Account theft is a common and long-standing problem for all kinds of online gaming services, as I can personally confirm after checking all my Diablo III loot from a hacker a few years ago. But Valve says the problem is reaching epidemic proportions on Steam, with “about 77,000 accounts being hijacked and looted every month”. Since the service launched item trading features in 2011, Valve says the problem of account theft “has increased twenty-fold as our users’ number one complaint… What used to be a handful of hackers is now a highly effective, organized network, in the field of stealing and selling items.”
It is not difficult to understand why the problem is increasing. Items in games such as Team Fortress 2 and Counter-Strike: GO can be worth a lot of real money on the secondary market, not to mention the inexplicably popular virtual trading cards floating around Steam's social network. As Valve puts it, “virtually every active Steam account is now involved in the economy, through items or trading cards, with enough value to be worth a hacker’s time. Essentially all Steam accounts are now targets.” Goods transferred from stolen accounts can also be relatively easily offloaded to unsuspecting legitimate customers, making it difficult to reverse the theft once discovered.
Now Valve is taking extra steps to reduce the value of these hacks as they occur. By default, traded items are now “held” by Valve for “up to three days” – hopefully enough time to give users a chance to discover that their account has been compromised (and prevent rapid item transfer/liquidation by the hackers). Users who have enabled two-factor authentication are exempt from this restriction, as their accounts are theoretically safe from most hacking attempts. Transactions between users who have been friends for a year or more are only held for “one day maximum” even without two-factor authentication, as a friendship of that length implies a real relationship between the traders.
Valve said it was considering simply requiring all traders to have two-factor authentication enabled, but said this would unfairly exclude users who cannot use the feature because they do not have a compatible mobile phone. Aside from that, this seems like a good compromise to encourage stronger security practices among Steam users while also discouraging hackers from easily taking advantage of the service’s lowest hanging, least secure fruit.