Steam Users Think Valve’s New Trading Restrictions Go Too Far

Wanna use Steam’s market or trading features? Don’t have a compatible mobile phone for security purposes? Then prepare to wait weeks before anything happens.

Valve recently announced big changes to Steam’s trade (directly between individual users) and community market (where you can post listings for virtual items to buy/sell) features. If you’re not using the Steam mobile app for two-factor authentication and security, you’ll have to wait 15 days before a trade goes through or a listing goes live. 15 days. Given that Steam’s market and its prices can be fast-moving and fickle, 15 days is a brief eternity.

Sounds kinda ridiculous, no? But it comes a couple months after Valve added three-day trade holds, which they claim improved security (by giving people a chance to shut down transactions in the event that their account had been compromised) and had little impact on the overall volume of trades on Steam. Meanwhile, they say 95 per cent of users are using the mobile app for increased security, so the 15-day hold is for people who don’t check their Steam accounts all that often and might miss a fraudulent transaction if they only have three days to slap the red hand of some sticky fingered thief. Valve explained:

“Since the last account security update, we’ve made significant progress in protecting accounts. In addition to significantly increasing the size of Steam Support to improve response times, individual accounts protected by the Steam Guard Mobile Authenticator on a separate device turned out to be even more effective than we’d hoped. For customers who have yet to add the Steam Guard Mobile Authenticator, trade holds have been helpful in keeping items secure, and we expect that the added duration and extension of holds to the Steam Community Market will further improve security.”

But a lot of Steam users still aren’t pleased, especially those who don’t have iOS or Android phones, given that there’s no version of the Steam mobile app for other devices. There’s also the matter of people who don’t have phones at all:

On top of all that, the Steam app can be finicky and unreliable, and it apparently has trouble with lower-end phones:

Just about every major Steam-related forum is boiling over with backlash right now. Granted, if Valve’s statistic about 95 per cent of users linking their accounts to the Steam app is accurate, this is probably a vocal minority. Then again, when you’re dealing with millions of people, minorities still tend to run pretty large in the grand scheme of things.

To their credit, Valve acknowledged that some people are gonna be massively inconvenienced by this change. But they’ve run the numbers, and they think it’s for the greater good. Valve wrote:

“There’s a delicate balance between account security and the convenience of interacting with the market or trade. Any time we make changes, there’s the risk of significant disruption. We recognise that today’s changes will be inconvenient for users who have yet (or are unable) to use the Steam Guard Mobile Authenticator. But if you’re a high volume trader (who our data shows is likely using the authenticator already), or a trader who likes to exchange items with friends, these changes won’t really affect you at all.”

“We believe these steps are necessary to ensure that accounts are made more secure, that users are empowered to identify and solve problems, and that the economic systems enjoyed by millions of customers are not compromised by people with malicious intent.”

15 days does seem like a little much to me, but Steam has a massive problem with account theft and fraud. As I reported previously, 77,000 accounts get hijacked per month. This isn’t something Valve can take lying down, or even sitting up but kinda, you know, slouching a bit and checking Facebook every couple minutes. Unfortunately, security isn’t always convenient, and unfair as it may seem, the onus is generally on the innocent people in the equation to bolt the locks, put up the barbed wire, and rig a few of those paint bucket traps from Home Alone.

I do feel, though, that Valve could’ve been more considerate of folks who don’t have iOS/Android smart phones or any phones at all, especially due to low income or what have you. I’m not sure what such a security system would look like (or if it’s even possible given Steam’s current form/size), but the new system definitely ensures that those people are gonna have a bad time.

The new trade/market holds go live on March 9th.

You’re reading Steamed, Kotaku’s page dedicated to all things in and around Valve’s stupidly popular PC gaming service. Games, culture, community creations, criticism, guides, videos — everything. If you’ve found anything cool/awful on Steam, send us an email to let us know.


  • I don’t want to use Steam because they can change their policy at any time and if you do not agree to it you can lose your library of games.
    Seems anti consumer to me.

  • Part of me thinks a better way would be to simply increase security at the point of entry for steam accounts, rather than simply placing a restriction on the marketplace and trades.

    But I might be silly.

    • Like how? You already have to get a code emailed to you whenever you use a new computer.

      • I’m not sure, but clearly their verification system isn’t working if 77,000 accounts get hacked a month.

        • That’s because people are getting keylogged and their emails are hacked. It’s a user end problem. Warcraft requires authenticators now because people kept getting hacked.

          People who don’t have smart devices can purchase an authenticator dongle. Valve could end up doing that, but it’s really the only working solution.

          • I would have preferred they use TOTP or some other standardised 2FA system instead of the current Steam mobile app solution, but I’m not exactly bothered by it.

