Tech

Steam ramps up security: 77,000 accounts a month hijacked

Account hijacking is getting out of hand, so Valve has taken drastic measures to cut down account and virtual item theft.

Written by Charlie Osborne, Contributing Writer Dec. 11, 2015 at 3:13 a.m. PT

Valve has admitted up to 77,000 gamer accounts a month on Steam are being hijacked and plans to clamp down on rampant item theft with new security measures.

The theft and sale of virtual items are nothing new, with the rarest items sometimes fetching thousands of dollars.

For some, hijacking accounts and the theft of virtual items is a real business, since traditional money can be used in trade for virtual items.

Couple this with poor security practices and innocent gamers, and you have a criminal ecosystem which is difficult to destroy.

In an advisory posted Wednesday, Steam said account theft has existed on the platform since the company's inception, but with the addition of Steam Trading, the problem is spiralling out of control.

Steam Trading is used to trade in-game items, games and virtual cards stored in your Steam account. Unfortunately, this relatively new functionality has made the theft and transfer of items far easier once an account is hijacked, leading to account thefts and items pinched becoming the top complaint of gamers.

With 77,000 accounts cleaned out in this way every month, Steam was left with a problem. Items would be traded, over and over, until eventually being sold to an innocent user in many cases. This leaves an innocent purchaser and an unhappy user who was the original owner of the item.

However, Steam couldn't simply transfer the item back, as this wouldn't be fair for the innocent parties -- and so the item was duplicated and one sent back to the original owner instead.

This, in turn, created another trade-off -- the devaluation of certain items in the Steam ecosystem as more and more copies were made.

"We were fully aware of the tradeoff here," Steam says. "Duplicating the stolen items devalues all the other equivalent items in the economy. This might be fairly minor for common items, but for rare items this had the potential to significantly increase the number in existence."

It is no longer the case that lax account security, handing out your passwords and clicking on malicious links are the only ways to become a victim. Instead, Stream says there is a "highly effective, organized network in the business of stealing and selling items," which means every Steam account is now a target.

Professional players, Reddit contributors and item traders are often targeted by the group, which is happy to spend months attempting to gain access to particularly valuable accounts.

Featured

Steam says the company has been working on improving account security features to get this epidemic under control. Loopholes are being closed, self-locking has been introduced and Steam Guard Mobile has been launched, which gives users the opportunity to use two-factor authentication to protect their accounts.

Two-factor authentication is the use of a secondary device, such as a tablet or smartphone, to better protect online accounts. As cyberattack rates go up, many companies -- including PayPal, eBay and Google -- have made 2FA an option. Steam did debate removing trading altogether, but now the firm has its own 2FA variety, users can see the contents of a trade on their device and confirm it there -- stripping the ability of hackers to quickly clear out an account and get away with the profits.

However, this isn't quite enough. The gaming platform has also stipulated that 2FA must be turned on for at least seven days when a trade takes place, and a confirmation sent approving the trade before the item is delivered. If not, items will be held by Steam for three days -- unless you've been the friend of the recipient for at least one year, when this delay is shaved down to one day.

Steam said:

"This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always.
Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover it before the hackers can steal their items."

The problem is the balance between functionality and security. You don't want to turn off consumers who demand an easy-to-use service, but at the same time, a broken system which allows rampant theft would end up destroying itself eventually anyway.

"We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness," Steam says.

"As always, we'll continue to read the community's discussions throughout the Steam forums and the web at large, and we look forward to hearing your thoughts."