Steam Account Security
This article is only applicable to those who have PURCHASED a genuine copy of the game and activated it not their steam account. This doesNOT apply to client installations.
Most of you might have heard of a friend who got his/her steam account hacked. Some of us have experienced that ourselves. There is no Vodoo or Magic or some extremely geek stuff involved in this. This happens due to reasons already known to us and are simple.They are listed in the order of their probability to happen.
Reasons and Procedures
- Sharing your password
- Compromised accounts
We will first cover each of the reasons and then look at security measures in 2 stages
- Sharing your password
- Yes, this is something most of us have seen happen. Even if the person you shared it with is trustworthy, the way he handle the password can get you into some serious troubles.
- Phishing is scamming a user into giving away his password by himself by posing as a representative or faking a necessity.
- Key logging
- Recording key strokes. Whatever you type is recorded and sent to the hacker.
- Eavesdropping is getting spying information transmitted through your PC. By eavesdropping a UN-encrypted line which uses transmits your password.
- By gathering enough information about the user and guessing a possible password.
- Checking every possible combination of letters and numbers. Although it sounds impractical easy password can be cracked by this method.
- Compromised accounts
- If one of the other accounts using the same password as your steam account is hacked OR if your steam registered email itself is hacked.
- For Sharing Password
- Obvious isn't it. DONT DO IT. Problem solved.
- Phishing need not necessarily be as easy to detect as you think. I once came across a phishing mail this one with a from address of facebook bot saying an access from a new PC. I have alerts enabled for IP logs on FB and the message looked exactly the same. Clicking however redirects you to a scam site with a similar look to facebook.
- That was easy to detect, BUT steam's Open ID system redirects you to custom urls. So guessing a phishing attempt gets harder here. So to tacke this, whenever there is a request for log in don't login from the link provided. Go to official steam page. Login there and then click on the link provided. If its genuine, You will find yourself ALREADY LOGGED IN.
- Another thing to notice would be the SSL certificate. Most of the email providers have a SSL certificate and will give you an encrypted line identifiable by the prefix "https". Phishing sites are not eligible for SSL certificates. So, don't login unless you see that the connection is using "https" prefix.
- Another precaution would be using Sign-in Seal provided by yahoo. It gives you a personalized picture or "seal" during the login screen even in open-id login sessions. Scam sites will not be aware of this seal and can be identified easily.
- Key logging
- This requires a malicious program to be present in your PC. So use a good Anti virus(AV). BUT, AV programs use CRC checks for detecting code stings. WIth some good HEX editing OR by programming in assembly, these can become undetectable. So we will be looking at a remedy for this later on in this wiki.
- Something that is more difficult to do and hence less likely to happen. Steam and most other website use stong encrption. AES 256 bit is still unbroken and can give you more security than you need.
- Others transmit a md5 or SHA hash of the password. But there are websites which transmit it NAKED. So a solution would be to use a SEPERATE passwords for steam and the email linked to it.
- The information available about us is not necessarily under our control. So the only thing we can do is to make our password difficult to guess.
- This is esier to implement but less likely of success. So it is listed after eavesdroppping. Use a password with both capital and small letter, numbers and symbols. The longer the length and more the mixture of symbols and numbers, the better the protection.All in all a less practical approach for hacking but better to be on the safe side.
- Compromised accounts
- Use the above precautions over all your accounts and Most importantly make sure that the email account linked to steam is never compromised.
- Even after these measures some loop holes do exist like key loggers being undetectable. So we will now cover additional measures to cover those loop holes.
- WHILE WE DISCUSS REMEDIES, WE ARE CONSIDERING THAT THE HACKER NOW KNOWS BOTH YOUR STEAM PASSWORD AS WELL AS THE PASSWORD FOR THE LINKED EMAIL ACCOUNT AND WE WILL LOOK AT WAYS TO PROTECT YOUR ACCOUNT EVEN AFTER THAT.
- The solution is using multiple layers of One Time Passwords or OTP's. Similar to those used in Internet Banking. These are random codes valid for only 1 time and sent to your Mobile phone or an email.
Enable Steam Guard
- This is an OTP system at steam level.Its enabled by default and its there for a reason. Double check and triple check that its enabled. Even if the said hacker successively finds your password, he wont be able to login from a new PC unless he has access to the email account linked to the steam account as well.
