Valve talks about upcoming changes to their security and trading policies

Christmas truly is a time of miracles because Valve have actually come out and spoken in-depth about an important topic that's been circulating the Steam forums recently, that of account security and trading. To say Valve has little community interaction would be one hell of an understatement, so when they do actually talk, it tends to be worth listening to.

In the recent announcement they have confirmed that there is indeed a rise in the number of hacked Steam accounts, but they've also detailed all the various options available to them as well as what they're going to do about it moving forward. I'll do a brief overview of the announcement but if you want to read the full version yourself head over here.

First of all, there is some bad news. The number of people who make a business out of stealing Steam accounts has increased significantly and they aren't just targeting new and inexperienced users anymore.

"What used to be a handful of hackers is now a highly effective, organized network, in the business of stealing and selling items. It would be easier for them to go after the users who don't understand how to stay secure online, but the prevalence of items make it worthwhile to target everyone. We see around 77,000 accounts hijacked and pillaged each month.

These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc. Users can be targeted randomly as part of a larger group or even individually. Hackers can wait months for a payoff, all the while relentlessly attempting to gain access. It's a losing battle to protect your items against someone who steals them for a living."

While this does mean that everyone is theoretically at risk, I'd still wager that it's those with relatively weak passwords, or bad browsing habits, that are the most affected, and that is an area you can fortify yourself. Make sure you have different passwords for every single high-profile account you use and, this should be obvious, don't install random junk from the Internet and don't click on suspicious links you get sent through Steam chat because no, it is not actually your brother.

Again, this won't protect you from someone who is both skilled and seriously after your account but in the vast majority of cases it will.

So what Valve has decided to do is to create their own version of a mobile authenticator, so even if someone somehow gets complete control over your Steam account they can't do anything with it, because all important changes and trades would need to be confirmed via the authenticator. Unfortunately, this does mean that third-party authenticators will simply not work with this system.

"We needed to create our own two-factor authenticator because we need to show users the contents of the trade on a separate device and have them confirm it there. Requiring users to take a code from a generic authenticator and enter it into a hijacked PC to confirm a trade meant that hackers could trick them into trading away items they didn't intend to. This basically made it impossible to use a generic third party authenticator, such as Google Authenticator, to confirm trades."
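The difference Valve describes, sketched as an added example that is not from the announcement and is not Steam's actual protocol: a standard RFC 6238 TOTP code depends only on the secret and the clock, so it validates whichever trade the hijacked PC submits, while a confirmation computed over the trade shown on the second device only validates that exact trade. The function names, the shared secret, the JSON encoding and the sample trades are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1). Input is only the secret and the clock."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def trade_tag(secret: bytes, trade: dict) -> str:
    """Hypothetical trade-bound confirmation: MAC over the trade the phone displayed."""
    canonical = json.dumps(trade, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, canonical, hashlib.sha256).hexdigest()

def accepts_code(secret: bytes, code: str, now: int, submitted_trade: dict) -> bool:
    # The server cannot tie the code to submitted_trade: the code never saw it.
    return hmac.compare_digest(code, totp(secret, now))

def accepts_tag(secret: bytes, tag: str, submitted_trade: dict) -> bool:
    # The tag only verifies for the exact trade the user approved.
    return hmac.compare_digest(tag, trade_tag(secret, submitted_trade))

# Constructed sample data, not real accounts or items.
SECRET = b"constructed-demo-secret"
NOW = 1_450_000_000
INTENDED = {"to": "friend", "give": ["sticker"], "receive": ["case key"]}
SWAPPED = {"to": "stranger", "give": ["knife", "sticker"], "receive": []}

def demo() -> dict:
    code = totp(SECRET, NOW)           # typed into the PC for the INTENDED trade
    tag = trade_tag(SECRET, INTENDED)  # approved on the phone after reading INTENDED
    return {
        "code_accepted_for_swapped": accepts_code(SECRET, code, NOW, SWAPPED),
        "tag_accepted_for_swapped": accepts_tag(SECRET, tag, SWAPPED),
        "tag_accepted_for_intended": accepts_tag(SECRET, tag, INTENDED),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```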

But with every sweeping change there will be issues, and in this case that translates to a less than ideal experience for people that either won't or can't use the new authenticator. So with all of that in mind Valve have made a compromise and come to the following system that will be deployed later today:

"- Anyone losing items in a trade will need to have a Steam Guard Mobile Authenticator enabled on their account for at least 7 days and have trade confirmations turned on. Otherwise, items will be held by Steam for up to 3 days before delivery.

- If you've been friends for at least 1 year, items will be held by Steam for up to 1 day before delivery.

- Accounts with a Mobile Authenticator enabled for at least 7 days are no longer restricted from trading or using the Market when using a new device since trades on the new device will be protected by the Mobile Authenticator.

This means that anyone using the Steam Guard Mobile Authenticator to confirm trades is able to continue trading as always. Users who haven't enabled it, or can't, can still trade, but they'll have to wait up to 3 days for the trade to go through. This gives both Steam and users the time to discover their accounts have been hacked and recover it before the hackers can steal their items."

This system is clearly not perfect, and Valve themselves know it, but if what they say is true (they have no reason to lie about this) and there is a big increase in hacked accounts I really don't see another way of doing things.

It's just unfortunate that people with Windows phones that don't have an official Steam app, or people without phones altogether, will have to bear with significantly slower trading times. Hopefully they'll release physical authenticators, much like how Blizzard did, sometime in the future and solve most of these issues in a single move.