The AVSIM Community
Steam security vulnerability

Featured Replies

25 minutes ago, bofhlusr said:

Thank you. The Steam scam is news to me. How does that work?

That's what Steam told me too. That I was scammed.  But doesn't a scam involve participation on my part?  Steam said the proceeds of the theft were used to purchase something in another game, a game which I never heard of or have any interest in.

In this incident I didn't do anything other than use the account for MSFS and another game (WARNO, by the way, which I would highly recommend for its graphics and as real-as-it-gets physics - and coincidentally, by French devs too - Eugen Systems).

It's a standard phishing scam, they send you an email or a link to click on that might be marked up even, so it's indistinguishable from the real site. Usually, there are signs when you end up on the actual page - as you can see below the link looks legit but it's not. It's trying to look like steamcommunity.ru provided you don't look too closely lol. Once on the page (this one is dead btw), there are usually signs - rarely does a phishing attack get the fonts, layout, etc. 100% correct. 


Either way - double-check the address bar, if you click on the link your browser will show you the actual website you're connected to.

Very very common type of scam being done at all levels - from Steam account scamming, to large enterprise (that MGM Grand hack was a phishing attack - they targeted and managed to snag the director of IT for the company).

Edited by mspencer
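The address-bar check described in the post above, as an added example (not code from the post, from the poster, or from Steam): a small Python routine that resolves a link the way a browser does and explains why the real destination is not the site the link text imitates. The allowlist of legitimate hosts and the sample links are constructed for this example.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist for this example: the hosts the user actually means to reach.
LEGITIMATE_HOSTS = {"steamcommunity.com", "store.steampowered.com", "help.steampowered.com"}


def actual_host(url: str) -> str:
    """Return the host the browser will really connect to for this link.

    urlsplit().hostname drops the scheme, any user:pass@ prefix, the port and
    the path, and lower-cases the name. The IDNA step rewrites a name that uses
    look-alike non-ASCII letters into its 'xn--' form, so it can never compare
    equal to the plain ASCII site it imitates.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web link: {url!r}")
    return parts.hostname.encode("idna").decode("ascii")


def why_suspicious(url: str) -> Optional[str]:
    """None when the link really lands on a known site (or a subdomain of one);
    otherwise a short reason the reader can act on before clicking."""
    host = actual_host(url)
    if any(host == good or host.endswith("." + good) for good in LEGITIMATE_HOSTS):
        return None
    if urlsplit(url.strip()).username is not None:
        # 'https://steamcommunity.com@evil.example/': the name before '@' is
        # ignored by the browser, which connects to whatever follows it.
        return f"userinfo trick: the browser will connect to {host!r}, not the name before '@'"
    if "xn--" in host:
        return f"look-alike characters: the real host is {host!r}"
    for good in LEGITIMATE_HOSTS:
        brand = good.split(".")[-2]  # 'steamcommunity', 'steampowered'
        if brand in host:
            return f"look-alike domain {host!r} is not {good!r}"
    return f"unknown host {host!r}"
```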

  • Author
1 hour ago, Funky D said:

Run a full malware scan on your system. If you clicked on a phishing link and your browser was logged into Steam, malware can steal the 2fa cookies from your machine and allow others to log into your account without needing 2fa. Whenever you have a compromise like this, it is important to change passwords. You should change your email password along with the Steam password that you already changed. Consider a password manager such as 1Password or Bitwarden, which can also store 2fa codes. Unfortunately, in the case of Steam, you need to use their mobile app in order to use 2fa securely (email and sms 2fa are better than nothing but not as secure as app-based tokens).

You can find some more info on common Steam scams here: https://steamcommunity.com/discussions/forum/1/4041481833171822554/

Here's the thing about password managers though. How do you know if they are as secure as everything else?

Thanks for the link.  I'll check it out.

P.S. Nice link. I found this comment in the link really interesting:
"Be aware that Steam Support will not restore stolen items nor stolen wallet funds.
In accordance with Section 1 C of the Steam Subscriber Agreement, you are responsible for all actions on your account, no matter who used the account."

Ok, who's honest enough to admit that they don't read software license agreements?

Three software practices I'd recommend:  a vpn, shadow defender (Shadow Defender - the easiest PC/laptop security and privacy protection tool), and Chrome's Incognito or Edge's InPrivate modes.

Edited by bofhlusr

Hardware: i7-8700k, GTX 1070-ti, 32GB ram, NVMe/SSD drives with lots of free space.
Software: latest Windows 10 Pro, P3Dv4.5+, FSX Steam, and lots of addons (100+ mostly Orbx stuff).


The first protection idea is to not have funds in your steam account. I link my Steam wallet to Paypal. Paypal requires a password and if you wish you can setup paypal to require double authentication. I keep zero funds in my wallet.

My Steam account was hacked by someone in Malaysia. I had no funds in the wallet, so they got no money. But they played FSX flight simulator. And they changed my Steam password.

 

All that I had to do to get my own password back and convince Steam support that I was the real account holder was to tell them any of my PayPal transaction numbers for any past purchase. And so Steam knew I was the legitimate owner of the account and restored it to me with my new password, thereby locking the Malaysian crime syndicate out of my account.

That syndicate was seizing accounts and selling them to individuals. Whoever bought mine from them only got to play FSX, but no money.

5800X3D, RTX4070, 600 Watt, one or two 1440p 32" screens, 64 GB RAM, 4 TB PCIe 3 NVMe, Warthog throttle, VKB NXT EVO stick, Honeycomb Alpha yoke, CH quad, 3 Logitech panels, 2 StreamDecks, Desktop Aviator Trim Panel. Crystal Light VR.

 

13 minutes ago, bofhlusr said:

Here's the thing about password managers though. How do you know if they are as secure as everything else?

In the case of 1Password, the password vault is secured by both a password and a "recovery code", which are both required to decrypt the vault. But you're right, it's always good to be skeptical... LastPass had a huge breach a few years ago and their incompetence led to poorly encrypted vaults being shared on the dark web. Browser password managers are also notoriously easy to hack, although I'm not sure if this is still the case (the last time I tried, a year or two ago, it was still possible to download the Chrome password database to another computer and decrypt it in seconds with readily available utilities).

I choose to trust 1Password due to their transparency on how their software and organization works, along with how they responded to the breaches of other companies. Folks trust Bitwarden because it's open source and regularly audited. For me, the ability to have randomized passwords for every account outweighs the risk of my 1Password vault existing in the cloud.

  • Author
8 minutes ago, Fielder said:

The first protection idea is to not have funds in your steam account. I link my Steam wallet to Paypal. Paypal requires a password and if you wish you can setup paypal to require double authentication. I keep zero funds in my wallet.

My Steam account was hacked by someone in Malaysia. I had no funds in the wallet, so they got no money. But they played FSX flight simulator. And they changed my Steam password.

 

All that I had to do to get my own password back and convince Steam support that I was the real account holder was to tell them any of my PayPal transaction numbers for any past purchase. And so Steam knew I was the legitimate owner of the account and restored it to me with my new password, thereby locking the Malaysian crime syndicate out of my account.

That syndicate was seizing accounts and selling them to individuals. Whoever bought mine from them only got to play FSX, but no money.

I agree. I don't deposit funds. These funds were refunds from a Marketplace purchase. I'm hoping MSFS 2024 or Steam improves how they record purchases in the Marketplace by providing more details as to what the purchase was.


  • Author
3 minutes ago, Funky D said:

In the case of 1Password, the password vault is secured by both a password and a "recovery code", which are both required to decrypt the vault. But you're right, it's always good to be skeptical... LastPass had a huge breach a few years ago and their incompetence led to poorly encrypted vaults being shared on the dark web. Browser password managers are also notoriously easy to hack, although I'm not sure if this is still the case (the last time I tried, a year or two ago, it was still possible to download the Chrome password database to another computer and decrypt it in seconds with readily available utilities).

I choose to trust 1Password due to their transparency on how their software and organization works, along with how they responded to the breaches of other companies. Folks trust Bitwarden because it's open source and regularly audited. For me, the ability to have randomized passwords for every account outweighs the risk of my 1Password vault existing in the cloud.

Open source is nice but I'm remembering TrueCrypt, also open source, which failed. Regular audits are better, but I also remember VERY large, highly respected public auditing firms (KPMG, Pricewaterhouse, etc.) which failed to detect the fraudulent activities of Bernard Madoff (which cost the public 50(?) billion with a B).

Still, probably better than nothing. Just a big plus for not being in the cloud I suppose. I hear some people never use the internet or email (eg. Trump). Maybe they have a point.


TrueCrypt was morphed into VeraCrypt, which is outstanding.


The funny (or scary) thing about TrueCrypt: No one knows why the project was abandoned. It didn't fail any security audits at the time. There have been some vulnerabilities unrelated to the encryption algorithm that have since been fixed in VeraCrypt. Whispers about state actors and conflicts of interest, but I don't believe anything was ever confirmed by the devs. As for Bitwarden, if it ever goes under, we can assume a similar fate... The project will be forked and another team will take over. The main thing killing open source these days isn't buggy code or a lack of security, but greed.

1 hour ago, Funky D said:

The funny (or scary) thing about TrueCrypt: No one knows why the project was abandoned. It didn't fail any security audits at the time. There have been some vulnerabilities unrelated to the encryption algorithm that have since been fixed in VeraCrypt. Whispers about state actors and conflicts of interest, but I don't believe anything was ever confirmed by the devs. As for Bitwarden, if it ever goes under, we can assume a similar fate... The project will be forked and another team will take over. The main thing killing open source these days isn't buggy code or a lack of security, but greed.

I mean you can be pretty well assured that if it was a US company, they were contacted in the last 5 years to put an NSA back door in the code. 

  • Author
53 minutes ago, mspencer said:

I mean you can be pretty well assured that if it was a US company, they were contacted in the last 5 years to put an NSA back door in the code. 

Microsoft and Steam have backdoors? Arguably very hard to prove or disprove if it involves the NSA.

The more immediate question is who to go with for MSFS 2024. Steam or the Marketplace. If both have backdoors, I doubt the NSA would be wasting their time 'gaming' gamers.


1 hour ago, bofhlusr said:

Microsoft and Steam have backdoors? Arguably very hard to prove or disprove if it involves the NSA.

The more immediate question is who to go with for MSFS 2024. Steam or the Marketplace. If both have backdoors, I doubt the NSA would be wasting their time 'gaming' gamers.


MS definitely, Steam probably not. Confirmed in Meta, many other products, this was all part of the Wikileaks stuff.

Basically if you think your data is safe or anything is 100%, you're being silly. It's about protecting against 99% of threats.

Dashlane is a good solution.

1 hour ago, bofhlusr said:

Steam or the Marketplace.

This is completely personal preference. When 2020 was released the Microsoft store had its kinks, but those have been ironed out. I'm using the store and never had issues, but I use Steam for other games, also without issues. Both can be hacked through phishing and malware. You can possibly make your Microsoft login that you link to the store more secure by enabling passkeys and removing your password from the account. For Steam, you should use the mobile app for 2fa instead of email.

  • Author
3 hours ago, mspencer said:

MS definitely, Steam probably not. Confirmed in Meta, many other products, this was all part of the Wikileaks stuff. 

Meta as in Facebook? Interesting if it is (have not heard anything; my son works for Meta, but in Reality Labs, so it might not have anything to do with security).


On 11/13/2024 at 7:50 AM, bofhlusr said:

I use Steam for MSFS.   For MSFS 2024, maybe not. I'm having second thoughts.

Steam uses two-factor verification to authenticate users by sending a security code to the user's email. The user has to have access to his email to get the code.

My Steam account was accessed without my knowledge and funds were withdrawn from the account. Steam tech support is apparently unwilling or unable to do anything about it.

I'm posting here to see if anyone else had the same experience I recently had.

Does anyone else have similar concerns as I now have regarding Steam?

I have used Steam since 2005 and I have never had issues.

First of all, why would you keep funds on it? You can insert your CC data manually when you make a purchase.

Second, the purpose of 2FA is giving you an additional protection so it makes sense to use a different method not accessible from your PC as second authentication device (such as a phone number that can receive SMS or an authenticator app installed on your mobile). Otherwise if someone breaks into your PC/mailbox, they also gain access to everything else. e-mail shouldn't even be considered "2FA".

7800X3D | 2x32 GB DDR5-6000 CL32 | RTX 5080 | Alienware OLED 34" | 1 Gbps fiber 

  • Author
17 minutes ago, MrFuzzy said:

First of all, why would you keep funds on it?

This was funds from a refund from an MSFS item which I was going to use for MSFS 2024.

17 minutes ago, MrFuzzy said:

Second, the purpose of 2FA is giving you an additional protection so it makes sense to use a different method not accessible from your PC as second authentication device

I'm learning that 2FA as used in Steam just gives you a SENSE of protection. But not really. Which kinda begs the question: why does it even exist, i.e. giving people a false sense of protection by sending 2FA to email instead of text messages to a cell phone?

Edited by bofhlusr
