Steam Security and Support Issues

May 23, 2024
Back in January, I was targeted for a cyber attack. I believe the primary objective of this attack was an account hijacking to refund games and use the Steam wallet and market to convert it back into real money. The attack was far from subtle, with the email being changed to one of a foreign domain and the language also being changed before mass-refunding £200 worth of games. All other accounts compromised by this attack had locked themselves down until I went through the appropriate steps to recover them; Steam, however, did not.

After recovering the Steam account and going through Steam Support, I was left unsatisfied, to put it lightly: Steam Support simply told me to rebuy the games and then automatically closed the support thread. While I don't expect to be reimbursed, I do expect a response comprised of more than just "give us money".

While I acknowledge my own security failing and how some of Steam's security may have been bypassed, I still think it is unacceptable. The attack should have raised suspicion and would have been seen in the database, and the account should have been locked down further than just email authentication when the email had been changed. This post won't achieve much, but I still feel I need to voice my complaints, as this is completely unacceptable in my opinion.
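The takeover pattern described in the post (contact e-mail changed, account language changed, then a burst of refunds) is the kind of sequence a platform's risk engine can score. The following is an added example written for this page, not Steam's code and not the poster's: a small heuristic run over a constructed event log. The event kinds, field names, thresholds and sample records are all constructed for illustration.

```python
"""Heuristic account-takeover scoring over a constructed account-event log.

Added example: flags an account when a contact e-mail change is followed, within
a short window, by a locale change and a burst of refunds. Event kinds, fields,
thresholds and the sample log are constructed, not taken from any real platform.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    account: str
    kind: str          # constructed kinds: login, email_change, locale_change, refund
    detail: str = ""


# Constructed sample log: acct-A is a normal user; acct-B matches the described takeover.
SAMPLE_LOG = [
    Event(datetime(2024, 1, 10, 9, 0), "acct-A", "login", "geo=GB"),
    Event(datetime(2024, 1, 10, 9, 5), "acct-A", "refund", "9.99"),
    Event(datetime(2024, 1, 12, 3, 1), "acct-B", "login", "geo=unknown"),
    Event(datetime(2024, 1, 12, 3, 2), "acct-B", "email_change", "old.example.org -> new.example.test"),
    Event(datetime(2024, 1, 12, 3, 3), "acct-B", "locale_change", "en-GB -> xx-XX"),
    *[Event(datetime(2024, 1, 12, 3, 5 + i), "acct-B", "refund", "19.99") for i in range(10)],
]

WINDOW = timedelta(hours=1)   # constructed: how close the events must be
REFUND_BURST = 5              # constructed: refunds in the window that count as a burst


def score_account(events, account, window=WINDOW, refund_burst=REFUND_BURST):
    """Return (score, reasons) for one account; the caller decides the lock threshold.

    Scoring is a heuristic chosen for this example: the e-mail change is the anchor,
    a locale change near it adds one point, a refund burst after it adds two.
    """
    evs = sorted((e for e in events if e.account == account), key=lambda e: e.ts)
    score, reasons = 0, []
    email_changes = [e for e in evs if e.kind == "email_change"]
    if not email_changes:
        return score, reasons
    anchor = email_changes[0].ts
    score += 1
    reasons.append("contact e-mail changed")
    if any(e.kind == "locale_change" and abs(e.ts - anchor) <= window for e in evs):
        score += 1
        reasons.append("language changed within window of e-mail change")
    refunds = [e for e in evs if e.kind == "refund" and anchor <= e.ts <= anchor + window]
    if len(refunds) >= refund_burst:
        score += 2
        reasons.append(f"{len(refunds)} refunds within {window} of e-mail change")
    return score, reasons


def accounts_to_lock(events, threshold=3):
    """Accounts whose score reaches the threshold: lock and require a step-up factor
    that does not depend on the newly set e-mail address."""
    return [a for a in sorted({e.account for e in events})
            if score_account(events, a)[0] >= threshold]


if __name__ == "__main__":
    for acct in ("acct-A", "acct-B"):
        print(acct, score_account(SAMPLE_LOG, acct))
    print("lock:", accounts_to_lock(SAMPLE_LOG))
```

The point of the second factor in `accounts_to_lock` is the one the post makes: once the e-mail has been changed, confirming the change by e-mail only proves control of the new address, so the step-up has to go to something the attacker has not just replaced.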
 
Back in January, I was targeted for a cyber attack. I believe the primary objective of this attack was an account hijacking to refund games and use the Steam wallet and market to convert it back into real money. The attack was far from subtle, with the email being changed to one of a foreign domain and the language also being changed before mass-refunding £200 worth of games. All other accounts compromised by this attack had locked themselves down until I went through the appropriate steps to recover them; Steam, however, did not.

After recovering the Steam account and going through Steam Support, I was left unsatisfied, to put it lightly: Steam Support simply told me to rebuy the games and then automatically closed the support thread. While I don't expect to be reimbursed, I do expect a response comprised of more than just "give us money".

While I acknowledge my own security failing and how some of Steam's security may have been bypassed, I still think it is unacceptable. The attack should have raised suspicion and would have been seen in the database, and the account should have been locked down further than just email authentication when the email had been changed. This post won't achieve much, but I still feel I need to voice my complaints, as this is completely unacceptable in my opinion.
Steam's customer service is terrible.

You may know all the following, but since I worked in cybersecurity, I feel obligated to share this information anyway.

Never use the same password for your email that you use anywhere else. If you use your email for security purposes, as most people do, you should make this password uncrackable.

You can come up with a formula that makes everything easy to remember, and yet has a different password on every account. Hackers take the easy way out, and will just move on to the next person if your passwords are different. For instance, if you have a Gmail account, you could use gmailYouveGotMail3865! If you have a bank account at Citibank, you could use citibankWhoLovesMoney(numbers of your bank card PIN plus !). These are easy to remember, can't be brute-forced, and no hacker is going to get that lucky to guess them. The "WhoLovesMoney" is itself likely unhackable.

Never enter account information into a pop-up window or as a response to an email. Never. There are no deals or contests or giveaways worth losing your accounts over.

Never enter your Steam account information in order to link your Steam account to another service. A genuine request to link your Steam account will not require you to enter your username and password unless you have logged out of the Steam app. If this happens, close everything down and log into the Steam app and then go back and link your account without having to enter your Steam credentials.

Sorry this happened to you. That's really all I have.
 
Steam's customer service is terrible.

You may know all the following, but since I worked in cybersecurity, I feel obligated to share this information anyway.

Never use the same password for your email that you use anywhere else. If you use your email for security purposes, as most people do, you should make this password uncrackable.

You can come up with a formula that makes everything easy to remember, and yet has a different password on every account. Hackers take the easy way out, and will just move on to the next person if your passwords are different. For instance, if you have a Gmail account, you could use gmailYouveGotMail3865! If you have a bank account at Citibank, you could use citibankWhoLovesMoney(numbers of your bank card PIN plus !). These are easy to remember, can't be brute-forced, and no hacker is going to get that lucky to guess them. The "WhoLovesMoney" is itself likely unhackable.

Never enter account information into a pop-up window or as a response to an email. Never. There are no deals or contests or giveaways worth losing your accounts over.

Never enter your Steam account information in order to link your Steam account to another service. A genuine request to link your Steam account will not require you to enter your username and password unless you have logged out of the Steam app. If this happens, close everything down and log into the Steam app and then go back and link your account without having to enter your Steam credentials.

Sorry this happened to you. That's really all I have.
I believe the source of the attack was a keylogger, as a lot of the games I play are legacy titles that won't work out of the box and the original downloads are offline, requiring the use of archive sites. I knew the risk and should have been more careful to check all the files I used; however, Steam was the only one of my accounts to be actually breached, with the rest being locked down.

Growing up, I've received numerous lectures on cybersecurity, all of them essentially the same and only covering a very basic understanding, yet your method of making unique passwords is completely new to me. I will be implementing this in the future and only wish for it to be further publicised. Thank you.
 

Zloth

Community Contributor
That reminds me...

Whenever I put in my credit card info, I always leave out all instances of one digit. Once I get the rest of the number in, I use the mouse to select the location(s) of the digits I left out in the number, then put those in. For instance, if my credit card number was 12345678900987654321, then I might type in 123457890098754321, then I would put the 6s in by using the mouse to select the locations. My theory is that, even if a key logger is recording mouse clicks, it's only going to have an x/y coordinate for where I'm clicking. They might still be able to figure it out, but it's going to be vastly harder to parse than the people that just put the number in straight up. (You don't have to be faster than the lion, just faster than the other guy running from the lion.)

Is that theory even remotely true, or is it just a load of copium?
 
That reminds me...

Whenever I put in my credit card info, I always leave out all instances of one digit. Once I get the rest of the number in, I use the mouse to select the location(s) of the digits I left out in the number, then put those in. For instance, if my credit card number was 12345678900987654321, then I might type in 123457890098754321, then I would put the 6s in by using the mouse to select the locations. My theory is that, even if a key logger is recording mouse clicks, it's only going to have an x/y coordinate for where I'm clicking. They might still be able to figure it out, but it's going to be vastly harder to parse than the people that just put the number in straight up. (You don't have to be faster than the lion, just faster than the other guy running from the lion.)

Is that theory even remotely true, or is it just a load of copium?

The problem is that once you're done, your credit card number can still be intercepted as it's being sent to wherever it is you're sending it to.
 
Saved my butt recently. Think my Microsoft password got pilfered in the relatively recent LastPass breach, as I'd been getting 2FA requests on my Outlook app from Russia.

Thankfully easy enough to deny and I went and changed my password.
I have it set up on everything important, to my phone number/Authenticator apps.

Only thing that sucks about it a bit is when I broke the screen on a phone and couldn't update the Google Authenticator to the new phone without the old one being functional. Can't remember how I got around that now, but managed somehow.
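What an authenticator app actually holds, and why it cannot simply be "updated" onto a new phone without the old one, is easiest to see from the algorithm itself. The block below is an added example written for this page (not Google Authenticator's code and not from the thread): a from-scratch implementation of RFC 4226 HOTP and RFC 6238 TOTP using only the standard library. The base32 secret in the demo is the RFC 6238 test key, used here as a constructed enrolment secret.

```python
"""RFC 4226 HOTP / RFC 6238 TOTP from scratch (added example, standard library only).

The authenticator stores one shared secret per account; every six-digit code is
HMAC(secret, current 30-second step), truncated. Moving to a new phone therefore
means moving (or re-issuing) the secret, and any recovery path that lets you in
without it is only as strong as whatever that path checks instead.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, timestamp // step, digits, digestmod)


def verify_totp(secret: bytes, code: str, timestamp: int, skew_steps: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step and +/- skew_steps to absorb clock drift.

    Constant-time comparison; a wider window trades security for usability.
    """
    for delta in range(-skew_steps, skew_steps + 1):
        candidate = totp(secret, timestamp + delta * step, step=step, digits=digits)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def secret_from_base32(b32: str) -> bytes:
    """Apps exchange the secret as base32 (the 'secret=' value in the enrolment QR code)."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)          # restore padding the QR form omits
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # Constructed enrolment secret for the demo: the RFC 6238 test key in base32.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "verifies:", verify_totp(secret, code, now))
```

Because the phone holds the secret and the server holds a copy, the only lossless migration is exporting the secret (which some apps support) or re-enrolling, which rotates it; printed backup codes exist precisely for the broken-screen case.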
 
I had a somewhat small scam happen to me from another Steam user. I was messaged by someone I played Counter-Strike 2 with and trusted, and they asked me if I wanted to play in a tournament. I said let me check it out, but I guess even just going to the website gave them my login info and access to whatever skins and loot boxes I had in my account, because that's all I literally did.

I lost 0 dollars in actual money, but probably like 20-30 bucks in skins/boxes before I stopped them. They are roughly 2-3 bucks, but I have like 2 pages of boxes that place the value well over that, so I didn't lose everything.

I have 2-3 skins that didn't get taken, though, that were a good 60-70 worth (all bought with money I made selling other skins and boxes), but still, I lost some stuff and Steam was just like "SUCKS TO BE YOU DUMMY". I messaged the guy that originally sent me the message and he was floored to find out his account had messaged a bunch of his friends. I don't know if he lost anything or not.

I was only made aware by another friend who said I was messaging them weird Counter-Strike stuff. So I'd say the hacker had roughly 15 minutes of access to my account, which was enough time to trade away stuff I had in my Counter-Strike inventory, but I stopped it there and was able to message the 7 or 8 people that were sent messages from my account, and changed email/passwords/authenticator etc.

So it's like, yeah, I guess I shouldn't have clicked that website link, but I also feel that Steam somehow should be able to stop this stuff or at least reimburse me, because you can clearly see I "traded" stuff with a very sketchy profile.

Oh well, lesson learned.
 
I have it set up on everything important, to my phone number/Authenticator apps.

Only thing that sucks about it a bit is when I broke the screen on a phone and couldn't update the Google Authenticator to the new phone without the old one being functional. Can't remember how I got around that now, but managed somehow.

I got a new phone last fall, and stupid me forgot to update Google Authenticator before wiping my old phone. I don't remember how I got around it, either. I think I had to sign in to my account and unlink my prior device or something along those lines.
 
I got a new phone last fall, and stupid me forgot to update Google Authenticator before wiping my old phone. I don't remember how I got around it, either. I think I had to sign in to my account and unlink my prior device or something along those lines.
Could well be that, which kind of makes it quite a bit less secure.

Quick search shows that generally people say Google is the worst authentication app anyway; should look into that really.
 
Could well be that, which kind of makes it quite a bit less secure.

Quick search shows that generally people say Google is the worst authentication app anyway; should look into that really.

Oh for sure. I was more than a bit concerned when it didn't seem to be too much effort to get around it. I was frustrated at first, but then I remember feeling like, "wait, that was it??!!!".

But on the other hand, I feel like other options won't help much anyway being that as a long-time Android user, Google has had my information to begin with almost 15 years running. I mean, who needs a keylogger when Google is already snooping in on your business.
 
None of that protects you from phishing if they catch you on a bad day and you fall for it, unfortunately.

Which is why phishing has become much more common over the last few years. Some Googling suggests about 95% of companies have been targeted by phishing attempts and almost all of them had at least one breach because of it.

I've personally only received one phishing email that I can remember on my work account and that was a test from our IT department.
 
Which is why phishing has become much more common over the last few years. Some Googling suggests about 95% of companies have been targeted by phishing attempts and almost all of them had at least one breach because of it.

I've personally only received one phishing email that I can remember on my work account and that was a test from our IT department.

My wife was a victim of it a couple of years ago, and it had a negative impact on her business. Thankfully she's mostly recovered. It's sickening how easy it is to fall for it if you don't have your guard up. Even with all the security training I've had over the years (and I hate to admit I'm in the tech field and should know better), I still almost fell for it a couple of times just because my guard was down. And some of the breaches they mention in those trainings are scary.
 
I crack up at some of these retailers' website authentication features, like Home Depot's. After you enter your username, you will be asked to enter the passkey that was just automatically emailed to you, but you have an option to enter your password instead. If you choose to enter your password instead, at the next screen it will ask you for the passkey they just emailed you. :ROFLMAO:
 
Now that extended characters are allowed in URLs, even having your guard up might not be enough. If you're expecting a package from the United Parcel Service and get an email from UΡS.com, are you going to realize that the P is really a capital rho? (I presume UPS covered that one, but you get the idea.)
You can copy and paste the address into this: https://transparencyreport.google.com/safe-browsing/search?hl=en

There is also an extension you can use while browsing, I think. uBlock will stop you from going to these websites as well.

Nothing is 100 percent, but these are helpful tools.

As far as browsers, you can enable punycode display in most browsers except for Chrome. Chrome should automatically fix the address, but you can download an extension that will warn you if the address uses punycode. This won't really help in an email, obviously.

****
In a banking setting, you were not allowed to even open a phishing email, much less respond to it. When we did audits, if I sent you a phishing email and you opened it, you were in violation. This goes back to an Outlook vulnerability that doesn't exist anymore.

I think I was the only employee to never open a phishing email during audits (we, the auditors, were constantly being audited, too). I even got the CEO to open a phishing email.

People were constantly trying new things to fool us. Even now my brain is so suspicious of everything I'm not even sure what it would take to make me respond to a phishing email. I delete 99 percent of everything I get without opening it. It's not so much being savvy as it is taking the nuclear option :)
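The homograph trick raised above (the UΡS.com example with a Greek capital rho) and the punycode display setting discussed in the reply can both be shown in a few lines. The following is an added example written for this page, not code from either poster or from any browser: it reports the scripts used in each hostname label, lists non-ASCII letters by their Unicode name, and produces the `xn--` form a browser with punycode display would show. The "UΡS.com" input is the thread's own example; "café.example" and the Cyrillic "pаypal.example" are constructed.

```python
"""Flag mixed-script hostnames and show their punycode form (added example, stdlib only).

A browser's IDN display policy is, roughly, "show Unicode only when the label is
single-script and not confusable; otherwise show punycode". This reproduces that
idea with a coarse script check based on Unicode character names.
"""
import unicodedata

SCRIPTS = {"LATIN", "GREEK", "CYRILLIC", "ARMENIAN", "HEBREW", "ARABIC"}


def script_of(ch: str) -> str:
    """Coarse script from the character name, e.g. 'GREEK CAPITAL LETTER RHO' -> 'GREEK'."""
    first = unicodedata.name(ch, "UNKNOWN").split()[0]
    return first if first in SCRIPTS else "OTHER"


def label_scripts(label: str) -> set:
    """Scripts of the letters in one DNS label (digits and hyphens are ignored)."""
    return {script_of(c) for c in label if c.isalpha()}


def to_punycode(host: str) -> str:
    """ASCII form of the host: each non-ASCII label becomes xn--<punycode>."""
    return host.encode("idna").decode("ascii")


def analyse_host(host: str) -> dict:
    """Describe a hostname the way a cautious URL bar might before rendering it."""
    host = unicodedata.normalize("NFC", host).lower()
    mixed = False
    non_ascii = []
    for label in host.split("."):
        if len(label_scripts(label)) > 1:
            mixed = True
        non_ascii += [f"{unicodedata.name(c)} (U+{ord(c):04X}) in '{label}'"
                      for c in label if ord(c) > 127]
    punycode = to_punycode(host)
    return {
        "host": host,
        "punycode": punycode,
        "mixed_script": mixed,
        "non_ascii": non_ascii,
        # What to render: the ASCII form whenever a label mixes scripts.
        "display": punycode if mixed else host,
    }


if __name__ == "__main__":
    for h in ("UΡS.com", "ups.com", "café.example", "pаypal.example"):
        r = analyse_host(h)
        print(r["display"], "| mixed:", r["mixed_script"], "|", "; ".join(r["non_ascii"]) or "ASCII")
```

A legitimate internationalised name such as café.example is single-script and stays readable, while the rho in UΡS.com makes the label Latin-plus-Greek and forces the xn-- form; as the reply notes, this only helps where the address is actually rendered by such a policy, which an e-mail body generally is not.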
 

Zloth

Community Contributor
In a banking setting, you were not allowed to even open a phishing email, much less respond to it. When we did audits, if I sent you a phishing email and you opened it, you were in violation. This goes back to an Outlook vulnerability that doesn't exist anymore.
I'm still nervous about them. I only preview the first two lines in the list instead of having the big window of a preview. However, to report a phishing email, I have to open the email for the button to appear!
 
