# Steam exploit regarding Russian pay kiosks



## Law (Jun 30, 2013)

It starts with a user having 10 rubles randomly appear in their Steam Wallet; it ends with his account frozen for 9 weeks due to the actions of a Russian troll.












10 rubles is roughly 30 cents; there is very little chance this was an accident. It seems like a very deliberate move which exploits the lack of validation the Russian pay kiosks use. Avoid ARMA, avoid Dota2, avoid any other game that may be popular in Russia. It is very easy for them to lock down your account, and Steam support takes so long to set things straight.



> Seems to me like a case of the left hand not knowing what the right hand is doing. The person who got his initial e-mail figured out that the money was deposited into his wallet by somebody else and assured him his account hadn't been compromised. Then the Russian guy who did it made a charge-back (apparently to ♥♥♥♥ with Sultan for shushing him on a game server) and Steam automatically restricted his account and sent out a form e-mail.
> 
> Like jivjov says though, I'd get this information out to everybody you can - no other user (either deliberately or accidentally) should be able to cause your account to be locked down or restricted like this and Steam needs to prevent this type of thing from being allowed to happen.


 
This probably isn't formatted correctly for your USN guidelines, but do you know who I am? Yeah.






The fact that this makes it incredibly easy for anybody in a country that uses those pay kiosks to lock down another user's account is VERY important. This shouldn't be a thing that happens. I'm hoping that if this spreads perhaps Steam will finally step up their customer support, remove the kiosks as a payment method until they implement a method of account validation, and put systems in place to *never* allow this to happen.

Thanks for reading.


----------



## nukeboy95 (Jun 30, 2013)

source?


----------



## Law (Jun 30, 2013)

The source is a private forum.

This is literally breaking news, this conversation is still going on. I've tweeted a few news sites, but none of them will bother with it when "XBOX ONE OR PS4? YOU DECIDE!" is going on.


----------



## AlanJohn (Jun 30, 2013)

Fucking Russians. Hopefully this will never happen to me, but I already have a lot of enemies in Russia...


----------



## notmeanymore (Jun 30, 2013)

Jesus. 9 weeks is a LONG time when the Steam Sale is right around the corner.

I'd probably just make a new account and buy all the games I want as "gifts" for my primary account, but still, that's harsh.


----------



## chartube12 (Jul 1, 2013)

Can you even receive gifts on steam while you are banned from their store?


----------



## nukeboy95 (Jul 1, 2013)

Poor guy, now he won't go bankrupt during the summer sale.


----------



## Gahars (Jul 1, 2013)

With just a few rubles, Steam accounts are reduced to rubble. Hmph.

You win this round, Russia.


----------



## Law (Jul 1, 2013)

After speaking to a few people, the kiosks require the username you log into steam with. As long as you keep those private, don't get phished, or disclose them (I'm unsure if they still show up in server logs next to SteamID numbers like they used to) you should be fine. Unconfirmed as to whether you can transfer the money straight to a SteamID, but it still feels like a method Valve should not be using when those same kiosks allow them to add funds to a webmoney account, which they then need to properly log into steam to put in their wallet. The kiosks also require an account which has fraud protection, which made the chargeback easy.


----------



## Gabelvampir (Jul 1, 2013)

Law said:


> After speaking to a few people, the kiosks require the username you log into steam with. As long as you keep those private, don't get phished, or disclose them (I'm unsure if they still show up in server logs next to SteamID numbers like they used to) you should be fine. Unconfirmed as to whether you can transfer the money straight to a SteamID, but it still feels like a method Valve should not be using when those same kiosks allow them to add funds to a webmoney account, which they then need to properly log into steam to put in their wallet. The kiosks also require an account which has fraud protection, which made the chargeback easy.


Keep the Steam account name private? A bit hard seeing many games use it as default multiplayer name. I haven't played much DotA 2, but as far as I've seen you can't even change your screenname there, it is the Steam account name.
So the only (temporary) solution would be to make an account just for DotA 2 in that case. But then you'll lose your online stats.


----------



## Deleted User (Jul 1, 2013)

Gabelvampir said:


> Keep the Steam account name private? A bit hard seeing many games use it as default multiplayer name. I haven't played much DotA 2, but as far as I've seen you can't even change your screenname there, it is the Steam account name.
> So the only (temporary) solution would be to make an account just for DotA 2 in that case. But then you'll lose your online stats.


 
you can change your screen name (I changed mine) xD


----------



## Gabelvampir (Jul 1, 2013)

riyaz said:


> you can change your screen name (I changed mine) xD


Ah ok, I did not look that much for that option. So far I have only played DotA 2 at the last LAN party with some friends.


----------



## MasterPenguin (Jul 1, 2013)

This isn't breaking news at all. People have been gifting people games (ie bad rats) and then canceling the payment, which freezes the account of whoever had it. This "exploit" is years old.


----------



## Law (Jul 1, 2013)

^^^^^^^ This is regarding Russian pay kiosks. Whilst gifting games and doing a chargeback does work to lock accounts, it is a separate issue that Steam needs to address. This is regarding adding funds to an account with no level of validation. There is no obvious guilty party, unlike the gifting scenario where Valve can punish the originating account.

The actual username that you log into Steam with. That doesn't change, no matter what you set your display name to.

Somebody dug up another example of this happening in August 2012. Here's some poorly translated Russian.



> A week ago, a Russian found a way as Ukrainians, Americans, Europeans, block accounts for the purchase of, and unlock them can only support.
> In short, knowing the opponent's login account, enough through QIWI purse on the Steam Wallet to put RR 1, then buying blocked, even with a visa card and other payment systems as well as on the steam wallet is Euro account then thinks that he is a Russian, and prohibits Shopping with IP addresses are not Russian, few Americans have suffered at the STEAM forum threads quickly rubbed, (but there is one in the American forum) because they understand that the error valvae that allowed to put any amount through qiwi, naive, whom they thought you will feel sorry for their money and will not be so engaged, but there may be someone who is just 1 ruble has created a lot of problems for people. he blurted out their usernames in the U.S. when they leave our screenshots of their clients ... This kind of kind of punishment is only for those accounts that are in the countries where there is no rubles.
> And while there qiwi and the ability to put any amount valvae can not do anything,
> to an American and a support that has helped Russian again he sent RR 1, so much so that the American missed nearly all the discounts quakecon
> Valve in a support Americans responded that it was his fault, just opened your login, that is against the SSA


 
Source is a Russian Counter Strike forum csmania.ru.

Steam knows about the issue, has known about the issue for almost a year, and has done nothing to try and fix a system that allows you to add funds to an account without any method of validation or any checks to ensure account ownership.


----------



## PsyBlade (Jul 1, 2013)

MasterPenguin said:


> This isn't breaking news at all. People have been gifting people games (ie bad rats) and then canceling the payment, which freezes the account of whoever had it. This "exploit" is years old.


That's why there is the advice to reject gifts from random strangers.
This new funds method can't be rejected.


----------



## Minox (Jul 1, 2013)

Law said:


> After speaking to a few people, the kiosks require the username you log into steam with. As long as you keep those private, don't get phished, or disclose them (I'm unsure if they still show up in server logs next to SteamID numbers like they used to) you should be fine.


Steam usernames do not show up in server logs and have not done so for the past 2-3 years or so at least. However, thanks to whoever designed the default Steam skin, your Steam account name is openly viewable in the main window, so it's probably for the best to be cautious regarding screenshots/videos of your Steam client being open unless you happen to use a custom skin which removes said stupid feature.


----------



## Law (Jul 1, 2013)

Yeah, there's also the issue of "What's your steam?" forum threads where people may post their log in usernames instead of their display names. If some Russians just wanted to be jerks they could easily shut down a few thousand Steam accounts with some dedication and the same 10 rubles over and over.

Somebody posted on Reddit, and it contains a bit more information as well as clarification from the person it happened to, and a few people chiming in and saying they have had similar issues happen to them or friends. http://www.reddit.com/r/Games/comments/1hf1qz/warning_russian_users_can_use_an_exploit_to_shut/

It also has people blindly saying "Well the default form letter says he spent the money so he's obviously trying to scam steam!"

Valve really needs to update their default form letters and not use the ones regarding chargebacks made on game purchases.


Despite the fact they need your username to act maliciously against you, this can also be done by accident which will still cause your account to get locked down.


----------



## nukeboy95 (Jul 2, 2013)

Gabelvampir said:


> Keep the Steam account name private? A bit hard seeing many games use it as default multiplayer name. I haven't played much DotA 2, but as far as I've seen you can't even change your screenname there, it is the Steam account name.
> So the only (temporary) solution would be to make an account just for DotA 2 in that case. But then you'll lose your online stats.


 
Source multiplayer games are terrible when it comes to that


----------



## Jamstruth (Jul 2, 2013)

Law said:


> After speaking to a few people, the kiosks require the username you log into steam with.


 
So they just need the public half of our account details! PERFECT! I suppose the Pay Kiosks thought that nothing malicious could be done with it considering the most it can do is add to another person's account (a rather handy feature when you think about it)


----------



## Law (Jul 2, 2013)

The username you log into Steam with should be private, your profile/display name is public. The kiosks should be updated to require password validation though.

It would be easy to find a list of usernames, and in some cases it could be easy to guess a username. My steam username isn't "law", but it's damn close to it.

A steam representative replied to the twitter saying it was a support snafu, and that they were updating their tools to prevent it from happening in the future. He didn't comment regarding the automatic charge backs from the kiosks locking the account so they're being hush hush about that.


----------



## Minox (Jul 2, 2013)

Law said:


> The username you log into Steam with should be private, your profile/display name is public. The kiosks should be updated to require password validation though.


They shouldn't need to do that tbh, they could potentially just add a confirmation code that you have to enter before the money gets added to your Steam account.


----------
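
Added example, not part of the thread and not Valve's or the kiosk operator's code: a sketch of the confirmation-code idea from the last post, where a top-up made with only a login name stays pending until the logged-in account owner accepts it, so a chargeback on unaccepted money is voided without touching the account. The `Wallet` class, its method names, the restriction rule and the sample login are all hypothetical.

```python
import hmac
import secrets

class Wallet:
    """Hypothetical ledger: kiosk top-ups stay pending until the owner confirms."""

    def __init__(self):
        self.balance = {}      # login -> confirmed funds (minor units)
        self.restricted = set()
        self.pending = {}      # deposit_id -> {"login", "amount", "code"}
        self.confirmed = {}    # deposit_id -> (login, amount)

    def kiosk_deposit(self, login, amount):
        # The kiosk only knows the login name, so nothing is credited yet.
        deposit_id = secrets.token_hex(8)
        code = secrets.token_hex(4)  # assumed to be shown only in the owner's session
        self.pending[deposit_id] = {"login": login, "amount": amount, "code": code}
        return deposit_id, code

    def confirm(self, session_login, deposit_id, code):
        # session_login comes from an authenticated session, never from the kiosk.
        dep = self.pending.get(deposit_id)
        if dep is None or dep["login"] != session_login:
            return False
        if not hmac.compare_digest(dep["code"], code):
            return False
        del self.pending[deposit_id]
        self.balance[session_login] = self.balance.get(session_login, 0) + dep["amount"]
        self.confirmed[deposit_id] = (session_login, dep["amount"])
        return True

    def chargeback(self, deposit_id):
        # Unaccepted money is simply voided: the named account never held it.
        if self.pending.pop(deposit_id, None) is not None:
            return "voided"
        if deposit_id in self.confirmed:
            login, amount = self.confirmed.pop(deposit_id)
            self.balance[login] -= amount
            if self.balance[login] < 0:  # assumed rule: restrict only if funds were spent
                self.restricted.add(login)
            return "reversed"
        return "unknown"

def demo():
    # Constructed scenario: a stranger tops up "victim_login", then charges back.
    w = Wallet()
    dep, _code = w.kiosk_deposit("victim_login", 1000)
    outcome = w.chargeback(dep)
    return outcome, w.balance.get("victim_login", 0), "victim_login" in w.restricted
```
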

