Account Stolen, Steam Support Nightmare

[Satoru]

Quote:

Originally Posted by jimrad1

The only thing Ive learned is Steam Guard is ineffective if someone can make changes like that and assume a person account. Steam needs a better system. There has to be a way to recover an account thats a bit more sure fire. I would think since the original account has a persons real name and contact, that simply scanning and ID card would do the trick. Gives me no confidence in Steam Guard actually. No matter how strong my password on email or Steam is, if the new person can just come along and change it and reroute a persons ticket to a new email address.

SteamGuard is as effective as the security on your computer and your email. It's not designed as some kind of ultimate security for your account. It's another wall for a hacker to climb. Again you can also hack the RSA tokens by hijacking the computer and intercepting the key codes. It's complicated but it's possible.

No system is perfect but SteamGuard is every effective at stopping most phishing attempts and passwords being stolen from other websites. To say that it's worthless is simply ludicrous.

[BLITZDace]

Concur with Satoru - format the PC (you said you would, but I thought I'd re-iterate) because nothing compromises a PC like old(er) people do. Parents were on it for (holy sweet mother of messiahs) a whole week? then take the format gun to the PC's head and pull the trigger.

[zonkz]

These "older people" explained the world to you, while you knew nothing.... And you are still alive

Now its your turn....

[Rifle Elite]

The forums are not where you post this, contact and wait for Steam Support to help you.

I swear, you people never learn that the Forum mods don't have any of your Account information stored in some notepad document on their computers...Only Steam Support can assist you...

[Jim E. Russel]

In case it hasnt been said yet, your computer was most likely infected with a RAT.
A RAT is a Remote Administration Tool. It's purpose was most likely so companies and parents can see what their workers/children are doing on their computer. Obviously it can be abused because once installed it can see what you type (keylogger), look in your files, as well as edit delete and transfer them, can even look at your webcam if you have one installed, and see EVERYTHING YOU DO. Today most RATs come with desktop cameras that can watch your screen 24/7
The first thing you should do is to install keyscrambler (it replaces your keystrokes with garbled letters) and to remove/cover any webcams you have. afterwards you can follow a guide on how to further get rid of it.

[MystMan]

Quote:

Originally Posted by jimrad1

The only thing Ive learned is Steam Guard is ineffective if someone can make changes like that and assume a person account. Steam needs a better system. There has to be a way to recover an account thats a bit more sure fire. I would think since the original account has a persons real name and contact, that simply scanning and ID card would do the trick. Gives me no confidence in Steam Guard actually. No matter how strong my password on email or Steam is, if the new person can just come along and change it and reroute a persons ticket to a new email address.

Quote:

I agree with Satoru. You can not rely on any type of system to do 100% of the work to protect you. That is very unrealistic. A security system is only as good as its human user allows it to be. From a bank vault to your house keys, any of these things can be stolen/cracked as soon as a human error is involved. This is a life lesson everybody should learn ASAP.

In OP's case, letting his parents use his PC on his same main Windows account was the human error. When other people use your PC, make a separate guest account, preferably with many restrictions. Steam is something I invest a lot of money in, I wouldn't let somebody mess around in that same windows account where it resides. That's like letting my wallet on a table and assume nobody will look in it or even take it.


It's quite common for older people to click on every "yes" they see on popups. They didn't grow up with computers and internet like we did. They're not aware of the risks of the internet.
It's common for me to (as usual) having to fix my mom's laptop when she complains it's too slow. Her browser is always packed with 5-7 toolbars and a truckload of tracking cookies, trojans, and lots of other junk.

[Tito Shivan]

Quote:

Originally Posted by MystMan

I agree with Satoru. You can not rely on any type of system to do 100% of the work to protect you. That is very unrealistic. A security system is only as good as its human user allows it to be. From a bank vault to your house keys, any of these things can be stolen/cracked as soon as a human error is involved. This is a life lesson everybody should learn ASAP.

Agree with Satoru too. Steam actually provides enough layers of security as to keep your account secure. Bypassing a two factor authentication (steam login+email code) is really hard to overcome without having a great ammount of data from the user.

