Is there any particular reason why the Steam application attempts to be so secure? It seems to force you to take more security measures (two-factor authentication, emails confirming all trades, etc.) than most banks do.

Is this due to the fact that the Steam software has some inherent security risks associated, or is it just because they want to avoid people complaining that their account was hacked?

Is there any reason that Steam attempts to be more secure than most banks?

Cronax
Jojodmo
  • I think you would have to ask Steam about that one. However I personally think it just has to do with Steam simply taking security more seriously. IMO the fact that it's not just a website and doesn't necessarily need the login process to be streamlined for efficiency purposes may help. However you should also take into account that the average Steam account has payment information tied to it. – Jonathan Gray Dec 01 '15 at 04:05
  • Remember who the responsible people are: In banks the software engineers answer to bankers and in Steam they answer to other software engineers. I would argue that software engineers are inherently more IT security conscientious than bankers. – shadow Dec 01 '15 at 08:29
  • Also, "more secure than most banks" depends a bit on where you live, whereas Steam is used worldwide. IMO some banks, especially in the US, have abysmal security practices compared to some banks in Europe, for example. – eis Dec 01 '15 at 10:14
  • I'd view this as a win for Steam, and I wonder why aren't the other authenticated services you use at the same level of stringency? – Criggie Dec 01 '15 at 11:21
  • @shadow I think your statement is generally false. In banks the software engineers that work on login/security features generally answer to regulators as far as security features go. – David says Reinstate Monica Dec 01 '15 at 14:02
  • In the US pretty sure it's banks having shoddy security. Mine only just recently allowed for passwords that were longer than 8 characters. – aslum Dec 01 '15 at 14:15
  • @DavidGrinberg That's not a whole lot better. Banking regulators often know even less about security than bankers. PCI DSS is about 10 years behind the hackers. – James_pic Dec 01 '15 at 14:48
  • Maybe you should be asking not "Why is Steam so secure", but "Why are other online services not as secure as Steam". Steam does it pretty well, and I would be happy to see e.g. Amazon take security as seriously as Steam. – JonnyWizz Dec 01 '15 at 15:40
  • @JonnyWizz I think the answer to that is that Steam's security gets pretty annoying, and those other services don't want to annoy their customers. – user253751 Dec 01 '15 at 19:29
  • @Jojodmo, **It's not just Steam.** Strong security is actually typical for games which sell in-game items that cross hundreds or even thousands of real dollars. There are some that even link your national ID to your game account so that you can physically retrieve your account when it gets hacked (e.g. MapleStory). They even sell items that lock your items (you read that right) so that your valuable items cannot be traded away while your account is under the control of a hacker. – Pacerier Dec 02 '15 at 04:35
  • @immibis What're you finding particularly annoying with it? Aside from if you're regularly playing on several different devices or don't have a reliable internet connection, nothing I've seen it do has ever felt intrusive. Since I only need to log on when buying a game or switching computers (can only be logged on in one computer at a time), I find myself having to enter a password much less frequently than I do for any of my financial accounts. – Dan Is Fiddling By Firelight Dec 02 '15 at 18:20
  • Kind of ironic, since the design of Steam itself is rather insecure - last time I checked, at least, all the main executable files were still living in a world-writable directory, including some that are loaded by the Steam service while running with local system privilege. – Harry Johnston Dec 02 '15 at 23:36
  • My Steam account is worth more than my bank account. – stuXnet Dec 03 '15 at 00:54
  • You can turn the trade emails off. Also 2-factor authentication is only a thing if you tie your phone to Steam; I for one chose not to despite their insistence. – Pharap Dec 03 '15 at 19:33
  • Also, Steam is used by the more tech inclined people, whilst banks are used by everyone from the full on security experts to ol' gran who has been largely strong armed into using Internet banking! – RemarkLima Dec 04 '15 at 12:27
  • @JonnyWizz, you must be talking about Amazon Marketplace, because Amazon Web Services is probably the most secure set of APIs I have ever had the pleasure to work with. But even then, I think you used a really poor example. Amazon seems to take security pretty seriously. – Octopus Dec 04 '15 at 20:13
  • Considering my account value, I'm extremely glad to have two factor authentication. https://steamdb.info/calculator/76561197980465455/?cc=us – Caimen Dec 04 '15 at 20:49
  • However, I am very disappointed by how Steam approaches security. Valve seems to think it's important to force strong security on its users, but often fails at doing that in a proper way. They [declined](https://steamdb.info/blog/valve-security-open-letter/#valve_response) to make a bug bounty system, and at least one [extremely serious](http://www.geek.com/games/steam-bug-let-anyone-reset-your-account-password-1629411/) bug has occurred. They are also forcing the use of complicated proprietary 2-factor auth methods instead of using similar open standards like TOTP and U2F or SMS support. – Keavon Dec 05 '15 at 03:05
  • Your question makes it sound like you think more security is bad in some way? I assume you mean from a usability point of view? I completely agree with @JonnyWizz, I would love to see some other services take security as seriously as Steam does and frankly I find the view that more security somehow could imply inherent security risks quite disconcerting. – Xaver Kapeller Dec 06 '15 at 06:09
  • Relevant: [Security and Trading](http://store.steampowered.com/news/19618/) – Bergi Dec 10 '15 at 18:06

9 Answers

Steam has about 100 million users (random link saying they had 75 million almost 2 years ago). If they spend on average $10 per year, we're talking $1,000,000,000 per year - and I'd say that's a conservative estimate (random link saying they had 1 billion in revenue back in 2010). That's the same kind of money small banks deal with.

Then there is almost certainly a large number of low tech attackers. Steam is used by a lot of kids who don't yet have a proper understanding of legality, so at least some of them will try to steal the account of that other kid that smells funny. To be clear: "some" of 100 million is "lots". These attackers often live in the same town and maybe even saw the other kid typing in the password before, which breaks some traditional safeties based on IP range and passwords. Stolen accounts create customer support costs. Widespread reports of stolen accounts create bad press, which destroys trust. For a digital market, trust is money.

Valve also works with a huge number of partners. These partners can act maliciously and try to break/abuse the billing process, which will directly hurt Steam's reputation and therefore lose Valve some serious money, unless the abuse is detected and dealt with swiftly.

EDIT:

[...] enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers [...] We see around 77,000 accounts hijacked and pillaged each month. - 9 Dec 2015 http://store.steampowered.com/news/19618/

So in addition to a large number of low tech attackers, there's a large number of high tech attackers as well.

Peter
  • Upvoted because the statistics are highly relevant here. There is a *lot* of money in Steam accounts. – Kevin Dec 01 '15 at 14:55
  • +1 for customer support costs--imagine if it costs the company $20 to $100 per stolen account (since they'd typically require multiple CS interactions, I'd imagine), the support cost difference between 1000 and 100 000 stolen accounts per year is significant: about 2 to 10 million dollars. These are wild guesses, but you get the idea. – Mathieu K. Dec 02 '15 at 03:20
  • It's worth noting that you're talking about the individual user spending $10 on Steam - that money won't 100% go to Steam, because they only take a cut for most of the things that sell. That means that in addition to them dealing with 1 billion of their own money, they might be handling 9 billion of other people's money. – Mark Dec 04 '15 at 14:58
  • @Mark That's what revenue means. All of the money goes to Steam first, thus becoming *revenue*. They then use the revenue to pay their bills, which includes the cut other publishers and developers get. Accountants would insist that taxes get involved at multiple points too, muddling the picture. I agree 1 billion is a very low revenue estimate, especially since that was 5 years of massive growth ago. – Peter Dec 04 '15 at 15:06
  • @Peter We would have to know more about how Steam's internal accounting works, but I would be surprised if it were that, and not just 33 cents off every dollar. – Mark Dec 04 '15 at 15:39
  • Other thing to add is that there are third-party means of buying games like Humble Bundle. While they may not all make Steam rich or profitable, they add to the amount of games purchased and the user experience. Not all of these purchases affect Steam directly, such as people selling off extra Steam codes (these are already purchased) or buying directly from the maker. – unsignedzero Dec 04 '15 at 17:42
  • Yeah, and when your support sucks, better make sure no one ever has to use it... – Ludwik Dec 06 '15 at 15:26

I think it's very understandable, especially why they feel the need to force security measures on users:

  • A Steam account can be a very valuable asset, many Steam libraries would easily cost hundreds, if not thousands to replace
  • People often don't treat their steam account as carefully as other accounts, eg email or a bank account
  • Once stolen it's very difficult to determine the legitimate owner. Unlike a financial institution they can't ask a user to take ID to a branch.
  • Many children use Steam. Information belonging to children deserves a higher level of protection
  • Children using Steam can't necessarily be trusted to be security conscious. They may share their passwords, etc.
  • Having your account stolen would create a very negative impression of the Steam distribution model. Many people would blame Steam and the distribution model they're trying to champion, even if the user was entirely to blame.
  • There is a huge market for stolen steam accounts, and it's fairly easy to steal one using unsophisticated methods such as phishing
thexacre
  • Ever seen a CS:GO Skin? Knives are $300 and some skins $1,000+. Add on COD and other Skyrim downloadable content and you've probably got more in your Steam account than your bank account. – Ross Dec 01 '15 at 05:19
  • You kinda say it in your answer but perhaps it would be valuable to emphasise that accounts getting stolen has been a real problem for them in the past so they're under pressure to *do something* – Cronax Dec 01 '15 at 08:38
  • I think you should also possibly mention anti-cheating as well – Burgi Dec 01 '15 at 09:05
  • I am considering summing up how much I paid for my Steam game library, but to be honest I am afraid of the answer. – Philipp Dec 01 '15 at 11:36
  • @Philipp https://steamdb.info/calculator/ Use at your own risk. Not sure if it can get the price you paid though versus the current (maybe sales price) on Steam. – TMH Dec 01 '15 at 11:42
  • Your second point here is quite important: people will naturally treat their bank account more carefully than their Steam account. Also, bank accounts are almost entirely held by adults (particularly ones with enough money in to be worth stealing), bank accounts are well audited, and breaches taken very seriously by the police. Steam accounts are often held by teenagers who are likely to be more lax with security (tell their friends their password etc). – Jon Story Dec 01 '15 at 11:51
  • @JonStory Your trust in how adults treat their bank accounts scares me. – Peter Dec 01 '15 at 12:04
  • Well that does depend on the adult, but at least they're adults and if they choose to be an idiot, can be more easily blamed since they should know better – Jon Story Dec 01 '15 at 13:57
  • @Peter Still, *the bank* takes bank accounts seriously, and if your bank account is broken into (figuratively speaking) they will investigate it, while Steam has no such insurance. – user253751 Dec 01 '15 at 19:33
  • It's not necessarily as understandable when you understand how they implement things. Log into website. Okay. Purchase game, using stored info on website. Okay. Try to install game, which uses Steam's bandwidth: Oh, now we need to go through additional security measures. Somehow, the requirement for additional security hoops doesn't sound much like a primary focus on consumer protection. – TOOGAM Dec 01 '15 at 20:45
  • "Information belonging to children deserves a higher level of protection" Why does my information deserve less protection than a child's? What did I do wrong to deserve that? – David Richerby Dec 02 '15 at 00:28
  • @DavidRicherby : Nicely said. The answer to your last question is that you got smart. I think that the logic is that a child's information should be protected against the owner/user doing childish things, due to the high likelihood of that happening. Hopefully you know better than to type your credit card number and SSN into this comment box. For adults, we are expected to need less protection because most of us can avoid some silly mistakes that children may be more prone to do, so we (or, hopefully most of us) need less protective restrictions. – TOOGAM Dec 02 '15 at 07:10
  • @DavidRicherby also in the US, at least, children have almost no legal authority on their own - they're pretty dependent on their "parent/guardian". As a legal adult there are a ton of things that I can do on my own that would be extremely difficult for a child. – Wayne Werner Dec 02 '15 at 13:43
  • @TOOGAM Thinking through the people I know who would be stupid enough to do something like type sensitive info into these comment boxes, there are a few small children there, but adults are rather disproportionately highly represented on that list. – Matthew Najmon Dec 03 '15 at 21:06
  • @Philipp https://steamdb.info/calculator ;) – spex Dec 06 '15 at 16:17

The real reason is fraud. A typical scam looks like this:

  1. The scammer buys a game off the Steam store, or an item off the Steam Market using a stolen credit card or stolen account. Many CS:GO, TF2, and Dota 2 items are worth $100's or even $1000's of dollars, so these aren't penny scams we're talking about.
  2. The scammer then sells the item to an unsuspecting user for slightly below market value using a site like tf2outpost.com or steamtrades.com. If the stolen account has a high reputation on that site, it will be easy to convince the unsuspecting user to pay with Paypal.
  3. Several days or weeks later, the real owner of the credit card/account realizes their credentials have been stolen and issues a chargeback.

Now money that would have otherwise gone to Valve goes to the scammer's pocket instead. This is also the reason items that are purchased on the Steam Market are now untradable for 7 days (30 days for games).

Valve is privately owned and does not publicly publish their financial statements, but similarly large companies like Sony and Microsoft lose millions a year to this sort of credit-card fraud.

  • While this is most definitely fraud, I fail to see how *account level* security makes any difference to this. – Bobson Dec 01 '15 at 16:47
  • @Bobson: Because many accounts have credit-card and Paypal info saved. Also they can have Steam-wallet funds. – BlueRaja - Danny Pflughoeft Dec 01 '15 at 16:57
  • I think he's implying that the original account was stolen and that it's difficult for Steam to clean up the mess once the account is stolen, so the only economical solution for Steam is to prevent it getting stolen in the first place. – thexacre Dec 01 '15 at 17:01
  • Making it harder for people to use Steam for money laundering is always a good thing... unless you're the people trying to use Steam for money laundering -_- – Wayne Werner Dec 02 '15 at 13:45
  • @WayneWerner Not just bad for the launderers. Making something more difficult for one subset of the population to access will always add at least a little bit to the general difficulty of access, which blows back on every other subset, including the authorized user(s). Security is always a balancing act between maximizing the increase in difficulty to the unauthorized and minimizing the increase to the authorized (this is why we use keys on our doors, when welding them shut would be much more secure). Implicit in the OP is a complaint that Steam has made Steam harder to use for players, too. – Matthew Najmon Dec 03 '15 at 21:13
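
The trade hold mentioned in the answer above (items untradable for 7 days after a Market purchase, 30 days for games) is the control that breaks the three-step scam: the chargeback has to arrive while the item is still sitting in the fraudulent buyer's inventory. The Python model below is an added example written for this page; it is not Valve's code and nothing here describes how Steam actually implements holds. It assumes a simplified inventory (`Inventory`, `Purchase`, and the constructed timestamps are all hypothetical) in which a trade is refused until the hold expires and a chargeback can only reclaim an item that has not yet moved on. The simulation runs the scam timeline against different hold lengths and chargeback latencies, which makes the sizing argument visible: the hold only protects the platform when it is longer than the time the cardholder takes to notice and dispute the charge.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Hold lengths quoted in the answer: Market items 7 days, games 30 days.
DEFAULT_HOLD_DAYS = {"item": 7, "game": 30}


@dataclass
class Purchase:
    purchase_id: str
    kind: str                 # "item" or "game"
    buyer: str                # account that paid (with the stolen card, in the scam)
    bought_at: datetime
    owner: Optional[str]      # current holder; None once reclaimed by a chargeback
    reversed: bool = False    # True after the payment has been charged back


class Inventory:
    """Hypothetical inventory: records purchases, enforces the hold, handles chargebacks."""

    def __init__(self, hold_days: Optional[Dict[str, int]] = None):
        self.hold_days = dict(DEFAULT_HOLD_DAYS if hold_days is None else hold_days)
        self.purchases: Dict[str, Purchase] = {}

    def buy(self, purchase_id: str, kind: str, buyer: str, when: datetime) -> Purchase:
        p = Purchase(purchase_id, kind, buyer, when, owner=buyer)
        self.purchases[purchase_id] = p
        return p

    def tradable_from(self, p: Purchase) -> datetime:
        """First instant at which the purchase may leave the buyer's inventory."""
        return p.bought_at + timedelta(days=self.hold_days[p.kind])

    def trade(self, purchase_id: str, new_owner: str, when: datetime) -> bool:
        """Move the item to new_owner; refused during the hold or after a reversal."""
        p = self.purchases[purchase_id]
        if p.reversed or p.owner is None or when < self.tradable_from(p):
            return False
        p.owner = new_owner
        return True

    def chargeback(self, purchase_id: str, when: datetime) -> str:
        """The card issuer reverses the payment at time `when`; returns who bears the loss."""
        p = self.purchases[purchase_id]
        p.reversed = True
        if p.owner == p.buyer:
            p.owner = None        # still with the fraudulent buyer: take the item back
            return "reclaimed"
        return "lost"             # already sold on to a third party: the platform eats the loss


def simulate_scam(hold_days: int, trade_after_days: int, chargeback_after_days: int) -> Tuple[bool, str]:
    """Run the scam from the answer (buy with stolen card, resell, chargeback) against a hold length.

    Returns (trade_succeeded, chargeback_outcome). Events are applied in time order, so a
    chargeback that lands before the attempted resale reclaims the item first.
    """
    t0 = datetime(2015, 12, 1)   # constructed purchase timestamp
    inv = Inventory({"item": hold_days, "game": hold_days})
    inv.buy("p1", "item", "scammer", t0)

    events = sorted([
        (t0 + timedelta(days=trade_after_days), "trade"),
        (t0 + timedelta(days=chargeback_after_days), "chargeback"),
    ], key=lambda e: e[0])

    traded, outcome = False, ""
    for when, what in events:
        if what == "trade":
            traded = inv.trade("p1", "victim", when)
        else:
            outcome = inv.chargeback("p1", when)
    return traded, outcome


if __name__ == "__main__":
    # (hold, resale day, chargeback day): no hold, hold covering the chargeback,
    # chargeback before the resale attempt, and a chargeback that outlasts the hold.
    for hold, trade_day, cb_day in [(0, 1, 5), (7, 1, 5), (7, 10, 5), (7, 10, 45)]:
        print(f"hold={hold:2d}d resale=day{trade_day:<2d} chargeback=day{cb_day:<2d} ->",
              simulate_scam(hold, trade_day, cb_day))
```

The last scenario is the caveat a defender should keep in mind: a 7-day hold does nothing for a dispute raised six weeks after the purchase, so the hold length has to be chosen against observed chargeback latency, and it complements rather than replaces card verification and account-takeover controls.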

Another thing that is not mentioned in the other answers is the impact of Valve's structure as a company and their philosophies for scalable solutions.

Most Valve employees (if not all) are hired into Valve's culture where each person works on the project of their choice, especially if they feel it is the most valuable contribution they can make to the company. For understandable reasons given this culture, few employees at Valve take interest in customer service/complaint handling.

In addition, Valve views community-driven/game-ified solutions as a principal way of making features scalable. See also: Steam tags, reviews, etc.

For these reasons and because Steam had suffered a rash of account thefts due to the large real-world value of TF2 and CS:GO items, Valve naturally alighted on two-factor authentication as a user-driven way of cutting down on the number of mind-numbing account theft cases they had to handle. They further game-ified adoption of two-factor authentication by making a new level of the community badge and adding two-factor authentication as one of the activities, giving a limited time discount on Steam marketplace for two-factor authentication users, etc.

To sum up, another reason Steam is insistent on security is to free software engineers up to do more engaging work.


Update 12/10/15: As Valve has just explained:

Account theft has been around since Steam began, but with the introduction of Steam Trading, the problem has increased twenty-fold as the number one complaint from our users...

We see around 77,000 accounts hijacked and pillaged each month. These are not new or naïve users; these are professional CS:GO players, reddit contributors, item traders, etc.

Restoring 77,000 accounts per month adds up to a ton of time that engineers could be spending on other things.

puzzlepiece87

At this point, some people have thousands of dollars' worth of games in their account. To be sure, Steam accounts are not exactly liquid, and you can't easily convert them to cash (though I guess you could ransom them), but the potential loss is still there.

On top of this, many people have game accounts linked to their Steam account, such that if you control an account you can control their in-game account as well. From here you can siphon away many in-game items, such as TF2 weapons and hats, which can then be sold on a market for either real cash, or in-game money which can in turn be converted to real money through some grey market.

Of course, some people also have actual money available to their account, with features like Steam Wallet. That's not to mention any Credit Card information that can be gleaned.

Adding to the issue is the fact that people love to complain that their account was hacked, especially if they got banned for cheating ("a hacker/my brother/the dog did it!"). There are of course many hackers actively trying to take over Steam accounts as well. I think this is the real reason for the strict security, since, say, an Amazon account is likewise "dangerous" but doesn't have nearly as much security protecting it.

Also, when contrasting (as you did) with banks, keep in mind two important points:

  • Steam does not care nearly as much about dealing with customer problems - they won't even offer a return policy unless forced to by law. Banks tend to have much more helpful customer service policies.
  • Banks are protected by many well established laws and regulations. Your bank account is insured by the government. There is a lot of information, such as SSN, address, and employer that is required by a bank, so it is much easier for them to verify your identity, and resolve disputes (crimes and fraud attempts). Meanwhile, Steam neither enjoys this sort of protection from the government, nor has as many resources available for investigating crimes. If your bank account was stolen, the FBI would easily be all over it, the criminal would be caught, and get many decades in prison. If your Steam account was stolen, would the police even produce a suspect you can take to court?
Superbest

As other answers mentioned, many reasons for Valve's security measures are fraud, your account could have hundreds or thousands of dollars worth of games and tradable items, payment information is linked to the account, and you can essentially use that account to buy anyone else games and tradable items.

But another reason everyone overlooked is your Steam account gets you logged into more games than just Steam. Game developers can use Steam's account APIs to use them as their authorization system. Kind of like how you open CS:GO and you are already logged in as long as Steam is logged in. If you have a key that opens many locks, you should be sure that key is hard to obtain and use by anyone unauthorized to use it.

And as an 11-year Steam user, I remember the early days where securing your account was a nightmare. Before the extra protections, I had to recover my account almost once a year. Some friends about monthly. Steam accounts are a high traffic target. In the end, this doesn't just affect Steam users, but Valve as well. I would imagine they have lost a lot of money just correcting and incurring the costs due to these issues.

So, overall, I don't think their security practices are the result of a single reason.

schroeder
Bacon Brad

You have a different definition of security than me.

Steam isn't even remotely secure. Every app installed gets full access to your entire system. You have no idea whether any game is installing a rootkit or a keylogger. You have no idea what data they are reading out of your system and uploading to their servers. As far as you know, when you installed game ABC it uploaded the entire contents of your user folder and your download folder, stole your Steam password, then logged in and sold your credit card info.

If Steam was truly serious about security they'd implement a sandbox similar to Chrome or the Windows App Store or the Mac App Store or Android or iOS, such that the games they distribute cannot access your system.

The security you mention only has to do with the login for Steam itself from people not on your system. While all their measures seem to make things more secure, the fact that any Steam-installed game could steal that info makes it actually fairly insecure, especially now that they ship so many games. Apple (iOS or Mac App Store) and Microsoft (Windows App Store) only allow apps that live in their sandboxes to prevent this kind of stuff. Android and iOS force all apps to live in sandboxes. Steam has no sandbox.

gman
  • I mostly agree with you, however it's more a question of security *purpose* than security *definition*. The goal here is to ensure Steam's *own* security (prevent any fraud, prevent service disruptions or any other inconvenience which could refrain people from spending money, etc.) and not Steam end users' security... – WhiteWinterWolf Dec 03 '15 at 10:04
  • I get the distinction you're making but if your Steam password gets stolen or your machine gets owned through a Steam game both of those are "end user security". Having someone log in as you isn't going to cause service disruptions for Steam itself nor prevent anyone except the user in question from spending money. Having their machine owned will also likely prevent them from spending money while they're off using time fixing their machine and cleaning up accounts instead of spending money on Steam. – gman Dec 21 '15 at 18:33

One thing that the other answers don't mention is how fraud affects the banks versus Steam. If a bank account gets frauded they return the money and that's about that. They might lose customers, maybe.

On the other hand, if a vendor (Steam in this case) gets frauded too often, or has too many chargebacks against them, credit card companies will blacklist them. If Steam can't accept any credit cards anymore, they are done as a company.

Shane
  • This is true, but I think you should add why this is more of a problem for Steam than any other merchant. Many online merchants who have more revenue than Steam don't impose the same security measures. – thexacre Dec 01 '15 at 17:41
  • @thexacre good point. I'm not really sure of the answer to that though. I imagine it is because they sell only digital goods? If you are running this scam on Amazon, you need to physically pick up a package somewhere, but with Steam there isn't a way to track you IRL? – Shane Dec 01 '15 at 17:51
  • Steam usually requires entry of the card security code on purchase, unlike most other vendors. This alone makes this less of a problem for them than for many others. – Peter Dec 01 '15 at 18:34

I am not saying this is 100% why, but it should be a good indicator of how important their security really is. I had my primary email account leaked in that mass Gmail hack a few years ago. The first things the "hackers" attempted to go after were my Steam and Netflix accounts. I also got failed login attempts for just about every other gaming network I had ever signed up for. If they did not have such good security someone could have easily gotten into my account and gifted themselves thousands of dollars in games. My bank would not have warned me because I am a game collector, so it would more than likely have been detected as usual spending. I am glad they keep that puppy on lock down; having been the victim of identity theft in multiple forms, I now only feel comfortable with sites that require second-factor authentication.

PS. To this day you can still find my Gmail credentials on the internet. They have been passed out everywhere. It was a wake up call; I had to change my password for so many sites it was sickening, but I am a lot more careful now and use unique passwords on just about every site.

Tony