HOTforSecurity
Graham CLULEY @gcluley
Industry News

77,000 Steam accounts are hacked and raided every month

December 11, 2015
Steam Authenticator. Photo credits: Steam

Valve, the developers of the Steam online gaming platform, says that its members are facing a serious problem.

Accounts have always been hijacked on the gaming site, by hackers who have stolen passwords, but now the problem is said to have risen twenty-fold, with some 77,000 Steam accounts hacked every month.

Steam accounts are hijacked when a hacker manages to break into an account without the owner’s permission. Often this is done by stealing passwords with keylogging malware, or through phishing for login credentials on fake sites.

And once a Steam account has been hijacked, it is typically raided for items and games, as well as potentially used to compromise and raid yet more Steam accounts.

According to a statement issued by Valve, stolen virtual goods are often sold through a series of compromised accounts before ultimately being sold on to an innocent user.

Valve says that “enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers”. Indeed, according to the firm, practically every active Steam account has “enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”

Clearly steps need to be taken if anything is to be done to reduce the fraud occurring on Steam.

The most obvious step that users should take is to enable two-factor authentication on Steam (known, in their case, as Steam Guard Mobile Authenticator).

Steam Guard Mobile Authenticator is a feature of the Steam mobile app that generates a new random code every 30 seconds. At login you have to enter the code alongside your password. The idea is that even if a hacker knows your password, they won’t know the random regularly-changing code.
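How a 30-second code of this kind can be generated and checked alongside a password, as an added example that is not from the article or from Valve: it implements the standard RFC 6238 TOTP algorithm, which is an assumption, since the article does not describe Steam Guard's own code format. The secret, salt, password and the `LoginVerifier` class are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds each code is valid for, as in the article
SALT = b"constructed-demo-salt"  # assumption: fixed salt for the demo only


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 code (HMAC-SHA1) for the 30-second window containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


class LoginVerifier:
    """Hypothetical server check: password AND code, each window used once."""

    def __init__(self, password_hash: bytes, secret: bytes, drift: int = 1):
        self.password_hash = password_hash
        self.secret = secret
        self.drift = drift        # windows of clock skew tolerated
        self.last_counter = -1    # newest window already accepted

    def check(self, password: str, code: str, now: float) -> bool:
        pw_ok = hmac.compare_digest(hash_password(password), self.password_hash)
        current = int(now) // STEP
        for counter in range(current - self.drift, current + self.drift + 1):
            if counter <= self.last_counter:
                continue  # window already used: a captured code is rejected
            expected = totp(self.secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()) and pw_ok:
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: RFC 6238 test secret
    server = LoginVerifier(hash_password("correct horse"), secret, drift=0)
    t = 1111111111
    print(server.check("correct horse", "12345", t))          # password only
    print(server.check("correct horse", totp(secret, t), t))  # both factors
    print(server.check("correct horse", totp(secret, t), t))  # replayed code
```

The code is derived from a shared secret and the clock rather than being random, so the server can recompute it; rejecting already-used windows limits what a captured code is worth.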

Unfortunately, most Steam users have apparently not taken advantage of this increased level of security. I’m sure they all had good excuses (they didn’t think they were targets, they felt they were too smart to have their computers compromised, they didn’t have access to a mobile device), but the truth was that they were putting their account at greater risk by not using it.

For this reason, Valve has announced that it is making some changes in an attempt to make it less attractive for hackers to break into Steam accounts:

  • Steam accounts which don’t have two-factor authentication enabled will have their traded items “held by Steam for up to 3 days before delivery” – hopefully giving enough time for account owners to spot the suspicious activity, and significantly slowing down hackers who are attempting to rapidly turn stolen virtual goods into money.
  • Users who have been friends for at least one year will find that items they attempt to trade will be held for “up to 1 day before delivery” – recognizing that the trade is more likely to be legitimate because of an existing relationship.
  • If you are already using two-factor authentication, however, then you will be able to continue trading without restrictions. Hopefully this is a good incentive for others to embrace the additional security that it offers.

Valve says it recognizes that not everyone will be happy with the changes, but with some 77,000 accounts hijacked every month it’s clear that the service has a major problem and something serious had to be done to cut down on the fraud.

The company says, “We’ve done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.”

It will be interesting to see what impact the change has, and how the hackers themselves will respond to what appears to be a significant obstacle in their attempts to monetise hacked accounts.

If you’ve been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.

Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.

And don’t forget, each of these computers which has been infected by malware in an attempt to break into a Steam account could also be abused to compromise email accounts, bank accounts and have a myriad of other personal information stolen from them.

Yes, protect your Steam account with two-factor authentication – but harden your computer defenses generally, by ensuring you are not reusing passwords, have a decent anti-virus product in place, and are following best practices such as keeping on top of security patches and being wary of unsolicited emails.

Steam has introduced a couple of new security measures on trading. Unless you have the two-factor authentication app activated on a second device, and have had it for seven days, you’ll have to wait three days for any goods you’ve traded away to be delivered. If you’re trading with a friend of one year or more, you’ll only have to wait one day.

Why? Well, Valve’s theory is that this measure will slow down hackers trading away items from compromised accounts. In order to make money from illicitly obtained accounts, hackers need to get the goods out before the legitimate owner can report the hack and have the account frozen, you see.

Valve could just insist on two-factor authentication, but there are plenty of users who just can’t use the app for whatever reason. These users will have to swallow some inconvenience, but with any luck, the value prospect of hacking an individual Steam account will go way, way down as a result of these holds.

In a fascinating news post on Steam, Valve dives deep into its thinking. It touches on how simply replacing lost goods can affect the economy and fails to deter hackers, why it can’t use a generic authentication app, and most frighteningly, discusses the scope of the Steam hacking scene.

“Enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers,” Valve wrote.

“Practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.”

Steam hacking has become “commonplace”, Valve said, and even smart users with good security are being caught.

“What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don’t understand how to stay secure online, but the prevalence of items make it worthwhile to target everyone,” Valve said.

“We see around 77,000 accounts hijacked and pillaged each month. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.

“We can help users who’ve been hacked by restoring their accounts and items, but that doesn’t deter the business of hacking accounts. It’s only getting worse.”

Get the two-factor authentication app.

Tags: account compromise, steam

About the author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

  • Jim says:
    December 15, 2015 at 8:45 pm

    I’m with Steam and have seen the message about two-factor authentication, and decided I wouldn’t trust Steam with my mobile number, so I’m willing to put up with some inconvenience when I do buy anything. I also un-tick the option box about keeping the credit card details saved on Steam, and again I don’t trust them to keep those details safe, so I’m quite willing to put up with the hassle. I wish I didn’t have to, but it seems that in today’s world this is what we have to live with.

Powered by Bitdefender - a leading cyber security technology provider | Copyright © 2008 - 2016. All rights reserved.