- But, we have assumed that hacker knows the password to the email as well. So now what? Well, set an OTP to the email as well. More on this below. For now we know that the hacker wont have the steam access code for steam guard.
Enable OTP's on email
- I'm sure most of you are not using this feature and most of you are not even aware of it. Both yahoo mail as well as Gmail provide this feature. Its called 2 step verification.
- Each time you log in from a new PC a special code is sent as an SMS to your mobile phone number. And you wont be able to login unless you enter this code.
- So unless you parcel your phone to the hacker's address, even though he knows the password, he wont be able to login.
- Don't worry. This will NOT annoy you on each login. You can set up to "Remember the PC" so that you won't be asked for an OTP on your Home PC.
- And also don't worry. Even if you don't have access to your phone, there will be options for you to still login. Google for example gives you the option to add additional phone numbers to sed the OTP IF you don't have access to the original phone or if that phone is lost.
- In addtion to that if all those numbers are lost as well, you will have 3 Emergency passwords for such cases. You will prompted to write them down or print them. Those are 32 character length passwords with a minimum crack time of 32 years over brute force. So yes those emegency passwords are pretty safe.
- And if even that is lost, you will presented with upto 5 security questions, all need to be answered, custom written by you in cryptic language only known to you. And if thats forgotten, you can always go back home login with the home PC or somewhere else where it remembers the PC and won't ask for OTP and just reset the mobile number.
- Yahoo also provides a similar approach but adds a bad option of sending the OTP to a alternate email. I advice you to disable the "Send OTP to email" feature for obvious security reasons OR even better, send the OTP to an email but make that email a Gmail account ALSO with OTP protection just to screw with the hacker.
- And since Gmail has more option than yahoo for OTP you will have access to the Yahoo sent OTP even if you lost your phone.
- If you have linked any other email account to steam, change it to gmail or yahoo. Preferably GMAIL if not then second option is yahoo.
- If any other email provider is providing this feature, you may use that as well.
- Although, even after all of this there will always be loop holes. BUT, the hacker won't waste time trying to crack your specific account.
- Motivations for hacking are mainly "Inventory items". These include games you bought as a gift and TF2 items and Dota 2 items. In most cases if those are transferred and redeemed on another account its not reversible.
- So KEEP YOUR INVENTORY PRIVATE AT ALL TIMES. YOU DONOT WANT TO BE IN THE RADAR TO BEGIN WITH. Setting your profile to "Private" or atleast "Friends Only" will also give additional security. Because the games you own are NOT exposed and the hacker will never know if he is trying to crack a account with 100 games worth $5000 or a fake account worth nothing.
My account still got hacked
Well its unfortunate, but still, it can happen. In this cases you need to open a support ticket with steam describing the problem. The procedure will take 1-2 weeks for getting back your account. It doesn't sound that bad, BUT the issue arises in proving your ownership of the account. Steam ask for a photograph of the Game Box and CD Key with the ticket number written over it. This is fine if you bought from flipkart AND YOU STILL HAVE THE BOX WITH YOU. This is not possible in all cases OR Some of us have bought directly from steam, so there is no Box and key. In this case steam will ask for credit card info for the purchase. But some of us have not bought the game our selves. The purchase is made by a friend and sent over as a gift in steam. Now this is where it gets complicated. You don't have the box AND your purchase doesn't have credit card information.
So in such cases how to retrieve the account ?
Activate a steam key thats free. Thats how. For example I activated Dota 2 on my account via a key. I know that key and MOST IMPORTANTLY TAKE A SCREEN CAP OF THE WEBSITE GIVING YOU THAT KEY.
For example lets assume you got the key from mmobomb, after you click get key, you get a page showing the key. Take a screen cap of it. Also you will get the same key via email you provide.
Screen cap of the email will also work. Also save the email as well for additional proof. ALSO NOTE DOWN THE DATE YOU ACTIVATED IT.
When you redeem the key, you get the option of print receipt, Save that. That can also be used as proof. Basically its a human on the other side looking at these proofs and you need to convince him that the account is yours.
Yes, this process is also tested as WORKING AND STEAM ACCEPTS IT AS PROOF.
DISCLAIMER :- This article is for educational purposes only. This doesNOT guarantee that your account won't be hacked AND we will not be responsible if your account is hacked or any harm resulting from this article.