Recently we walked through our thinking on account security and trading http://store.steampowered.com/news/19618/, and introduced some new tools for users to protect their accounts. Now that we've had some time to gather data, we'll be making a few more changes to account security, market transactions, and our account restoration process.

Below are the changes that will take place on March 9th. If you are already protected by the Steam Guard Mobile Authenticator (or if you add the security feature to your account today), the first two points below will not impact you:


  • Trade hold duration will be increased to 15 days (for long-time Steam friends the duration will remain 1 day)
  • Listing on the Steam Community Market will have a hold of 15 days before an item can be sold
  • Steam Support will no longer restore items that have left accounts following a successful trade or market transaction (a process that previously created duplicates of original items)


To help understand these changes, we wanted to walk you through the results we've seen so far and our reasoning behind these next steps.

First, it's worth revisiting our goals behind the two main ways customers interact with in-game economies on Steam: Trading and the Steam Community Market. Our primary goal for Trading is to allow customers to easily exchange items with their friends. Our goal for the Steam Community Market is to provide customers with a way to sell any unwanted goods to other players. Both systems work well for these purposes, but they can be a source of pain if the security of your account is ever compromised.

Account and Item Theft

In December we took steps to improve account security by adding more security features, including the Steam Guard Mobile Authenticator and trade holds.

Since then, we've seen lots of users adopting the Steam Guard Mobile Authenticator (two-factor authentication) for trade and market confirmations, and now roughly 95% of daily trades use the mobile authenticator, with trade volumes as high as ever. The authenticator is the best tool that users have to protect their accounts, and the fastest and most secure way to trade items.

Trade Holds

For users who have yet to transition to the Steam Guard Mobile Authenticator, trade holds provide a way to continue to exchange items. Items in a trade hold are held by Steam for a period of time before delivery. This allows users whose accounts have been compromised to quickly cancel any fraudulent trades to recover their items. Trade holds are effective, but unfortunately the current three-day hold fails to protect users who log in less frequently and who need more time to identify a problem. So we'll be adjusting the system to accommodate the majority of customers by increasing trade holds to 15 days.

If you're exchanging items with a friend, and you've been friends for more than a year, don't worry - the trade hold duration is still one day.

Market Holds

Trade holds have been successful, but until now they've been limited to trades. If the Steam Guard Mobile Authenticator was not enabled on a user's account, it was still possible for a hacker to quickly liquidate a user's inventory through the Steam Community Market. To further protect users who haven't enabled the authenticator, holds will now also apply when you list items on the Steam Community Market. Market listing (like trades) will still be instantaneous if you're using the Steam Guard Mobile Authenticator.

Item Duplication

Since the last account security update, we've made significant progress in protecting accounts. In addition to significantly increasing the size of Steam Support to improve response times, individual accounts protected by the Steam Guard Mobile Authenticator on a separate device turned out to be even more effective than we'd hoped. For customers who have yet to add the Steam Guard Mobile Authenticator, trade holds have been helpful in keeping items secure, and we expect that the added duration and extension of holds to the Steam Community Market will further improve security.

Our work isn't finished, but we've seen enough progress in account security to finally address an old problem: item duplication. Currently, if an account is compromised and items have been lost through a successful trade or market transaction, we would manually restore the items, creating duplicates of the original items in the process. That process of manual restoration and duplication has the negative side effect of changing an item's scarcity - as more copies of the item are created, the value of every other similar item is reduced. In addition, it created a method by which users could be rewarded for faking account hijacks.

While we'll continue to assist users with the recovery of their account if they encounter an issue, beginning March 9th we will no longer be manually restoring items that have left the account due to a successful trade or market transaction.

Balance

There's a delicate balance between account security and the convenience of interacting with the market or trade. Any time we make changes, there's the risk of significant disruption. We recognize that today's changes will be inconvenient for users who have yet (or are unable) to use the Steam Guard Mobile Authenticator. But if you're a high volume trader (who our data shows is likely using the authenticator already), or a trader who likes to exchange items with friends, these changes won't really affect you at all. We believe these steps are necessary to ensure that accounts are made more secure, that users are empowered to identify and solve problems, and that the economic systems enjoyed by millions of customers are not compromised by people with malicious intent.

Account security is an issue that affects everyone, and we hope this post has helped to explain our goals and reasoning as we move forward. Please continue to provide your feedback and account security ideas in the Steam forums and elsewhere on the web.

More...