Valve: 77,000 Steam Accounts Hijacked Each Month
We’ve all heard the stories of people who have been victim to digital theft and account compromise. New details from Valve, who is working to combat the problem, shine a light on just how pervasive the issue is.
In a new post on Steam, Valve shares details about its recent Steam Authenticator feature (similar to Blizzard’s Battle.net authenticator app or standalone fob). The company is recommending users implement this extra layer of protection to safeguard their accounts and item transactions.
“We see around 77,000 accounts hijacked and pillaged each month,” Valve says. “These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.”
Users accounts are accessed. Items in inventory are sold off to innocent users and new purchases are made on the marketplace to be offloaded, too. In the past, Valve would leave the stolen items with innocent purchasers to protect those users who believed they were engaging in an above-board transaction.
Instead, the company would duplicate the item and return it to the original owner. The problem is that the Steam economy is alive. It functions like any other with limited amounts of commodities available. Duplicating rare items drastically devalues the good, hurting anyone who owns one.
That’s why Valve is taking additional precautions to prevent the trade or sale of goods from hacked accounts. The authenticator isn’t the company’s first step in protecting users. It’s just the latest. The company has issued access codes via email for those users requesting two-factor authentication.
It also prevents purchased items from being traded for seven days. This creates a window such that an owner of a compromised account can identify the fraudulent purchases and act before the items have been moved to someone else.
The new authenticator system doesn’t just protect account access. It works to authorize trades on the system, too. If you have an authenticator active for at least week, you can trade as normal. However, if you don’t enable that on your account, you’ll be subject to an up to three-day waiting period before the trades will finalize.
This functions as a forced escrow service, giving users a chance to act if something appears awry. Valve says that these protections help all users, as the Steam marketplace has become big business.
“First, enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers,” the company writes. “Second, practically every active Steam account is now involved in the economy, via items or trading cards, with enough value to be worth a hacker's time. Essentially all Steam accounts are now targets.”
Valve is aware that this is a tradeoff. The company recognizes that waiting periods and the additional step of using an authenticator will have direct impact on the friction of implementing trades and ultimately their frequency (at least in the short-term).
“This is one of those times where we feel like we're forced to insert a step or shut it all down,” Valve says. “Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle - a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.”
While this is going to be a hassle for people, it’s ultimately in service of protecting accounts and items with real world monetary value. This is a smart trade-off, and users should implement the authenticator via the Steam mobile app.
Valve is doing the responsible thing to protect its economy, from which it too benefits greatly. The irresponsible thing would be to let the problem go unaddressed. This will help users, ensure the economy can continue to function and, if all goes to plan, help Valve reduce the amount of resources it has to put behind account recovery.