Gamasutra: The Art & Business of Making Gamesspacer
View All     RSS
September 3, 2014
arrowPress Releases
September 3, 2014
PR Newswire
View All





If you enjoy reading this site, you might also want to check out these UBM Tech sites:


New phishing scam sees hackers bypass Steam Guard security
New phishing scam sees hackers bypass Steam Guard security
April 17, 2014 | By Mike Rose

April 17, 2014 | By Mike Rose
Comments
    6 comments
More: Console/PC, Business/Marketing



Valve introduced Steam Guard back in 2011 -- an additional security measure that aims to protect users whose Steam accounts are compromised. However, a new phishing scam has seen hackers manage to bypass Steam Guard completely.

When you have Steam Guard activated on your Steam account, and you (or someone else) attempts to log in to your account from somewhere other than your regular computer, a code is sent to your email which must be entered before access can be gained.

A new phishing scam, however, asks for a username and password for Steam, and then tells users that they need to download a special SSFN file from your computer. This file is located in your Steam folder, and is in place to tell Steam Guard that it doesn't need to security check your computer.

As noted by Malwarebytes' Chris Boyd, if you upload your SSFN file through the phishing website, the scammer can then potentially use this file, coupled with a username and password, to gain access to a Steam account and claim it as their own.

This is a relatively new scam that Gamasutra has seen in action just in the last couple of weeks. Scammers use the account to drain it of any credit, items and trading cards that are inside, and then move on to another account -- notably, the scammer cannot purchase anything, since they need to know your card security details.

Valve is aware of the issue, and is warning Steam users not to send their SSFN files to anyone.


Related Jobs

Piranha Games Inc
Piranha Games Inc — Vancouver, British Columbia, Canada
[09.03.14]

Lead Artist
Piranha Games Inc
Piranha Games Inc — Vancouver, British Columbia, Canada
[09.03.14]

Online Software Engineer
Piranha Games Inc
Piranha Games Inc — Vancouver, British Columbia, Canada
[09.03.14]

Systems Engineer
Sony DADC
Sony DADC — Culver City, California, United States
[09.02.14]

Software Engineer – App and Game Development










Comments


Jennis Kartens
profile image
I find it astonishing that people still fall for these kind of blunt and easily to idetify scams.

http://i.imgur.com/BbNfVFI.png

steamncommuniity?!

:(

Jacek Wesolowski
profile image
People are always going to fall for blunt scams, because there is always someone who hasn't heard of them yet (for instance, someone very young). In order to understand this kind of threat, you need to be not only vigilant (I know I would miss that typo, and I've been using computers for 28 years), but also equipped with basic understanding of the underlying principle. In this case, you need to understand that the file in question is kind of like a password, and not like that selfie you uploaded to Instagram yesterday.

Alan Barton
profile image
@"I find it astonishing that people still fall for" etc..

Just because something is obvious to some people doesn't make it obvious to others, because they have other areas of knowledge and interest about the world around us. So it not just the young. Most people will never have enough technical knowledge to spot and catch these scams and problems, because that isn't their area of interest in life and we can never expect them to gain enough knowledge in that area. It will simply never happen, no matter how advanced the future becomes.

Its going to be a continuous arms race where scammers, hackers and crooks in general, will keep coming up with better ways to attack as fast as we all try to stop them harming people. Perhaps very long term, once we have truly intelligent AI, they will be able to better help protect non-technical people, but even then crooks will task other AI's to come up with better ways to steal etc.., so it won't even stop then.

Ultimately the problem isn't technology, its the Narcissistic arrogance of thieves and crooks in general, and that Narcissism in some people will never end. Therefore the only way to stop thieves etc.., is to stop Narcissists in society. That however is a very hard battle to win, because Narcissists by their very nature, have arrogant contempt for everyone but themselves. Its a battle that has continued throughout history and will likely always continue.

Jennis Kartens
profile image
Well even in the first thread on the Steam forums I found, the guy who felt for it apologized twice in the first two sentences, so obviously he should've know better and still felt for it due to carelessness.

And that is the main issue. People still treat the internet the wrong way, as something entirely different from reality, while it is a part of that reality and on the other end are people too. And not all of them with good intent, yet IRL you wouldn't trust the random stranger asking for your personal data so easily. Sure, some do as well and of course, scams existed in the analog world too, but the overall carlessness in cases like these makes it the users very own fault if they fall for it.

The problem is not "narcissitic arrogance of thieves", it is the lack of proper education and the unwillingness to question your environment in which you're giving away your personal information on a daily basis.

Scott Kevill
profile image
I'm more amazed that this file isn't tied to the machine hardware. Seriously, Valve? Doesn't that defeat the entire purpose of SteamGuard?

If this method actually works, it's essentially just a cookie getting dropped (presumably the same thing is done when they authorise you on a new web browser).

If Valve now has to warn people not to send the file to anyone, it's no better than warning them not to send the username / password to anyone.

John McMahon
profile image
I too am surprised that such a file is all you need to identify yourself without requiring additional measures (outside username and password.


none
 
Comment: