Convince Valve to add verification when registering a Steam Web API Key to stop scams!

0 have signed. Let’s get to 200!


With it’s immense market for virtual items which have real cash value, the Steam platform has unfortunately attracted numerous amounts of scammers. Most scams are pretty easy to foresee, however, appearances are deceptive. 

Previous scams were all focused on user ignorance; people logging onto ‘gambling sites’, ‘legit trading sites’ and ‘free skin’ websites. Without hesitation, most users would just login with their Steam credentials, exposing themselves to massive security threats. Once account credentials were entered and recorded by the fraudulent websites, bots would login to ‘legitimate’ gambling sites & virtual marketplaces and send all balances & on-site items to their own accounts. To counter scammers, fraudulent sites, and to shut down the CS:GO gambling community, Valve introduced a 7 day trade hold on all CS:GO items on March 29th 2018.

With the Valve 7 day trade ban on CS:GO items in place, and with old scamming methods brushed aside, scammers had to come up with new ways to illegitimately rob people of their items. And they did.

 

A new scam is arising, a very complex and elaborate one, to be precise. A huge network of, mostly Russian, scammers, has completely taken over the virtual item trading scene. The ‘service’ these Russian scammers offer to the public, are paid. Completely coded and including a fake domain to impersonate legitimate businesses, these platforms for scammers allow their clients access to a well setup frauding system.

With the platform, in combination with a phishing website, scammers collect session logins of Steam users to request and access their Steam Web API key. Once you login and enter your Steam Guard authentication code, the website will log onto your Steam account and request a Steam Web API key on your behalf. The platform will save this Steam Web API key, including your Steam trade URL, and ping your Steam account every couple seconds to check for new incoming- and outgoing tradeoffers.

With this Steam Web API key, the scammer has free reign managing (viewing and cancelling) incoming, outgoing- and live trades. Whenever you’re trying to trade, the scammer will automatically decline it and send you a duplicate offer. The only difference between the tradeoffer you sent and the one the scammer sends, is that the items you’d normally receive, will be left out. Once you unknowingly accept the trade, your items will be sent to a complete stranger, leaving you scammed.

 

This scam could easily be resolved by adding a simple verification method when registering a Steam Web API key:

  • Add a captcha when registering a Steam Web API key.
  • When a Steam Web API key is requested, require a user to verify his request by clicking on a link in their mailbox (e-mail linked to the user’s Steam account).

Both solutions stated above would be easy to implement and would completely shut down this scam since a program isn’t able to successfully complete captcha’s and verify requests by e-mail.

I’ve tried contacting Valve multiple times to get them to put a simple verification method on requesting Steam Web API keys, without any success unfortunately. With thousands of dollars worth of virtual items being scammed away from their users, it’s time for Valve to finally step in and put a halt to this scam. Sign this petition and show you care about the virtual item trading community!

Your help is much appreciated, and for now, trade safe!