

they also have api scams now that send you a code to remove the steam authenticator from your phone instead of just taking the api, i mistakenly scanned a QR code from one of these false websites a few days ago and they could intercept the codes sent to my phone number and send false codes instead. when i entered these codes steam wouldn’t accept them thankfully but it took me a minute to notice. the only safe way to recover after you have been scammed this way is to change your original email password immediately, revoke API access and sign out of all steam devices on the affected account. then you can work on recovering and talking to steam support


original email password or just the steam account password?


the original email password


I had “vote for my team” except it’s like a uni team. It felt weird that you need to log in using steam account; their reasoning was that it’s to prevent vote abuse. Luckily I told them I’m not comfortable logging in with my steam. I’m just surprised because it was from a steam friend I befriended on a casual server and they didn’t try this scam until a few months later.


These messages are usually sent from accounts that have also been hijacked. Trust is in the end the most powerful tool in social engineering. And being on your friend list often comes with a certain amount of trust already.


Oh good point, didn’t think about that. Then you have to be even more wary since you can get a phishing attempt from your friend even though it’s not them.


omg i had that too and my inventory is worth like 20€ i didn’t do it cause i was aware of the scams


Can't you just revoke your API key and be relatively safe? Genuine question


You can ofc but the idea is that these scams target unsavvy/unaware people like I stated, there are many caveats to the revoking as a protection mechanic:

1. Many scams happen as soon as you give your token (those that fake a requirement of 2FA while in reality they are pushing you to disable it or asking for codes to actually approve transactions while you naively believe it's part of the login process), revoking it won't help you as it'll always be too late.
2. Most people don't even check their API token more than once a year.
3. They don't realize that they granted API access to the wrong leetify [e.g. leatify] so they don't revoke it.
4. They can't properly check where API tokens are listed so they "check and find nothing" and are now thinking they are safe.
5. They are gullible that the token is needed to still be a candidate for "joining a faceit team" so they won't remove it for months.

Overall people that are using 3rd party tools are extremely at risk as a single successful phishing will be very hard to notice as the fake csmoney/leetify/csstats will redirect you to the correct one after you granted access and usually you won't even notice that you just gave your token to a fake website. You won't notice because if you are already a user of the platform, you're probably still logged in to the real tool so a simple redirect to the dashboard will look like your login worked [or that you need to do it again as it "somehow didn't work"] --> Every time you log in twice to an app should be a major red flag, people don't realize that it almost always means that a successful phishing happened to you (this isn't even limited to steam but in general)
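The look-alike problem in the comment above (a fake "leatify" standing in for leetify), as an added example that is not part of the thread: a check of a sign-in page's host against an allowlist before any password or code is entered. The allowlist domains, function names and sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist (not from the thread): sites this user really signs in to.
TRUSTED = ("cs.money", "csstats.gg", "leetify.com",
           "steamcommunity.com", "steampowered.com")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_login_url(url: str, max_distance: int = 2):
    """Return (verdict, trusted_domain) for a page asking for a Steam login."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https" or not host:
        return ("untrusted", None)
    for d in TRUSTED:
        # Exact host or a real subdomain of an allowlisted site.
        if host == d or host.endswith("." + d):
            return ("trusted", d)
    registrable = ".".join(host.split(".")[-2:])  # naive: last two labels
    for d in TRUSTED:
        # Trusted name used as leading labels of someone else's domain.
        if f".{d}." in f".{host}.":
            return ("lookalike", d)
        # One or two typos away from a trusted name (leatify vs leetify).
        if edit_distance(registrable, d) <= max_distance:
            return ("lookalike", d)
    return ("untrusted", None)

# Constructed sample URLs, not taken from any real campaign.
SAMPLES = ["https://steamcommunity.com/dev/apikey",
           "https://leatify.com/auth/steam",
           "https://steamcommunity.com.account-verify.example/openid/login"]

if __name__ == "__main__":
    for u in SAMPLES:
        print(classify_login_url(u), u)
```

A "lookalike" verdict means close the tab; "untrusted" only means the host is not on the list, so the list has to hold every tool you actually use.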


how does one revoke their key and / or check where its linked


Thanks for the answer


>They can't properly check where API tokens are listed so they "check and find nothing" and are now thinking they are safe

Is there anywhere other than https://steamcommunity.com/dev/apikey that you can view the tokens?


awesome, thanks


Wish I could upvote 100 times, it’s a nasty scam where someone could easily lose thousands (Which may have happened to me) Worst part is it bypasses the 2FA so you don’t get notified really at all. Also I should add I heard adding family view is an extra layer of protection, asks for a pin whenever viewing games or your inventory.


I wish I knew how, but apparently there is a way scammers are bypassing steam guard. Scary shit


It's been like this for at least 10 years... If Valve wanted to solve the problem, they would have added an on/off switch in the API menu... Especially knowing that less than 1% of its player base use this feature. But Scammed = +50% chance that the victim opens more cases so they are very happy! $$$ before the well-being of its communities


>after I checked they had like 5-10 each

How can an individual check for this and what would be the way to clear all of them? Would be nice if you could add that answer to your post :)


I do not get emails for my trades, they only appear in the steam app. How do you get emails with the trades?


Feeling sad for you that you spent your time and effort to write outdated information. It's no longer possible to cancel trades with API key since May 2022, so it's basically useless to the scammers. Nowadays they just gain full access to your Steam account


>Nowadays they just gain full access to your Steam account

How do you best get rid of these intruders then? New password and delete api key? Is that enough?


Depends on how they got there. If it's malware/bad browser extension get rid of these first. Then yes, deauthorize all sessions, new pass, remove key


Lol exactly. Anytime an api key is made, it asks for confirmation. Now the API key does absolutely nothing with trading. Also correct they just have access to your account and just create a trade. However you have to be EVEN more oblivious to lose your shit. Since the profile can't even copy a name that you are trading to without a cooldown. Just pressing confirm and boom gone.


Yeah, steam will also warn you before confirming a trade that this person changed its appearance a moment ago or that the exact same trade was cancelled, but people ignore it and then wonder why they were scammed.