Valve explains methodology behind controversial trade holds/escrow system on Steam, reveals ~75K acc
[QUOTE=Grandzeit;49284672]Stupidity, mostly. Stuff even all the authenticators in the world couldn't fix.[/QUOTE]
One of those .scr links got one of my buddies just because he wasn't thinking one day and clicked on a link that one of his actual friends sent him. I think stuff like that isn't completely fair to pin on people.
[QUOTE=wauterboi;49284693]One of those .scr links got one of my buddies just because he wasn't thinking one day and clicked on a link that one of his actual friends sent him. I think stuff like that isn't completely fair to pin on people.[/QUOTE]
Don't you need to give your PC a directory to put the downloaded file in and also have to run it? To my knowledge at least on Chrome you can't just click a link and automatically download AND then execute the file, there's three steps that require human interaction for the thing to work.
[sp]Maybe it's just because I'm not a fool and I disable all that automatic download and open known filetypes stuff when setting up my browser for this very reason.[/sp]
[QUOTE=wauterboi;49284693]One of those .scr links got one of my buddies just because he wasn't thinking one day and clicked on a link that one of his actual friends sent him. I think stuff like that isn't completely fair to pin on people.[/QUOTE]
Don't you need to sign up for one of those things to work, aka you're clear so long as you never sign up.
ok, this is not an ironic question or anything, I literally need it explained to me
how can you let your steam details be stolen???
[QUOTE=wauterboi;49284693]One of those .scr links got one of my buddies just because he wasn't thinking one day and clicked on a link that one of his actual friends sent him. I think stuff like that isn't completely fair to pin on people.[/QUOTE]
Steam has a link filter. Also it's entirely on your own when you click a masked link like Tinyurl, or a foreign link/something that looks like it's taking you to a download page.
It's a shame, but you need to pay attention even when you're talking with your best friends. Chances are even they are oblivious to the hazardous file, or have had their accounts hijacked.
[QUOTE=theevilldeadII;49284880]Don't you need to sign up for one of those things to work, aka you're clear so long as you never sign up.[/QUOTE]
.scr download files are not the same as fake Steam sites. Shit like that can put keyloggers or worse on your machine.
[QUOTE=Grandzeit;49284908]Steam has a link filter. Also it's entirely on your own when you click a masked link like Tinyurl, or a foreign link/something that looks like it's taking you to a download page.
It's a shame, but you need to pay attention even when you're talking with your best friends. Chances are even they are oblivious to the hazardous file, or have had their accounts hijacked.
.scr download files are not the same as fake Steam sites. Shit like that can put keyloggers or worse on your machine.[/QUOTE]
Keyloggers are ancient and the simple way they work is instantly shot down by Windows Firewall
[editline]10th December 2015[/editline]
also just don't run the .scr file??? idgi yo
[QUOTE=Grandzeit;49284672]Stupidity, mostly. Stuff even all the authenticators in the world couldn't fix.[/QUOTE]
And sometimes, keyloggers getting to your computer?
I remember in WoW, one guy hacked people by simply making different-colored world messages (the hax part) that tricked people into thinking they were accepted to beta-testing for WotLK. Immediately followed by other players responding like "lol scam, dont answer to him haha" etc.
So I chatted up with him, said prove it you can actually hack anyone, then he logged on some absolutely random low-level poor Hunter (clearly not his account) and gave me all of his measly 200 gold as proof. He didn't change their passwords btw., kind of respectable scammer actually!
So yeah, it's stupidity, but sometimes keyloggers.
Or, like some really convincing scammer websites that look like the real deal; my friend lost his Steam account briefly because of this, but got everything back eventually, including expensive Dota2 items.
[editline]10th December 2015[/editline]
Asd, how did I even produce so much txt again... anyways fuck scammers.
why is valve so bad at their jobs
if you trade an item with an expiration date it can expire while steam's still got it
good
I dunno what you all are talking about, I use it since it surfaced and it works fast and wonderful.
There is even no need to unlock my phone thanks to the notification I always get, it is so goddamn handy.
Sure I get it, it's bad for people without smartphones, but other than that, it works flawlessly.
Though, those people that are fine with the app are not vocal about it.
[QUOTE=elixwhitetail;49283130]Still waiting for the ability to use Google Authenticator instead of Valve's own crappy app.
I don't mind 2FA, I mind being forced to use crappy apps when solutions exist already.[/QUOTE]
The Steam app works fine for me, first time I've used 2 factor authentication that lets me just look at my lock screen for the code
Phone is on my desk, hit enter to log into Steam, double tap phone screen (LG G4) and the code is there
I'm calling bullshit on that number / month of hacked/pillaged accounts.
It's just another effort of pushing their app agenda, a marketing stunt.
Why don't they bulletproof the steamguard backend? That's the real culprit, especially with cookie manipulation.
[QUOTE=zerosix;49285177]The Steam app works fine for me, [B]first time I've used 2 factor authentication that lets me just look at my lock screen for the code [/B]
Phone is on my desk, hit enter to log into Steam, double tap phone screen (LG G4) and the code is there[/QUOTE]
There's a good reason most don't allow you to see the security code without first unlocking. Y'know, going against the whole idea of [I]'secure'[/I] and everything.
[QUOTE=PsiSoldier;49285352]There's a good reason most don't allow you to see the security code without first unlocking. Y'know, going against the whole idea of [I]'secure'[/I] and everything.[/QUOTE]
Still beats downloading a fricking emulator.
I never thought I'd get hacked and then I logged into Gmail on a college computer, week later all items gone.
Always saddens me that Windows Phone never gets the desired love as it should, but I might be able to do an unofficial client based off Jessecar96's [URL="https://github.com/Jessecar96/SteamDesktopAuthenticator"]Steam Desktop Authenticator[/URL] if it's okay with him.
[QUOTE=elixwhitetail;49283130]Still waiting for the ability to use Google Authenticator instead of Valve's own crappy app.
I don't mind 2FA, I mind being forced to use crappy apps when solutions exist already.[/QUOTE]
Lol, why Google Authenticator? Steam's one works perfectly fine.
Hell, even the entire app is fine. I don't get it why everyone is making such a drama about it...
[QUOTE=Coolboy;49285101]I dunno what you all are talking about, I use it since it surfaced and it works fast and wonderful.
There is even no need to unlock my phone thanks to the notification I always get, it is so goddamn handy.
Sure I get it, it's bad for people without smartphones, but other than that, it works flawlessly.
Though, those people that are fine with the app are not vocal about it.[/QUOTE]
The funny thing is for the majority of users there should be nothing to complain about. I get there are those without smartphones (a PC gamer without a smartphone in 2015? Whatever), or using esoteric operating systems ([url=http://www.idc.com/prodserv/smartphone-os-market-share.jsp]97% of all smartphones worldwide are either on Android or iOS[/url]), but for everyone else not leveraging dual factor authentication when you have the ability to is frankly foolish. This should be a total nonissue because the majority of users should be using Steam Guard anyway.
[editline]10th December 2015[/editline]
[QUOTE=NassimO PotatO;49285451]Lol, why Google Authenticator? Steam's one works perfectly fine.
Hell, even the entire app is fine. I don't get it why everyone is making such a drama about it...[/QUOTE]
It's a minor annoyance. I'm already using Authenticator for several services so it's a pain to have yet another app, but it makes sense given Valve's explanation of using it to verify trades, which makes a lot of sense.
[QUOTE=CyrusTehSage;49285420]I never thought I'd get hacked and then I logged into Gmail on a college computer, week later all items gone.[/QUOTE]
Gmail is the bigger security risk. That's why I have 2 factor auth on my Gmail account as well.
I think a lot of people don't realize how big of a problem having your Google account hacked can be, especially if you use Chrome to sync everything. If you don't disable search history etc, getting into someone's Google account can net you:
- Emails, obv
- All of their synced saved logins/passwords for any site they regularly visit
- Their entire Google search history
- Their entire location history (If android phone)
It happened to some guy I know, they sifted through his search history and found all the weird porn and weird searches he had looked up over the years. The computer was his but I think used by his whole family so syncing ended up leaking stuff like his dad's credentials for logging in on his work's website, his siblings' Facebook details etc.
Also it might be a little bit extra hassle, but it isn't exactly rocket science to download an Android emulator and just use that.
[QUOTE=Dr. Haxx;49285324]I'm calling bullshit on that number / month of hacked/pillaged accounts.
It's just another effort of pushing their app agenda, a marketing stunt.[/QUOTE]
What could they gain from people using their mobile app?
I know 2FA is great for security and I cannot think of a time when I wanted to play something and didn't have my phone with me, but I just can't help but feel it's going to work swimmingly 99 times out of 100 and the one time I absolutely need to access Steam I won't have my phone or something will go wrong.
[QUOTE=elixwhitetail;49283130]Still waiting for the ability to use Google Authenticator instead of Valve's own crappy app.
I don't mind 2FA, I mind being forced to use crappy apps when solutions exist already.[/QUOTE]
They don't want to do it, because they fear an attacker would just hide the real trade. They want an app that shows what you're actually trading.
But yeah, shitty they don't actually support more platforms. Particularly those that have around 10%+ in some countries.
[QUOTE=Fetret;49286392]I know 2FA is great for security and I cannot think of a time when I wanted to play something and didn't have my phone with me, but I just can't help but feel it's going to work swimmingly 99 times out of 100 and the one time I absolutely need to access Steam I won't have my phone or something will go wrong.[/QUOTE]
Yeah you won't be able to access your account. Not fun, but certainly reasonable.
It's scary for me they even started discussing removing trading completely only because they don't have anything from it. Valve seems to show its selfish nature.
On the other hand, I don't find this authenticator that bad. But I can't stand 3 day waiting time for traded good, in which time some random faggot can just change their's mind and cancel the trade.
While I'm fine with this type of 2FA, why can't they send these codes via an SMS, like what Google, Tumblr, Dropbox and other services do, or at least have an option for that?
Sure, sometimes I have to wait half an hour for those to arrive, but you're tying your phone to an account anyway and it gives non-smartphone users an option.
Would those be easier to intercept or something? I'm not exactly tech-savvy.
[QUOTE=BluesLS;49287777]While I'm fine with this type of 2FA, why can't they send these codes via an SMS, like what Google, Tumblr, Dropbox and other services do, or at least have an option for that?
Sure, sometimes I have to wait half an hour for those to arrive, but you're tying your phone to an account anyway and it gives non-smartphone users an option.
Would those be easier to intercept or something? I'm not exactly tech-savvy.[/QUOTE]
Non-smartphone users' or non-Android/iOS users' option is emulating the app.
[QUOTE=BluesLS;49287777]While I'm fine with this type of 2FA, why can't they send these codes via an SMS, like what Google, Tumblr, Dropbox and other services do, or at least have an option for that?
Sure, sometimes I have to wait half an hour for those to arrive, but you're tying your phone to an account anyway and it gives non-smartphone users an option.
Would those be easier to intercept or something? I'm not exactly tech-savvy.[/QUOTE]
Because, just like with Google Authenticator, you can't confirm on the device that the trade you're seeing in the computer screen is the same as the one you're doing.
Which is a trick you can only do with a fake URL looking like steam's, which goes back to problem #1 of people not double-triplechecking where they do important things like logins and trades.
I am torn with issues like these. Similarly with 80GB sized game downloads and bandwidth caps, I am not affected by this issue and I don't think people should be in this day and age. I think people should have smart phones, or ISPs who don't cap internet so low monthly. But, still those people exist.
I don't think they should be considered though, and it doesn't seem they are. Hope it's just seen as adaptive pressure.
[QUOTE=Coment;49287804]Because, just like with Google Authenticator, you can't confirm on the device that the trade you're seeing in the computer screen is the same as the one you're doing.
Which is a trick you can only do with a fake URL looking like steam's, which goes back to problem #1 of people not double-triplechecking where they do important things like logins and trades.[/QUOTE]
[QUOTE=Blade Rx69;49287834]Because they're assuming worst case scenario where a hijacker has control of computer, but you don't know. This is a fair assumption, it's how most people get hijacked.
So say you get a trade offer, where they offer a red hat for your blue hat. You like this trade, so you get the verification code and put it into steam to accept. Now your entire inventory is gone.
What happened? Well this was a clever hijacker, the trade was actually for your entire inventory, but he made it so that you only saw that you lost the blue hat. You couldn't verify this in the generic service as they only sent the confirmation code.[/QUOTE]
Oooh, right, I forgot that this is also for trade confirmations and stuff, not just logging into the account.
[QUOTE=BluesLS;49287777]While I'm fine with this type of 2FA, why can't they send these codes via an SMS, like what Google, Tumblr, Dropbox and other services do, or at least have an option for that?
Sure, sometimes I have to wait half an hour for those to arrive, but you're tying your phone to an account anyway and it gives non-smartphone users an option.
Would those be easier to intercept or something? I'm not exactly tech-savvy.[/QUOTE]
Because they're assuming worst case scenario where a hijacker has control of computer, but you don't know. This is a fair assumption, it's how most people get hijacked.
So say you get a trade offer, where they offer a red hat for your blue hat. You like this trade, so you get the verification code and put it into steam to accept. Now your entire inventory is gone.
What happened? Well this was a clever hijacker, the trade was actually for your entire inventory, but he made it so that you only saw that you lost the blue hat. You couldn't verify this in the generic service as they only sent the confirmation code.
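The scenario in the post above, as an added example that is not part of the thread and is not Valve's implementation: a generic time-based code approves whatever trade the compromised PC submitted, while a confirmation computed over the trade contents on the second device does not. The secret, the trade format and the `bound_tag`/`phone_confirm` scheme are assumptions made for illustration.

```python
import hashlib, hmac, json, struct

SECRET = b"constructed-demo-secret"  # constructed sample key shared by server and phone

def generic_code(secret: bytes, timestamp: int, step: int = 30) -> str:
    """RFC 6238 TOTP (SHA-1, 6 digits): depends only on the secret and the clock."""
    digest = hmac.new(secret, struct.pack(">Q", timestamp // step), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

def canonical(trade: dict) -> bytes:
    """Stable byte encoding of a trade so both sides authenticate the same bytes."""
    return json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()

def bound_tag(secret: bytes, trade: dict) -> str:
    """Hypothetical transaction-bound confirmation: a MAC over the trade contents."""
    return hmac.new(secret, canonical(trade), hashlib.sha256).hexdigest()

def server_accepts_generic(secret, pending_trade, code, timestamp) -> bool:
    # The pending trade never enters the check: any valid code approves any trade.
    return hmac.compare_digest(code, generic_code(secret, timestamp))

def server_accepts_bound(secret, pending_trade, tag) -> bool:
    return tag is not None and hmac.compare_digest(tag, bound_tag(secret, pending_trade))

def phone_confirm(secret, pending_trade, user_intent):
    """The phone shows the trade as the server holds it; the user approves only a match."""
    if canonical(pending_trade) != canonical(user_intent):
        return None  # user sees the real contents on the second device and declines
    return bound_tag(secret, pending_trade)

def run_scenario(now: int = 1449705600):
    intent = {"give": ["blue hat"], "receive": ["red hat"]}  # what the PC displays
    actual = {"give": ["blue hat", "item 2", "item 3"], "receive": ["red hat"]}  # submitted
    generic_ok = server_accepts_generic(SECRET, actual, generic_code(SECRET, now), now)
    bound_ok = server_accepts_bound(SECRET, actual, phone_confirm(SECRET, actual, intent))
    # A tag issued for the displayed trade does not verify against the submitted one.
    swapped_ok = server_accepts_bound(SECRET, actual, bound_tag(SECRET, intent))
    honest_ok = server_accepts_bound(SECRET, intent, phone_confirm(SECRET, intent, intent))
    return generic_ok, bound_ok, swapped_ok, honest_ok

if __name__ == "__main__":
    print(run_scenario())
```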
[QUOTE=Take_Opal;49287829]I don't think they should be considered though[/QUOTE]
You're right. How dare people have different phones. They shouldn't be allowed to trade or instead resort to downloading a potentially malicious program which renders the entire process useless since you no longer use two different devices anyways. Valve really shouldn't give a shit about them, even if they could easily have settled with an alternative or ported their app.
Let's all put this behind us and forget it even happened and press people into buying new devices, all due to a large part of the userbase which will likely still end up getting phished after all these extra forced safety steps.