  • I have an Android phone and so could use the app, but since the main thing I trade is excess steam cards at something like $0.10 each – and that not often – this is an awful lot of hassle for trivial gain, for me anyway.

    I also have 26 games I could trade if I wanted to, but none are particularly valuable – stuff like the XCom games, Tropico 4 and Windborne.

  • steam is evil
    and so are mobile phones

    you are going to get so much cancer if you have a mobile

  • Yeah, I wanted to trade a card with some random, then I was told to either use the authenticator or wait, so I just cancelled and gave up on trading.

    • Cards are the area that I reckon should be exempted from that. Trying to trade steam cards between friends for completing sale badges will be effectively impossible unless you both use authenticators. And there’s really no need to for something so minor and infrequent.

      • Everyone should be using authenticators, on every account they have (not just Steam). 2FA is the best account security development of the past few decades, the benefits vastly outweigh the minor inconvenience it adds to the authentication process.

        • I disagree. The general use is a minor inconvenience, sure, but the REAL inconvenience comes when you have to remove the thing due to tech failure or other.

          In my experience it’s much more likely that you will lose access to your authenticator, and be offline longer trying to get it removed when that happens, than actual ‘hacking’(/phishing) instances.

          As far as cost/benefit goes, the value of an authenticator is pretty limited and mostly for audit purposes/high-profile targets (eg: government enterprise remote access, popular/low-security MMOs).

          It’s a simple usability calculation. I started tracking the number of unique usernames and passwords I have and lost track after 70. Best practice for security means unique, complex, and regularly-updated passwords for each, without repetition or overlap. Just. Not. Happening.

          Security is only one priority of many.

          • Your arguments are unconvincing. The only time you’ll lose access to an authenticator is if every device you have it installed on is unavailable. Given almost all 2FA systems can be installed on multiple devices, losing access is an extremely low likelihood in comparison to, say, the 58% of people who use the password reset feature of websites on a regular basis (LunaBee 2013). In the event you do somehow manage to lose access, most services provide simple recovery options, ranging from master codes to voicemail messages to trusted device requests. It takes a concerted, willful effort on your part to remove your ability to participate in all of the options available and find yourself in need of proving your identity manually.

            Your cost/benefit argument is weak. Time cost is in the order of 10 seconds during login, software authenticators cost nothing, hardware authenticators cost anywhere from a few dollars a unit for standard TOTP authenticators to maybe $40 at most for something fancy like Yubikey. For the higher range of price on these devices, it’s a lifetime one-time cost to secure every one of your accounts or devices that supports two-factor authentication and didn’t implement it in a retarded way (eg. Paypal). The security benefits vastly outweigh the costs involved. Your comment that they’re mostly used for audit and high security purposes is also weak, given more than 25% of people online use 2FA (Imperium 2013) and around 68% of Google accounts have either 2SV or mobile authentication enabled (Thanasis P et al, 2015), both of which are considered 2FA. In your favour, the latter study found that the stronger 2SV method Google offers was used by around 6.5% of all Google accounts (around 45 million), but other studies like one by Frost & Sullivan in 2014 showed a growth rate in the order of 7-10%. It’s hardly a relegated solution like you’re suggesting, it’s a mainstream, widespread solution with a medium-to-high rate of takeup.

            Best practice is a combination of multi-factor authentication with regular, secure password changes. None of them are flawless factors, they’re all breakable and that’s why the best security practice is to employ them all. In terms of individual weightings though, multi-factor authentication contributes the most to overall security.

            I will add on a personal note that account security is something I’ve done a fair bit of research on, both for personal reasons and because I’m currently lead developer on a web service project that involves moderate volumes of customer-initiated financial transactions. I’ve spent probably well over a hundred man-hours on research and penetration testing. If you feel like the inconvenience of having to look up a 6 digit code and enter it periodically when you log in to a site is too much, that’s your personal choice and you’re welcome to that, but I think you’re crazy if you’re going to sit there and seriously argue that the security gain isn’t worth such a small cost. 27% of people find 2FA inconvenient (Imperium 2013), you evidently seem to be one of them.

  • How about they just support TOTP and let users load the authentication token into third party apps like Google Authenticator or Microsoft Authenticator? It works well for many other companies and would provide equivalent security.

  • What does the steam app do that getting a generated code via sms doesn’t? (Assumption: saves them money)

    My smart phone still says ‘Nokia’ on it. Steam’s harassment about 2 factor authentication was getting irritating but appears to have ceased for now instead of constantly redirecting me away from the storefront.

  • On Steam, you’re a criminal ’til proven otherwise – and that’s how it should be, right? Don’t agree, then I have a great trade for you…

    • Absolutely. In real life, criminals also only have to wait 15 days after which they’re in the clear to sell their stolen goods, no other risk involved. Much compare, so similarity.
