Please read! Important notice regarding Steam Accounts!

JCitron

Trainzing since 12-2003
http://www.geek.com/articles/games/...ccount-details-may-have-been-stolen-20111110/

http://www.zdnet.com/blog/hardware/...trusion/16206?tag=search-results-rivers;item1

I'm not sure how many people this affects, but be aware of this. I saw this in a tech email I receive, and felt it was important to post here since I know some people have purchased items through Steam.

The thing is it was the forums that got hacked, and user information was stolen including credit card and account information if this was stored in their profiles. They are telling people to watch their credit cards for any weird activity.

John
 
That actually happened almost 3 weeks ago, and notices were posted at trainsim.com and UKtrainsim.com in the railworks forums for everybody to watch the credit cards that STEAM had on file. No reports of credit card numbers being stolen yet, but there were a few email accounts hijacked and over at trainsim.com we got a huge influx of new spammers targeting only the railworks general forum (MSTS, BVE, Railroad Tycoon, Open Rails, and Trainz forums had zero new spammers in that same two week period that railworks was averaging 5 per day, which is why I suspect it's related). Credit card numbers are unlikely to be a problem since (1) the STEAM store is a separate server, no credit card info in the forum software, and (2) even if they did get into the store database the numbers have a 128 bit encryption which would take so long to hack that the credit cards would all be expired by the time they got the first number. A lot faster and easier to get fools to bite on the "prince in Nigeria" type scams than to crack 128 bit encryption, so most crooks wouldn't bother to try unless they were really stupid and really optimistic (is that redundant?).

Anyone with a STEAM account who is worried about it, go to the bank that issued the card and ask them to cancel the old card and issue a new one with a new number. Banks have been doing that type of thing for physically lost or stolen credit cards since credit cards were invented, long before the internet, so it won't be a major hassle.
 
Thanks, Jim.

I saw the date on the articles after I posted this. I just got the link in email today. