Valve has released statistics on the number of Steam accounts hijacked by ne'er-do-wells each month, as a means of encouraging users to enable two-factor authentication (2FA) on their accounts and to defend its restrictions on how items can be gifted and traded between accounts.
Valve has been under fire of late for an increasing number of restrictions to user accounts on its Steam digital distribution platform, from locking features away until you spend a certain amount of money
to blocks on cross-border trading
and gifting between non-friends
. The company has long claimed that many of these restrictions are in place to protect its users, but now it has put a number behind the risk for the first time: 77,000 Steam accounts are hijacked each month.
The figure comes from an official but anonymous blog post
warning that account hijacking can affect anyone. 'These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living.
Further claiming that 'all Steam accounts are now targets,
' Valve has advised users to take advantage of the Steam Guard two-factor authentication (2FA) system featured in the Steam smartphone application. When active, this generates random strings on a timer using a seed known only to the client and the server; when logging in to your Steam account, or when conducting certain actions such as trades, you're requested to enter the current string - something that only the person holding the linked smartphone can do.
It's a good feature, but one which few enable. 'At this time, most people have not protected their account with this increased level of security,
' Valve has claimed. 'Many don't believe that they are actually a worthwhile target for a hacker who's out to make money. Some felt they were smart enough about security to not need two-factor authorisation. And other users knew they needed it, but couldn't use it due to reasons beyond their control, like not having access to a mobile phone.
To help change this, Valve has introduced a new set of restrictions: items being traded will be held in escrow by Steam for up to three days, unless the user has been using Steam Guard for at least seven days prior to the trade. Trades between members who have been friends for a year or more will have this restriction dropped to one day.
'Once again, we're fully aware that this is a tradeoff with the potential for a large impact on trading. Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products,
' Valve admitted in the post. 'Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down. Asking users to enter a password to log into their account isn't something we spend much time thinking about today, but it's much the same principle - a security cost we pay to ensure the system is able to function. We've done our best to make the cost as small as possible, for as few people as possible, while still retaining its effectiveness.