Steam is by far the largest digital game platform on the Web. It's not uncommon for a gamer using Steam to have hundreds of digital games in their library, along with digital items that can be worth hundreds, if not thousands, of dollars on Steam's virtual marketplace.
Perhaps it's not surprising then that hackers looking to make a buck target the platform and its users. What is surprising is just how many hacks happen every month. According to Valve in a new blog post on account security, around 77,000 Steam accounts are "hacked and pillaged" every month.
"These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc," Valve writes. "Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living."
It's for that reason Valve has implemented a number of additional security measures. Two-step authentication using the platform's Steam Guard Mobile Authenticator came in April, prompting users to confirm their identity with their mobile phone when logging in on a new machine or from a new location.
Most Steam users, however, have not enabled the Mobile Authenticator. This prompted Valve to look at other methods of improving account security, resulting in a just-implemented change to how Steam's trade system works. Previously, the two parties of a trade simply needed to confirm what items they were transferring before clicking accept. Those items would then be moved between accounts as desired. As Valve reveals, hackers have long been using this method to transfer stolen items between accounts, eventually selling the stolen virtual goods to innocent buyers for profit.
"So what if instead of trying to prevent hackers from being able to steal a Steam account that hasn't enabled two-factor authentication, we tried removing their ability to profit from the theft," Valve writes. "If hackers couldn't move the stolen goods off the hacked account, then they couldn't sell them for real money, and that would remove the primary incentive to steal the account. Hackers fundamentally rely on trading to offload stolen goods."
This is where the new trade hold system comes in, as detailed by Valve below:
Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least seven days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to three days before delivery.
If you've been friends for at least one year, items will be held by Steam for up to one day before delivery.
Accounts with a Mobile Authenticator enabled for at least seven days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.
This is a "best of both worlds" approach, so to speak. Those who have Steam Guard Mobile Authenticator enabled are allowed to trade like normal. Those without the extra layer of security will have to wait up to three days for a trade to go through, or one day if the trade is between users who have been friends for at least a year. Having the delay between trade deliveries grants users time to detect missing items or learn that their account has been compromised, allowing them to contact Valve and have their items restored.
"Any time we put security steps in between user actions and their desired results, we're making it more difficult to use our products," Valve writes. "Unfortunately, this is one of those times where we feel like we're forced to insert a step or shut it all down."
The company says it will be paying attention to the community's discussions about the changes and looks forward to hearing their thoughts on the matter.