Gaming vendor Valve is admitting that it has a problem with account theft in its Steam gaming community and is now taking steps to protect users. Whether or not the new user protections put in place by Valve are enough to protect Steam remains to be seen.
“We see around 77,000 accounts hijacked and pillaged each month,” Valve stated in a post explaining its new security efforts. “Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It’s a losing battle to protect your items against someone who steals them for a living.”
A key target for account hijackers has been the Steam Trading community, which enables users to trade items with each other.
Valve is now introducing a two-factor authentication (2FA) system for Steam accounts called Steam Guard Mobile. The basic idea behind all 2FA systems is that by having a second factor, or device, that a user needs to have in order to gain access, the risk of account theft is reduced. Rather than simply plugging into an existing 2FA technology, Valve created its own for Steam. Among the popular 2FA technologies in use today is Google’s Authenticator.
“Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn’t intend to,” Valve stated. “This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades.”
Security experts contacted by eWEEK are not surprised by the new security effort from Valve to protect Steam users. According to Mark Stanislav, senior security consultant at Rapid7, Steam and other gaming platforms that involve digital currency have always been an attractive target for criminals. Although Steam is a target, Stanislav noted that only a small percentage of Steam’s approximately 125 million users have had an account hijacked. With approximately 77,000 stolen accounts a month, that represent less than 1 percent of the user base being compromised.
“While this amount is of course a big problem and nontrivial, it shows just how much opportunity attackers have to be successful against a population that immense,” Stanislav told eWEEK.
Rob Sadowski, director of marketing at RSA, the security division of EMC, commented that any service or system where there is potential for financial gain is a target, and the popularity of Steam with the volume of in-game commerce makes it a high-value target. Opportunity is created by the fact that there may not be the type of robust security and fraud controls found in more “conventional” transaction systems—for example, banking—and as such, gaming platforms may be easier to exploit, he said.
“It should also not be overlooked that users may not perceive the same level of risk for their gaming accounts or virtual goods as they would for a banking account or financial transactions,” Sadowski told eWEEK. “So they may be less careful or circumspect in terms of protecting their gaming accounts.”
Regarding the new Steam Guard Mobile two-factor authentication system, Sadowski said strong authentication can be a very effective control to ensure that users are who they say they are.
“However, authentication should be augmented by additional fraud monitoring and controls that can analyze user behavior and highlight high-risk activities that may indicate patterns of fraud or abuse,” Sadowski said.
Stanislav also is optimistic that the Steam Guard Mobile 2FA system will be successful at protecting users, though there are past cases in the gaming world where such systems were defeated.
“Early last year, we saw a piece of malware that would actually intercept two-factor authentication codes for the game World of Warcraft,” he said. “This issue is exactly why Steam implements a process where the user doesn’t simply transmit a code generated on their mobile device into their PC, which may already be infected, but instead performs that authentication action out-of-band via their phone directly to the Steam infrastructure.”
In Stanislav’s view, the method and implementation of Steam’s 2FA system should result in a vast reduction of digital theft if widely used by gamers.
“There’s always a risk that new security issues will be found that could allow an attacker to work around this security control, find weaknesses in the mobile application or social engineer the gamer into doing an action that weakens account security,” Stanislav said. “Still, these new avenues are much harder for your average criminal to achieve and perhaps may result in them looking for a different platform or population to target due to the complexity for success.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.