Your kid cannot wait 3 days for some stupid steam item?

        I mean, he *could*, but it's unnecessary in my situation. It worked perfectly fine for me for years.

        And people wonder why suckers are getting scammed, see the perfect example of a spoiled impatient user above.

        Fuck you, dude. I'm not spoiled. I'm a grown-ass adult who takes security seriously and has never had a problem with Steam item trading. I've never had an online gaming account of any kind taken over. Ever. This is overkill, at least in my case.

        because email is EASY TO COMPROMISE, dumbass; it's a HELL of a lot harder to snatch your phone through the Internet.

        Yes, I am aware that it's much harder to spoof 2-factor auth. But if I submit a trade offer, I *instantly* get an email after pressing the submit button. I then

        • by tepples ( 727027 )

          I imagine that the Gmail accounts of a lot of people not named LanMan04 are so "easy to compromise". For example, do most people subscribe to multiple email services through which they can obtain "multiple back-up email addresses"? And how are you going to respond to a takeover alert while you are in bed?

          • I understand your point. I just want a "I know what I'm doing and accept the risk, now fuck off" button so I don't have to use the authenticator.

            That's all.

            • by tepples ( 727027 )

              I just want a "I know what I'm doing and accept the risk, now fuck off" button

              I'm under the impression that some countries' consumer protection statutes and some payment processors' terms of service forbid companies to offer such a button because scammers are likely to trick marks into clicking it.

    • If I want to send him something from my account, it takes THREE DAYS because we "haven't been friends for a year" yet.

      Not THREE DAYS! My god, how does he survive?

    • by phorm ( 591458 )

      OH NOES, he has to wait for gifted items a whole three days. Add the f'ing authenticator to a device you own, or if he has an iPod etc you can use that too so long as the initial SMS (during setup) goes to a mobile device.

      Your son not getting a few TF2 items is much less an issue than the account hacks, fraud, and scams that were going on before this (which is why they made the change in the first place).

    • The stupid part of the whole thing is that I already had a mobile authenticator: it sends the code to my email and I can read the email on my phone. Hell, it's a lot easier and faster to open the always-running-in-the-background mail app than find the Steam app, wait for it to load, and get the code from it.
  • by Joe Gillian ( 3683399 ) on Friday December 11, 2015 @11:26AM (#51100565)

    Valve really brought this problem upon themselves by introducing trading and not having a first-party trade listing service that does not involve real-world money. Right now, most people list their trades on third-party sites over which Valve has little to no control. This is where you'll see the vast majority of people getting phished or scammed out of their items or accounts.

    Contrary to what Valve says, a lot of the items I've seen stolen have been stolen through phishing or other social engineering, not through actual hacking. I've seen people go to ludicrous lengths to steal someone's stuff: case in point, a TF2 scammer I busted late last year who was using offers of PayPal money (which is pretty much a guaranteed way to get your stuff stolen, as PayPal does not recognize digital items) to lure people into trading their items to him (i.e., "Give me your item and then I'll send you the hundreds of dollars I promised you").

    The scammer was a 14-year-old kid (at the time) and had scammed at least twenty people out of thousands of dollars of items. He wasn't actually successful in selling most of them, largely due to third-party reputation sites like SteamRep catching onto his game and marking him as a scammer fairly early on, but even after that mark had been placed on him he was still able to continue scamming.

    Really, 99% of the problems with trading could have been solved if Valve had just put up a first-party listing service.

  • Have users create a secondary "sudo" password that prevents any major account changes (like the main password, associated e-mails or SMS accounts) without presenting that password, too.

    In theory, a user should never give out that password, or ever be required to use it, unless on Steam itself.

    Sadly, many people are taken in by the fake steampowered websites ("http://steempowered.com") and lured in with the promise of free games. This is why they made changes (filtering some web sites) to their chat windows.

    • by tepples ( 727027 )

      A secondary password can be keylogged. The Steam authenticator actually displays the trade details on the smartphone's display.
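      The difference the reply is pointing at, modelled as an added example (not Steam's protocol): a static second password approves whatever request accompanies it, whereas a confirmation derived from the trade details the device displays only verifies for that exact trade. The device secret, trade records and "keylogged" values are constructed.

      ```python
      import hashlib
      import hmac
      import json

      # Constructed per-device secret; assumed to be provisioned when the authenticator is set up.
      DEVICE_SECRET = b"constructed-device-secret"

      def trade_summary(trade: dict) -> str:
          """Canonical text of the trade, i.e. what the authenticator shows on screen."""
          return json.dumps({"id": trade["id"], "to": trade["to"],
                             "items": sorted(trade["items"])}, sort_keys=True)

      def device_confirm(secret: bytes, trade: dict) -> str:
          """Code the device releases only after the user approves the displayed summary.
          It is bound to that summary, not to the session or to the user's identity."""
          return hmac.new(secret, trade_summary(trade).encode(), hashlib.sha256).hexdigest()

      def server_accept_static(stored_pw: str, presented_pw: str) -> bool:
          """Secondary 'sudo' password check: the credential carries no information about
          which trade it approves, so a keylogged copy approves any trade."""
          return hmac.compare_digest(stored_pw.encode(), presented_pw.encode())

      def server_accept_bound(secret: bytes, trade: dict, code: str) -> bool:
          """Recompute the code over the trade the server is about to execute; a code
          the user approved for a different trade does not verify."""
          return hmac.compare_digest(device_confirm(secret, trade), code)

      # Constructed scenario: the user legitimately approves TRADE_A. Malware on the PC has
      # recorded the static password and observed the confirmation code for TRADE_A, and a
      # different trade (TRADE_B) is then submitted with those replayed credentials.
      TRADE_A = {"id": 1001, "to": "friend_account", "items": ["Strange Rocket Launcher"]}
      TRADE_B = {"id": 1002, "to": "attacker_account",
                 "items": ["Strange Rocket Launcher", "Unusual Hat", "Key"]}
      STORED_PW = "correct horse battery staple"
      KEYLOGGED_PW = STORED_PW
      CODE_FOR_A = device_confirm(DEVICE_SECRET, TRADE_A)

      def compare_schemes() -> dict:
          """Which requests each scheme accepts when the recorded credentials are replayed."""
          return {
              "static_pw_accepts_trade_b": server_accept_static(STORED_PW, KEYLOGGED_PW),
              "bound_code_accepts_trade_a": server_accept_bound(DEVICE_SECRET, TRADE_A, CODE_FOR_A),
              "bound_code_accepts_trade_b": server_accept_bound(DEVICE_SECRET, TRADE_B, CODE_FOR_A),
          }
      ```

      The same property holds if only the item list of TRADE_A is altered, since the summary the user saw and approved no longer matches.
      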

  • Every time I see a reminder about setting up a sms account, I go to support and raise a ticket, I explain that I have no sms phones and would like a phone number to discuss the issue.

    They reply that they are unable to provide a phone number to resolve the issue, at which point I remind them that I am unable to provide them with an SMS number, and then I again ask for a phone number to discuss the issue.

    Now if everyone did that,.....

  • A few weeks ago Steam started redirecting activity to a message about giving them a mobile phone number that you had to oblige/skip to get to what you were trying to reach. Then a couple of weeks later it got more aggressive. Then they started offering small discounts to anyone who gave a number. Then came the warning that without giving up a phone number they were going to hold purchased items (virtual items like trading cards and TF2 hats) for three days. Even if their intentions were simply to reduce s
