Valve tries to curb Steam account hijacking with 'trade holds,' two-factor security

Users without two-factor authentication must now wait a few days for trades go through.


Valve is taking some drastic measures to prevent Steam account hijacking and item theft.

Starting now, users will need to enable two-factor authentication if they want item trades to go through immediately. Otherwise, they’ll have to wait up to three days for transactions to clear. (If both parties to the trade have been friends for at least a year, they’ll only have to wait one day.)

The idea is that users would have time to see and stop a trade in the event of a hack. And with two-factor authentication, unauthorized access is less likely in the first place, which is why those users are getting an exemption.

Why this matters: As Valve noted in a Steam news post, item theft has become a big business, with roughly 77,000 accounts “hijacked and pillaged” every month. Rare collectible items in games like Counter Strike: Global Offensive can fetch thousands of dollars, motivating hackers to target as many people as they can, and then offload their haul to innocent buyers. Valve doesn’t punish those buyers by taking away their purchases, but also usually restores a victim’s items after a hack. This in turn devalues the entire market, and doesn’t solve the underlying problem.

Can’t please (or defend) everyone

The option of two-factor authentication or a trade escrow seems like a decent fix for an ailing system, but not everyone is happy. A couple of user petitions have popped up on and iPetitions, the latter of which is nearing 30,000 signatures.

The petitions are not especially well-articulated, but one issue appears to be the authentication method Valve is using. Rather than go with a generic solution based on SMS or a third-party app like Google Authenticator, Valve is baking two-factor authentication into its own Steam app. The app allows users to view pending trades on their phones, and Valve argues that it’s more secure than email or password-based authentication. (Valve doesn’t really explain why an SMS-based system wouldn’t work.) In any case, the petitions point out that there’s no Steam app for Windows Phone, and not everyone has a smartphone to begin with.

Of course, those users can still deal with the waiting period, but the counter-argument is that third-party trading sites like Opskins and betting sites like CSGOShuffle will be hindered, and that trading as a whole will diminish. (A related theory is that Valve is trying to clamp down on off-site trading and boost its own revenue.)

Meanwhile, some hackers are already trying to turn the trade escrow news into an opportunity. As MalwareBytes has documented, a fake version of CSGOShuffle has emerged, prompting traders to download an application if they want to skip the three-day waiting period. This application turns out to be malware.

This story, "Valve tries to curb Steam account hijacking with 'trade holds,' two-factor security" was originally published by PCWorld.