by mxscho 1986 days ago
Steam, and especially CS:GO, has a problem with phishing sites (with fake Steam OpenID pages) where attackers (after getting access to the Steam accounts) can automatically create permanent access to those accounts by generating API keys to control the phished accounts.

This is used e.g. to swap trade offers in real time, i.e., a trade offer with the actual account is replaced by a trade offer with a bot with a similar-looking profile (all set up automatically). All of this is done in the time frame between the user setting up the trade offer and the actual 2FA mobile confirmation of this trade.

People have been phished like this for years and Valve fails to take the responsibility to implement a simple anti-automation measure at the API key generation step (e.g. email confirmation or captcha).

The monetary damage done to users is probably in the high thousands, if not millions, at this point in time.
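The swap described in this post works because the mobile confirmation step shows the user a profile that looks like their trading partner. The following is an added example (not code from the post, from Valve, or from any Steam client) of the defender-side check a confirmation step should perform: compare the offer now pending against the offer the user originally composed, keying on the partner's SteamID64 and the item asset ids rather than on display name or avatar, which an attacker controls. The `TradeOffer` structure and the sample offers are constructed for the example.

```python
"""
Hypothetical confirmation-time check for a trade offer (added example).
It is not part of the post and does not model any real Steam API; the
TradeOffer fields and the sample data below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class TradeOffer:
    offer_id: str
    partner_steamid64: str           # 17-digit numeric id, fixed for an account
    partner_name: str                # cosmetic and attacker-controllable
    items_to_give: FrozenSet[str]    # asset ids leaving the user's inventory
    items_to_receive: FrozenSet[str]  # asset ids entering the user's inventory


def compare_for_confirmation(intended: TradeOffer, pending: TradeOffer) -> List[str]:
    """Return the list of mismatches between the offer the user composed and
    the offer now awaiting 2FA confirmation. An empty list means the pending
    offer is the one the user actually set up."""
    problems: List[str] = []
    # A different offer id means the original was cancelled and replaced,
    # which is exactly what the automated swap does.
    if pending.offer_id != intended.offer_id:
        problems.append(
            f"offer id changed: {intended.offer_id} -> {pending.offer_id}")
    # Identity is the numeric id, never the name: a look-alike bot can copy
    # the name and avatar but cannot copy the SteamID64.
    if pending.partner_steamid64 != intended.partner_steamid64:
        problems.append(
            f"partner changed: {intended.partner_steamid64} -> "
            f"{pending.partner_steamid64} (display name "
            f"'{pending.partner_name}' is not evidence of identity)")
    if pending.items_to_give != intended.items_to_give:
        problems.append("items to give changed")
    if pending.items_to_receive != intended.items_to_receive:
        problems.append("items to receive changed")
    return problems


# Constructed sample data: the offer the user composed, the same offer
# arriving for confirmation, and a swapped offer to a look-alike profile
# that keeps the same display name and the same items leaving the account.
INTENDED = TradeOffer("1001", "76561198000000001", "friend_abc",
                      frozenset({"asset-a1", "asset-a2"}), frozenset({"asset-b9"}))
LEGIT_PENDING = TradeOffer("1001", "76561198000000001", "friend_abc",
                           frozenset({"asset-a1", "asset-a2"}), frozenset({"asset-b9"}))
SWAPPED_PENDING = TradeOffer("1002", "76561198999999999", "friend_abc",
                             frozenset({"asset-a1", "asset-a2"}), frozenset())


def confirmation_allowed(intended: TradeOffer, pending: TradeOffer) -> bool:
    """True only when nothing about the offer changed since it was composed."""
    return not compare_for_confirmation(intended, pending)


if __name__ == "__main__":
    for label, pending in (("legitimate", LEGIT_PENDING), ("swapped", SWAPPED_PENDING)):
        issues = compare_for_confirmation(INTENDED, pending)
        print(f"{label}: {'confirm' if not issues else 'REFUSE'}")
        for issue in issues:
            print("  -", issue)
```

The point of the check is that the confirmation screen must be bound to the offer the user created, not to whatever offer happens to be pending when the 2FA prompt is answered; the same comparison can also be logged as a detection signal, since a replaced offer id paired with a changed partner id within seconds of composition is the signature of the automated swap.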