Why are my Video Games Safer Than my Bank Account?
Valve Software has implemented one of the most widely used two-factor authentication (2FA) clients in the world. Their mobile app handles 2FA for accounts on Steam, their PC gaming platform, and they have pushed adoption by placing limitations on accounts that do not have it enabled. These limitations are mostly focused on trading in-game items: tradeable copies of games, and cosmetic items such as paint jobs, hats, or loot boxes. The nature of these items has created a full-blown economy, with users relying on natural supply and demand to trade items with other users on Steam or through third-party sites. In Valve's own games, most items can only be obtained at random through a paid loot-box system, with rarity tiers deciding how likely a user is to receive a given item. With supply limited by how much money users are willing to put into digital items, and demand driven mostly by how an item looks or how rare it is, many items are worth over $100, and some are worth more than $1,000.
Naturally, we ask: how does a video game company with 400 employees provide better security, on average, for its users than most online banking accounts? In 2012 Valve had none of these protections in place, so what drove them to force users' hands in securing their accounts? Valve's answer was fraud. As these items grew in popularity, they saw people posing as Valve staff or using phishing sites to harvest users' passwords. These attacks were rampant in 2012, and it was nearly impossible to find a Steam profile that did not have bot accounts posting phishing links in its comments. Valve finally added email-based 2FA and required users to confirm trades through it as well. This limited how much damage an attacker could do with a stolen Steam password alone, since trades still could not be completed without access to the email account.
Obviously, this was not the end of the story: phishers were making tens of thousands of dollars and had no intention of stopping. They adopted new tactics, creating malware with the express purpose of harvesting email login credentials and the local Steam session files. These attacks often spread the malware disguised as popular communication programs. One personal encounter was someone who asked me to join their game; they said they were playing in a tournament and needed an extra player. I was a bit on guard, and they asked me to join their voice server. The user gave me a link to what looked like the site for the voice client, but was actually a fake. I caught it because it claimed to be a newer version than the one I had downloaded from the real site, and was a lot smaller. At this point I knew it was a scam, but was amazed by how well orchestrated it was. This was about the time Valve moved all authentication to their mobile app: accounts were temporarily locked when the authenticator changed, and any trade not confirmed through the app was held pending for three days.
Valve has now implemented some of the toughest mandatory account security features in the industry. Their reasoning? To cut down on support having to duplicate items for people who were scammed. While account phishing was a problem for users, Valve was practically forced to duplicate the stolen item for the victim: the original had likely already been sold on to several people, for real money or other items, and could not be deleted without punishing innocent users. With mandatory 2FA and the account limitations that go with it, an attacker can no longer move items out of an account without the owner being notified. At best the attacker might get 2FA removed and trade the item after 18 days, but usually the user would notice by then.
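The two paragraphs above describe a policy rather than an algorithm, but it is easy to see why it works when written out: every trade needs an out-of-band confirmation, a trade confirmed on the mobile authenticator releases immediately, a trade confirmed only by email is held for three days, and a trade after the authenticator is removed is held until the removal cooldown ends (18 days as the post describes it). The following is an added illustration, not Valve's code: the hold durations are taken from the post, the seven-day minimum authenticator age and all names (`Account`, `evaluate_trade`, `demo`) are assumptions, and the scenarios in `demo()` are constructed sample input. The point is that the attacker in the post's scenarios (password plus email session, or password plus a freshly removed authenticator) never gets an immediate release, which is what gives the owner time to notice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Confirmation(Enum):
    """How the trade was confirmed out of band (none, email link, mobile authenticator)."""
    NONE = "none"
    EMAIL = "email"
    MOBILE_AUTHENTICATOR = "mobile"


# Hold durations as the post describes them (assumed policy constants, not Valve's source).
EMAIL_ONLY_HOLD = timedelta(days=3)
AUTHENTICATOR_REMOVAL_HOLD = timedelta(days=18)
# Assumption: an authenticator added very recently is not yet trusted for instant release.
MIN_AUTHENTICATOR_AGE = timedelta(days=7)


@dataclass
class Account:
    authenticator_enabled_at: Optional[datetime]   # None if no mobile authenticator
    authenticator_removed_at: Optional[datetime]   # None if never removed


@dataclass
class TradeDecision:
    allowed: bool
    release_at: Optional[datetime]   # when the items actually move; None if rejected
    reason: str


def evaluate_trade(account: Account, confirmation: Confirmation, now: datetime) -> TradeDecision:
    """Decide whether a trade proceeds and when it releases, per the policy in the post."""
    if confirmation is Confirmation.NONE:
        # A stolen password alone is not enough: trades require out-of-band confirmation.
        return TradeDecision(False, None, "trade requires email or authenticator confirmation")

    if account.authenticator_removed_at is not None:
        cooldown_end = account.authenticator_removed_at + AUTHENTICATOR_REMOVAL_HOLD
        if now < cooldown_end:
            # Removing the second factor does not free the items; it starts a long hold.
            return TradeDecision(True, cooldown_end, "authenticator recently removed; held until cooldown ends")

    trusted_authenticator = (
        account.authenticator_enabled_at is not None
        and now - account.authenticator_enabled_at >= MIN_AUTHENTICATOR_AGE
    )
    if confirmation is Confirmation.MOBILE_AUTHENTICATOR and trusted_authenticator:
        return TradeDecision(True, now, "confirmed on trusted mobile authenticator; releases immediately")

    # Email-only confirmation (or a brand-new authenticator): hold so the owner can cancel.
    return TradeDecision(True, now + EMAIL_ONLY_HOLD, "no trusted authenticator; held for 3 days")


def demo() -> dict:
    """Constructed scenarios from the post; returns hold length in days per scenario (-1 = rejected)."""
    now = datetime(2016, 1, 1, 12, 0, 0)
    owner = Account(authenticator_enabled_at=now - timedelta(days=60), authenticator_removed_at=None)
    no_app = Account(authenticator_enabled_at=None, authenticator_removed_at=None)
    attacker_removed_app = Account(authenticator_enabled_at=None, authenticator_removed_at=now - timedelta(days=1))
    attacker_new_app = Account(authenticator_enabled_at=now - timedelta(hours=2), authenticator_removed_at=None)

    def days(decision: TradeDecision) -> int:
        return -1 if decision.release_at is None else (decision.release_at - now).days

    return {
        "password_only": days(evaluate_trade(owner, Confirmation.NONE, now)),
        "owner_confirms_on_app": days(evaluate_trade(owner, Confirmation.MOBILE_AUTHENTICATOR, now)),
        "email_only_account": days(evaluate_trade(no_app, Confirmation.EMAIL, now)),
        "attacker_removed_app": days(evaluate_trade(attacker_removed_app, Confirmation.EMAIL, now)),
        "attacker_added_new_app": days(evaluate_trade(attacker_new_app, Confirmation.MOBILE_AUTHENTICATOR, now)),
    }


if __name__ == "__main__":
    for scenario, hold_days in demo().items():
        print(f"{scenario}: {'rejected' if hold_days < 0 else f'releases in {hold_days} day(s)'}")
```

Note that the hold is a delay, not a denial: the trade still completes unless someone cancels it, so the policy only helps if the owner is notified and actually looks. That is the same property the post credits for Valve's drop in support load, and it is what the bank comparison in the next paragraph is about.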
Steam accounts are safer than most bank accounts because Valve does not want its in-game economy upset. That only makes me wonder why banks do not do the same; even Bank of America will let you transfer all your money online without a single second-factor prompt or notification.