Of course, as one of the general computer security rule states, If someone has access to your computer, you are pretty much ♥♥♥♥ed. Once someone gets inside your computer, any security measures become almost moot.

[suntox]

Quote:

Originally Posted by chenna22

No, different passwords.

So I have to wait another three days before I even get a response? Great.

It sounds as if either you got a trojan, or someone with access to your computer installed a logger.

I would suggest installing a good AV like Eset Nod32 (free version), and a firewall like comodo. The firewall is free and comes with Defense+, which when you set it to paranoid will ask you for permission for every little thing programs do on your comp. Plus the firewall shows all active connections and the related progs with 1 click.

If you got another comp or smartphone, handle the support ticket from there and change the password using that device.

[Satoru]

@jimrad1 if you don't trust SteamGuard simply remove it if you wish. But you'll soon wish you had not!

What you need to understand is that SteamGuard moves the chain of trust up one link to your email address. That a hacker now needs two things, your Steam username/password as well as your email username/password. As in the OP case, if the hijacker has access to their computer already and has keylogged the passwords for both the steam and email accounts, then there's pretty much nothing you can do at that point anyway. If hackers get free reign access to your computer, then the game is already done.

If you want to talk about ways in which SteamGuard is vulnerable then there are a few:

1) Passcodes are not single use
2) Passcodes are sent via email which is insecure

Thus a theoretical vector is to trigger the SteamGuard email, and sniff traffic across some node where the email is being sent, and reuse the code. But this is pretty hard to do, since you need to have access to a node where you can sniff the traffic,which is between Steam's SMTP server and the target mail server. Not 'impossible' but fairly non-trivial. When it's a ton easier just to ask people to give you their passwords because I have FREE GAMEZ!! Or FREE CS:GO and DOTA2 keyz!!

To put THAT much effort into something the account needs to have something valuable in it. Steam accounts just aren't that valuable in reality. The hackers that were intercepting the RSA codes from the hard tokens and using that to hijack accounts were targetting specific people in WoW. That's because those accounts have an actual money value associated with them, especially the items and the clan inventory access. They swooped in grabbed the loot and then tranferred everything to their gold farming website to sell. Not saying TF2 items aren't valuable, it's just a lot harder to launder the money out unlike in WoW.

[ChrisW]

I'm afraid the only thing Valve can do to protect Steam accounts is to force people to pass an IQ test before getting an account. The first thing it says in the chat window is to never tell your password to anyone, yet they still give it to random strangers. When you click on a link, it tells you you are being redirected away from Steam, yet they still try to log into fake Steam websites. They continue to think people are really giving away free games and keep downloading cheats that contain keyloggers, as if you can trust the integrity of someone that is breaking lots of laws to hack software.

[zonkz]

The best way to explain and to avoid things that could happen in the internet, even without naming them:

Imagine, "this" would happen on a street in a town. Would you trust?
If the answer is "No", you are about to avoid at least 85-97% of all dangers in the internet.

[Satoru]

Quote:

Originally Posted by ChrisW

I'm afraid the only thing Valve can do to protect Steam accounts is to force people to pass an IQ test before getting an account. The first thing it says in the chat window is to never tell your password to anyone, yet they still give it to random strangers. When you click on a link, it tells you you are being redirected away from Steam, yet they still try to log into fake Steam websites. They continue to think people are really giving away free games and keep downloading cheats that contain keyloggers, as if you can trust the integrity of someone that is breaking lots of laws to hack software.

Smart people still do stupid things.

My friend who's pretty damn smart got his Diablo3 account hijacked? Why? Because he hasn't changed his password on there for years. He's pass any test you coudl throw at him with flying colors.

The reality is users, even smart ones, get lazy. I'm pretty good with my account and computer security. But do I get lazy sometimes? Are some of my account passwords 'sub optimal' yeah... I'm guilty of that too. Everyone is from time to time.

[ChrisW]

Quote:

Originally Posted by Satoru

Smart people still do stupid things.

Yes, they do, then they admit they did something stupid. They don't blame Valve or Steam and say they should have done more to prevent it (do all the thinking for them).