SMiThaYe

Steam
Protect Your Steam Account from Hijacks

13 posts in this topic

I'd advise anyone to visit their Steam profile and change the privacy setting to ensure that comments are for friends only. You all know my nickname and it's pointless hiding it; take reasonable precautions and you'll be fine.

  • Hover over your name in Steam as follows and select Profile.

  • At the top of the page on the right, under your Steam level and badge, press Edit Profile.

  • You'll come to your Edit Profile page (aka My Profile). We won't change any options on this page as we need to change Privacy Settings, so go ahead and click on My Privacy Settings.

  • Now that we are in My Privacy Settings you can change the options as advised, unless you have already changed these. Switch Comment Permissions as follows to Friends Only.

    Profile Status - Leave your profile open as Public; there are no risks, whereas a private profile can stop certain apps or streaming services from working.

    Comment Permissions - Set to Friends Only, which means only your friends, who you trust, can leave comments. Unless you know that person, don't click ANY links. In Steam there is not the usual protection you get from browsers; it's like running around naked on there!

    Inventory - My profile used to be fairly open, however since we also get trade scams I only allow friends to view my Inventory (maybe Steam should default to this option). The same can be said for Comments, and that is the point of this post.

    Both together mean no one can scam you unless you click on links in forums or websites, and then that's down to bad luck and a lack of security installed. Chrome has built-in malware protection; used alongside Malwarebytes and your paid-for security suite, you should be protected.

  • Showcase Panel - potential issue
    EDIT: Another point I should add. Remove the Games Collector Showcase panel and replace it with something else, say the Favourite Game Showcase or Rarest Achievement Showcase panels. Right there you are showing how valuable your account is (number of games, DLCs) to whoever, good or bad, happens to stumble upon your account. Yes, you could go into lockdown mode aka Private if you were that worried, but Steam works best when your account is Public. Don't deliberately have this panel enabled; let other members check your account is legit too, for example when making friends, gaming, trading, or if you are managing a public Steam Group or creating your own mods. Whatever you decide is down to you, let common sense prevail :)

 

Over the past few months I have had a lot of random 0-level accounts (likely bot accounts) leaving hijack link attempts disguised as image links, all leaving identical messages where only the image link changed. Links to images are made to look legit but are far from it. Steam should be doing far more to protect us and they are not; at least let me report these, as my only option is to delete the many suspicious comments. If you get spam texts you can report these to your provider and they ban the numbers to stop further harm; we are neither being protected in the first instance on our profile page, nor able to report it, nor does Steam have sufficient protections in place.

 

Edit: Not related to hijacks but worth pointing you in the direction of this detailed Steam Guide by Jimo entitled Avoiding Common Scams.

Edited by SMiThaYe
added guide bonus Avoiding Common Scams

I have had Friends Only permission to comment on my profile since the beginning, although with Workshop files anyone can comment on my work.

Tbh, fortunately I never had any problem with Steam related to security protection.


Updated OP with a section titled "Showcase Panel - potential issue".


Do WhyCry's style, and make your own Steam profile private, even for friends :P


Quote

Do WhyCry's style, and make your own Steam profile private, even for friends :P

I know *sigh*

He could change his profile status if he wanted, one up from total lock-out to Friends Only. "Why?" he may ask; well, I may want to check his games collection before asking him if he wanted a game ;) Perhaps there should be a whitelist of friends you know better than others to keep your profile open to; otherwise the initial rule applies.

There is however an exception to all this: when your chosen family members play games (not that often), and I insist they play in offline mode to avoid being pestered :P


I don't even know when I made it private and how. 


Quote

I don't even know when I made it private and how.

About a couple of years ago iirc. To change it, click your name, then Profile in the dropdown options, then Edit Profile (go to My Privacy Settings) and change from Private to Friends Only. Follow the rest of the settings as advised in the OP to keep your account safe.


Keeping this all in one thread, Valve has helpfully posted details on how to further protect your Steam account.

To ensure that the message is very clear, I will post it in full. What I posted previously in this thread still stands and goes hand-in-hand with Valve precautions.

We've seen a lot of Steam users lose access to their Steam accounts. Most often it’s because an attacker has compromised a user's email account. That email account can then be used to change the password and email address on that user's Steam account, blocking access to their games and items.

There are several methods attackers use that are hard to combat: malware in the guise of other programs like a ‘TeamSpeak update or missing audio codec’ or a ‘CS:GO weapon upgrader!’, malware disguised as images and screenshots, identifying users who reuse passwords on their Steam and email accounts, or via an exploit in their web browser or operating system.

It's a complicated situation and even very sophisticated Steam users can fall victim. Any Steam user who has made a purchase or earned a trading card has value in their account and should use these new features to protect it and all the time invested. 
 

Account recovery with a phone number


Add a phone number to my account
Read the FAQ

By associating a phone number with your Steam Account you can easily regain access if:

  • You forget your password
  • You lose access to your email account
  • You get a new smartphone or lose your mobile authenticator
  • Your account is compromised 

Steam can send you a text message to get you back into your account.

 

Steam Mobile Authenticator through the Steam Mobile app


Get the Steam Mobile app
Read the FAQ

Using the Steam Mobile app on iOS or Android, you can:

  • Confirm log ins to your Steam account
  • Confirm trades
  • Confirm Community Market listings 

Using a second device (aka 2 factor authorization) makes it very difficult for an attacker to access your account, even if they obtain your password, without physical access to your mobile device.

You can manage your Account Security and phone number anytime from your Account Details page.

Source

 


I'm using the Steam authenticator. It's quite clever: it pops up on the phone screen when Steam requires a new code.


If it's worth saying, say it more than once...

Quote

What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don't understand how to stay secure online, but the prevalence of items make it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.  We can help users who've been hacked by restoring their accounts and items, but that doesn't deter the business of hacking accounts. It's only getting worse.

An update from Steam has been published on why accounts are compromised and on the tweaks made to operations to protect accounts. It's now viable for groups of skilled darknet hackers to consider this a lucrative job opportunity; flash enough neon lights and the hackers will come (I'd advise avoiding showing your full or partial inventory in screenshots/videos). This is why I created this thread: to help prevent you from becoming a victim and to share useful tips.

There are around 77,000 accounts being hijacked nearly every month. It's a growing problem and why it's so important to enable Steam Guard. At one point there was also consideration over removing the Steam Market to take away the possibility of potential hijacks, but it was thought to be an over-reaction; knowing Gabe Newell, he'd have strongly opposed this.

Install Steam on your mobile and activate it to protect your account and Steam Market transactions. Two-factor authentication protects your account and any transactions, and allows access to your account on other devices, for peace of mind. IMPORTANT: If you are changing the mobile number you are using for Steam Guard, deactivate Steam Guard first on the phone you no longer wish to use it on; you can't enable it on another number without deactivating first, as this is for your protection. For those on PAYG and not contract, ensure you use the phone regularly to avoid the SIM card being deactivated. I know some that use spare mobiles but this is unwise.

Quote

We felt that two-factor authentication was secure enough that it would protect anyone who enabled it, so the problem was the accounts that couldn't enable it (e.g. no mobile phone access). In the end, we arrived at the changes we're deploying today:

  • Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.
  • If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.
  • Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.

Source


Christmas DDOS attack, Valve explains

Some may have missed this announcement from Valve yesterday. The full statement (at the end of this post) explains the issue of why so many people were seeing other accounts' information due to incorrect caching protocols.

In short, genuine users saw other users' cached traffic after the initial DDoS attacks, before Valve quickly decided to completely cut access to their network to fix this issue and allow the attacks to fall off. I didn't raise this here as I awaited what their investigations revealed, but until yesterday there was no advice either way. However, you could tell if you were affected if your account showed other games you don't own, friends were listed that you don't recognise, or it even showed pages in other languages.

Going forward: IF this occurs and you are at all worried (although it is very unlikely in future), don't browse on Steam, Workshop or the Marketplace, or view account information. It's fine to play games or stay in game. I'm not aware of anyone who had played games on accounts other than their own or via Family Share; however, any infractions outside your control due to a compromised account should be raised with Valve via this page where there is genuine concern.

Note that other popular gaming platforms are targeted by hacking groups. They claimed (they shall remain unnamed) this is to raise security awareness, but in doing so they put so many ordinary consumers at risk. Push hard enough and sure enough you'll find faults. The issue is that these groups one-up each other, or team up, leading to even larger loads - well above peak periods - making a mockery of the hypothesis of better security.

Quote

Early Christmas morning (Pacific Standard Time), the Steam Store was the target of a DoS attack which prevented the serving of store pages to users. Attacks against the Steam Store, and Steam in general, are a regular occurrence that Valve handles both directly and with the help of partner companies, and typically do not impact Steam users. During the Christmas attack, traffic to the Steam store increased 2000% over the average traffic during the Steam Sale.

Source

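As an added illustration (not Valve's code, nor anything from this thread) of the failure mode the post above describes: a shared cache that stores a per-user page keyed on the URL alone will hand the first visitor's page to the next visitor, and marking per-user responses as non-cacheable is one standard defence. The cache model, user names and billing strings below are constructed assumptions, not details of the real incident.

```python
"""Simulation of a shared cache leaking one user's page to another.

Assumed model (not Valve's): an origin server renders a per-user
checkout page; a shared cache in front of it keys entries on the
request path only and honours the response's Cache-Control header.
"""
from typing import Dict, Tuple

# Constructed sample data: saved billing details shown on each
# user's own checkout page.
BILLING = {
    "alice": "Alice Example, 1 Sample St, card ending 42",
    "bob": "Bob Example, 9 Test Ave, card ending 17",
}


def origin(user: str, path: str, private: bool) -> Tuple[str, Dict[str, str]]:
    """Render the checkout page for `user`. With private=True the response
    forbids shared caching; otherwise it is marked publicly cacheable."""
    body = f"checkout for {user}: {BILLING[user]}"
    cache_control = "private, no-store" if private else "public, max-age=300"
    return body, {"Cache-Control": cache_control}


class SharedCache:
    """Cache keyed on path only; it does not know which user is asking."""

    def __init__(self, private_pages: bool):
        self.private_pages = private_pages
        self.store: Dict[str, str] = {}

    def get(self, user: str, path: str) -> str:
        if path in self.store:
            return self.store[path]  # served regardless of requesting user
        body, headers = origin(user, path, self.private_pages)
        cc = headers["Cache-Control"]
        # Only store responses the origin allowed a shared cache to keep.
        if "no-store" not in cc and "private" not in cc:
            self.store[path] = body
        return body


def leaks_between_users(private_pages: bool) -> bool:
    """True if bob receives alice's checkout page through the cache."""
    cache = SharedCache(private_pages)
    cache.get("alice", "/checkout")
    return "alice" in cache.get("bob", "/checkout")
```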

Follow up: Christmas DDOS attack, Valve apologises 

I'm posting this as an update to the DDoS attack on the 25th December (outlined in the previous post above), as Valve has today (4th March) sent emails to those who were affected.

They've apologised, and rightly so; however, a lack of trust may put off a small number of people from further purchases - perhaps a Steam digital wallet code as a gesture of goodwill?

If you don't receive an email this week you can count yourself lucky, or perhaps fortunate that you didn't access Steam during the time of the caching issue (11:50 ~ 13:20 PST). However, if you are one of the 1,700 accounts accessed by a single IP you shall receive a copy of this email (below) along with instructions on what to do next. Don't worry, it's not mine; I've checked the link and it's legit (plus I have a lot of good security tools to check for exploits), however be careful about clicking links in yours if unsure.

Steam support email...

Quote

Dear Steam User,
 
As you may know, for a brief period on December 25th, a configuration error resulted in some Steam users seeing incorrectly cached Steam Store pages generated for other Steam users. If you are not familiar with the issue, an overview of what happened is available at http://store.steampowered.com/news/19852/ .
 
If you accessed the Steam Store between 11:50 PST and 13:20 PST on December 25th, your account could have been affected by this issue. If you did not use the Steam Store during that time, your account was not affected.
 
Between the times above, a requested web page displayed during your Steam Store checkout process may have been incorrectly displayed to another Steam user in your local area. This page may have included billing information previously saved to complete future purchases including your full name, billing address and billing phone number. It may have also included the last two digits of a credit card number or a PayPal email address, if previously saved for future purchases. It did not include full credit card numbers, Steam account passwords, or other information that would allow another user to complete a transaction with your billing information.
 
We are contacting you because an IP address previously used by your account to access Steam made a web page request as described above. Because IP addresses are commonly shared for home networks, mobile devices and by internet providers, we are unable to verify that your account was actually the one that made this request. For example one affected IP address was previously used by over 1,700 Steam accounts. Consequently we are notifying all users who have previously used this IP address.
 
This event did not make it possible to compromise your Steam account or make a fraudulent transaction from your account, but we want you to be aware of what information could have been seen by another Steam user.
 
We're sorry this happened and have taken steps to prevent this problem from occurring in the future.
 
If you used the store between 11:50 PST and 13:20 PST on December 25th and you have questions please email cachingissue@steampowered.com.
 
- Valve
