Steam exploit regarding Russian pay kiosks

Discussion in 'User Submitted News' started by Law, Jun 30, 2013.

  1. Law
    OP

    Law rip ninjacat that zarcon made me

    Member
    4,132
    217
    Aug 14, 2007
    ‭jerkland
    It starts with a user having 10 rubles randomly appear in their Steam Wallet; it ends in having his account frozen for 9 weeks due to the actions of a Russian troll.

    10 rubles is roughly 30 cents; there is very little chance this was an accident. It seems like a very deliberate move which exploits the lack of validation the Russian pay kiosks use. Avoid ARMA, avoid Dota2, avoid any other game that may be popular in Russia. It is very easy for them to lock down your account, and Steam support takes so long to set things straight.

    This probably isn't formatted correctly for your USN guidelines, but do you know who I am? Yeah.

    The fact that this makes it incredibly easy for anybody in a country that uses those pay kiosks to lock down another user's account is VERY important. This shouldn't be a thing that happens. I'm hoping that if this spreads perhaps Steam will finally step up their customer support, remove the kiosks as a payment method until they implement a method of account validation, and put systems in place to never allow this to happen.

    Thanks for reading.
     
    soulx likes this.
  2. nukeboy95

    nukeboy95 Leave luck to heaven.

    Member
    2,273
    1,086
    Aug 24, 2010
    United States
    not sure
    source?
     
  3. Law
    OP

    The source is a private forum.

    This is literally breaking news, this conversation is still going on. I've tweeted a few news sites, but none of them will bother with it when "XBOX ONE OR PS4? YOU DECIDE!" is going on.
     
  4. AlanJohn

    AlanJohn くたばれ

    Member
    3,460
    2,930
    Jan 6, 2011
    Canada,New Jersey
    Fucking russians. Hopefully this will never happen to me, but I already have a lot of enemies in Russia...
     
    EZ-Megaman and DinohScene like this.
  5. TehSkull

    TehSkull Living the life

    Member
    2,700
    388
    Nov 29, 2009
    United States
    Louisiana
    Jesus. 9 weeks is a LONG time when the Steam Sale is right around the corner.

    I'd probably just make a new account and buy all the games I want as "gifts" for my primary account, but still, that's harsh.
     
    Celice and nukeboy95 like this.
  6. chartube12

    chartube12 GBAtemp Psycho!

    Member
    3,243
    492
    Mar 3, 2010
    United States
    Can you even receive gifts on steam while you are banned from their store?
     
  7. nukeboy95

    Poor guy, now he won't go bankrupt during the summer sale.
     
    luigiman1928 likes this.
  8. Gahars

    Gahars Bakayaro Banzai

    Member
    10,254
    17,404
    Aug 5, 2011
    United States
    New Jersey
    With just a few rubles, Steam accounts are reduced to rubble. Hmph.

    You win this round, Russia.
     
    jgblahblahblah, mercluke and Ammako like this.
  9. Law
    OP

    After speaking to a few people, the kiosks require the username you log into Steam with. As long as you keep those private, don't get phished, or disclose them (I'm unsure if they still show up in server logs next to SteamID numbers like they used to) you should be fine. Unconfirmed as to whether you can transfer the money straight to a SteamID, but it still feels like a method Valve should not be using when those same kiosks allow them to add funds to a WebMoney account, which they then need to properly log into Steam to put in their wallet. The kiosks also require an account which has fraud protection, which made the chargeback easy.
     
  10. Gabelvampir

    Gabelvampir Free Mars!

    Member
    455
    48
    Mar 17, 2009
    Gambia, The
    K-Town
    Keep the Steam account name private? A bit hard seeing many games use it as default multiplayer name. I haven't played much DotA 2, but as far as I've seen you can't even change your screenname there, it is the Steam account name.
    So the only (temporary) solution would be to make an account just for DotA 2 in that case. But then you'll lose your online stats.
     
  11. Riyaz

    Riyaz Black Ace/Red Joker

    Member
    1,283
    735
    Jun 21, 2011
    Netherlands
    everywhere
    you can change your screen name (I changed mine) xD
     
  12. Gabelvampir

    Ah ok, I did not look that much for that option. So far I only played DotA 2 at the last LAN party with some friends.
     
  13. MasterPenguin

    MasterPenguin GBAtemp Fan

    Member
    424
    24
    Jul 16, 2008
    Canada
    This isn't breaking news at all. People have been gifting people games (i.e. Bad Rats) and then canceling the payment, which freezes the account of whoever had it. This "exploit" is years old.
     
  14. Law
    OP

    ^^^^^^^ This is regarding Russian pay kiosks. Whilst gifting games and doing a chargeback does work to lock accounts, it is a separate issue that Steam needs to address. This is regarding adding funds to an account with no level of validation. There is no obvious guilty party, unlike the gifting scenario where Valve can punish the originating account.

    The actual username that you log into Steam. That doesn't change, no matter what you set your display name to.

    Somebody dug up another example of this happening in August 2012. Here's some poorly translated Russian.

    Source is a Russian Counter Strike forum csmania.ru.

    Steam knows about the issue, has known about the issue for almost a year, and has done nothing to try and fix a system that allows you to add funds to an account without any method of validation or any checks to ensure account ownership.
     
  15. PsyBlade

    PsyBlade Snake Charmer

    Member
    2,204
    256
    Jul 30, 2009
    Gambia, The
    Sol III
    That's why there is the advice to reject gifts from random strangers.
    This new funds method can't be rejected.
     
  16. Minox

    Minox I did it

    Supervisor
    6,111
    2,964
    Aug 27, 2007
    Sweden
    Steam usernames do not show up in server logs and have not done so for the past 2-3 years or so at least. However, thanks to whoever designed the default Steam skin, your Steam account name is openly viewable in the main window, so it's probably for the best to be cautious regarding screenshots/videos of your Steam client being open unless you happen to use a custom skin which removes said stupid feature.
     
  17. Law
    OP

    Yeah, there's also the issue of "What's your steam?" forum threads where people may post their login usernames instead of their display names. If some Russians just wanted to be jerks they could easily shut down a few thousand Steam accounts with some dedication and the same 10 rubles over and over.

    Somebody posted on Reddit, and it contains a bit more information as well as clarification from the person it happened to, and a few people chiming in and saying they have had similar issues happen to them or friends. http://www.reddit.com/r/Games/comments/1hf1qz/warning_russian_users_can_use_an_exploit_to_shut/

    It also has people blindly saying "Well the default form letter says he spent the money so he's obviously trying to scam Steam!"

    Valve really needs to update their default form letters and not use the ones regarding chargebacks made on game purchases.


    Despite the fact they need your username to act maliciously against you, this can also be done by accident, which will still cause your account to get locked down.
     
  18. nukeboy95

    Source multiplayer games are terrible when it comes to that
     
  19. Jamstruth

    Jamstruth Secondary Feline Anthropomorph

    Member
    3,456
    185
    Apr 23, 2009
    North East Scotland
    So they just need the public half of our account details! PERFECT! I suppose the Pay Kiosks thought that nothing malicious could be done with it considering the most it can do is add to another person's account (a rather handy feature when you think about it)
     
  20. Law
    OP

    The username you log into Steam with should be private; your profile/display name is public. The kiosks should be updated to require password validation though.

    It would be easy to find a list of usernames, and in some cases it could be easy to guess a username. My Steam username isn't "law", but it's damn close to it.

    A Steam representative replied on Twitter saying it was a support snafu, and that they were updating their tools to prevent it from happening in the future. He didn't comment regarding the automatic chargebacks from the kiosks locking the account, so they're being hush-hush about that.