
Further Securing Your Steam Account Using Gmail

Discussion in 'SteamRep Guides' started by XE_ManUp, Nov 22, 2012.

  1. XE_ManUp

    XE_ManUp Retired Staff

    Messages:
    289
    Steam:
    STEAM_0:1:5021657
    (TLDR version located at bottom of post)

    In Simple Terms:
    So what does this mean? I will leave out the luscious conspiracy theories and stick to the facts. It means that Steam is going to require ANYONE that trades to have their Steam Account protected by Steam Guard for a minimum of 15 days before they are able to trade. All I have to say is: "IT'S ABOUT TIME!"

    Why?
    Conspiracy aside, here's what Valve says:
    TLDR: It is a preventative measure to keep your account from being hijacked or phished.

    How does Steam Guard work?
    Once you have verified your email address with Steam, when you log in from any computer or device that is not trusted/recognized, a short code will be sent to your email address. Therefore, unless your email address is also compromised by the same person, it is unlikely that they will be able to take control of your Steam account. In fact, Steam Guard will let you know if someone has your password. Since you only receive the email with the short code when someone has successfully entered your Steam username and password on another computer, you will know that you have been compromised since you obviously aren't logging in elsewhere.

    The Issue:
    Hasn't Steam Guard been around a while? Yes. Don't people still get hijacked with Steam Guard enabled? Yes. How? A Steam Account's username and password are compromised as well as their email address and password (usually through phishing, or viruses/trojans/keyloggers). The standard explanation for this is that the attacker uses the same password for the email as is used on the Steam account. Here's a good rule of thumb: DO NOT use the same password for Steam and your email account. Typically, phishing websites will ask the user to enter their Steam username, password, and email address (and sometimes the email password as well). They try to claim they need the email address to notify you of winning a "prize."


    More Security, Anyone?
    Let's add an additional layer of security on top of the additional layer of security! What if I told you that I would almost feel comfortable giving you not only my Steam username and password, but my email address and password, and feel fairly confident that you would not be able to access either? I use this situation "loosely" because I never say never.

    No, I am not insane. I have a Gmail account. Gmail, like Steam, has a 2-factor authentication method. Google has branded this "2-Step Verification." If you don't have a Gmail account, you should get one simply for Steam. Below you will find information on the benefits of Google's 2-Step Verification.



    If you take away nothing from the above video, here is the MOST IMPORTANT SECTION:

    Here's a little more information on Google 2-Step Verification:
    So, now you can have Google send you a text or call you when someone tries accessing your email from an untrusted computer, just like Steam! I strongly recommend this setup to anyone who is wanting protection for their Steam account.


    TLDR Version:
    • Starting December 12, 2012, Steam Guard has to be enabled for 15 days minimum on your Steam account to be able to trade.
      • Why? Prevents as many successful hijacking/phishings/keyloggers.
    • To enable Steam Guard, verify your email address with Steam.
      • Steam Guard will send an email to your verified email address with a short authentication token when you log in from a new computer.
    • Get a Gmail account. It offers 2-Factor authentication.
      • Sends you a text message or calls you when someone logs in from a different computer.
  2. Thomas Matthias

    Thomas Matthias Retired Staff

    Messages:
    4,642
    Steam:
    STEAM_0:0:36213483
    I really like it! What is more, GOOGLE did a great job because many companies do not plan what we have to do if we lose our mobile phone; they do. There are some ways to add a spare phone number or print spare codes. I think other e-mail providers should follow Google.

    Google +rep! :D
  3. DataStorm

    DataStorm Retired Staff

    Messages:
    3,373
    I did notice one that used G's 2-step, but they got in via POP/IMAP etc.

    Gmail has a LOT of ways to open one's mail on them. To successfully lock them all off is a different story imo.
  4. XE_ManUp

    XE_ManUp Retired Staff

    Messages:
    289
    Steam:
    STEAM_0:1:5021657
    Yes, they include backup phone numbers that they will call, as well as printable codes that you can carry in your wallet or purse in the event that you are not near the phone that you set up.
  5. Panda's FTW

    Panda's FTW New User

    Messages:
    8
    Steam:
    STEAM_0:1:52551665
    I'm happy they finally have this. It's making Steam more safe and protected from hackers, etc. I was wondering what this was. Thanks for the information.
  6. TheBloodMaster™

    TheBloodMaster™ Caution on SteamRep

    Messages:
    20
    Steam:
    STEAM_0:1:15155616
    I've been on steam for years, and never been hacked, if you truly are good enough, you can avoid hackers easily without all this crap.
  7. XE_ManUp

