Why is Steam so insistent on security?

Steam has about 100 million users (random link saying they had 75 million almost 2 years ago). If they spend on average $10 per year, we're talking $1,000,000,000 per year - and I'd say that's a conservative estimate (random link saying they had 1 billion in revenue back in 2010). That's the same kind of money small banks deal with.

Then there is almost certainly a large number of low tech attackers. Steam is used by a lot of kids who don't yet have a proper understanding of legality, so at least some of them will try to steal the account of that other kid that smells funny. To be clear: "some" of 100 million is "lots". These attackers often live in the same town and maybe even saw the other kid typing in the password before, which breaks some traditional safeties based on IP range and passwords. Stolen accounts create customer support costs. Widespread reports of stolen accounts create bad press, which destroys trust. For a digital market, trust is money.

Valve also works with a huge number of partners. These partners can act maliciously and try to break/abuse the billing process, which will directly hurt Steam's reputation and therefore lose Valve some serious money, unless the abuse is detected and dealt with swiftly.

EDIT:

[...] enough money now moves around the system that stealing virtual Steam goods has become a real business for skilled hackers [...] We see around 77,000 accounts hijacked and pillaged each month. - 9 Dec 2015 http://store.steampowered.com/news/19618/

So in addition to a large number of low tech attackers, there's a large number of high tech attackers as well.


I think it's very understandable, especially why they feel the need to force security measures on users:

  • A Steam account can be a very valuable asset; many Steam libraries would easily cost hundreds, if not thousands, to replace
  • People often don't treat their Steam account as carefully as other accounts, e.g. email or a bank account
  • Once stolen it's very difficult to determine the legitimate owner. Unlike a financial institution they can't ask a user to take ID to a branch.
  • Many children use Steam. Information belonging to children deserves a higher level of protection
  • Children using Steam can't necessarily be trusted to be security conscious. They may share their passwords, etc.
  • Having your account stolen would create a very negative impression of the Steam distribution model. Many people would blame Steam and the distribution model they're trying to champion, even if the user was entirely to blame.
  • There is a huge market for stolen Steam accounts, and it's fairly easy to steal one using unsophisticated methods such as phishing

The real reason is fraud. A typical scam looks like this:

  1. The scammer buys a game off the Steam store, or an item off the Steam Market using a stolen credit card or stolen account. Many CS:GO, TF2, and Dota 2 items are worth $100s or even $1000s, so these aren't penny scams we're talking about.
  2. The scammer then sells the item to an unsuspecting user for slightly below market value using a site like tf2outpost.com or steamtrades.com. If the stolen account has a high reputation on that site, it will be easy to convince the unsuspecting user to pay with PayPal.
  3. Several days or weeks later, the real owner of the credit card/account realizes their credentials have been stolen and issues a chargeback.

Now money that would have otherwise gone to Valve goes to the scammer's pocket instead. This is also the reason items that are purchased on the Steam Market are now untradable for 7 days (30 days for games).

Valve is privately owned and does not publicly publish its financial statements, but similarly large companies like Sony and Microsoft lose millions a year to this sort of credit-card fraud.