    XE_ManUp Retired Staff

    Messages:
    289
    Steam:
    STEAM_0:1:5021657
    That's not the point. It doesn't matter how "good" you are. Your account can still be compromised. It doesn't matter how good of a trader you are, you can still make mistakes if you don't pay attention when someone renames a standard item and end up losing a high value item due to it. The same principle applies that it doesn't matter how good of a swimmer you are if a tsunami hits the shore and you are standing on it. It is about prevention, and that is PART of being good.
    Dronefly likes this.
  8. DJ_Machine

    DJ_Machine New User

    Messages:
    19
    Steam:
    STEAM_0:0:40896779
    99% of people with this attitude are easy to exploit.
    homoglyph / tabnabbing / clickjacking all attack vectors not currently in use by attackers that would have a devastating not to mention the current idle / trade servers that install malware on join / Java drive-bys / long time social engineers
    that are currently responsible for 99% of large money target attacks
    and the trust con/ scam / fake logins
    that are currently responsible for the 99% of low money target attacks

    I fail to get why such a crass attitude @ security = safe?
    enlighten me how you would stop a 0day attack on your system from an attacker who only needs your ip address?
    I mean how hard is that to get.
    Host Name:
    IP Address:
    Country: United States
    Country code: US (USA)
    Region: Pennsylvania
    City: Broomall
    Postal code: 19008

    /Admin edit: While all nice and dandy, we're not posting IP info of ppl here on the forum.
  9. DataStorm

    DataStorm Retired Staff

    Messages:
    3,373
    As I stated in the edit, I won't have it on our forum that you post IP info.
    I can state that you were correct, and I know of several methods to get such.

    As on 0days, you see that a bit too easy. Almost all 0days are browser vuln's, not Firewall/protocol (SMB, NFS etc) exploits. Securing a system's remote access does warrant some measures, but those aren't much of interest with most default installations of OS's of the latter years.
    DJ_Machine likes this.
  10. Xenophobia

    Xenophobia Retired Staff

    Messages:
    4,323
    Steam:
    STEAM_0:1:20973413
    2-step verification with Gmail is so secure, I can hardly get into my own account :v
  11. DJ_Machine

    DJ_Machine New User

    Messages:
    19
    Steam:
    STEAM_0:0:40896779
    that feeling when you can't find your phone.
  12. Dronefly

    Dronefly Caution on SteamRep

    Messages:
    353
    Steam:
    STEAM_0:0:41413966
    i actually printed up the backup codes and have them in my pocket. also set up a dummy phone number as primary and a dummy secondary and only the third backup phone is my real phone so every time i need the code i click the "send code to secondary phone" and select the one that is my cell. this way its a third step security (although slightly mediocre).
  13. DataStorm

    DataStorm Retired Staff

    Messages:
    3,373
    Why the dummy numbers then? I don't think that adds anything.
  14. Dronefly

    Dronefly Caution on SteamRep

    Messages:
    353
    Steam:
    STEAM_0:0:41413966
    if someone has my phone and they see dummy numbers all with the same last 2 digits they won't know where to send the code. if they wait for a msg to show up it never will to the number that is default hence if they have my phone they cannot really get it unless they know where you send the code to. this is mostly from my brother or anyone close to me getting access to my gmail.
  15. DataStorm

    DataStorm Retired Staff

    Messages:
    3,373
    and your brother has not your phone number? lol
    and even if not, if he just calls his own mobile with yours, he can see the number (unless you have that private, but then they can disable that).

    Better just secure the phone with a pin or "swipe" code.
  16. Dronefly

    Dronefly Caution on SteamRep

    Messages:
    353
    Steam:
    STEAM_0:0:41413966
    well when it says send a code it only shows the last 2 numbers. rest are hidden so then you don't know which one of them is the correct one since i made all the dummies with the last 2 digits the same. you need to know which of the dummies is the right one. The phone IS secured but even secured a bubble pops up and you see the code. you don't need to unlock the phone to see the bubble. it pops up on the lock screen.
  17. DataStorm

    DataStorm Retired Staff

    Messages:
    3,373
    ah, yeah.
    Well, I'm glad I don't have that problem with distrusting family.
  18. Dronefly

    Dronefly Caution on SteamRep

    Messages:
    353
    Steam:
    STEAM_0:0:41413966
    he's too lazy to trade and just wants my stuff cuz i always have a nice pack due to my trading. Oh well. Not like i can report him to authorities for hijacking my account if he ever does :p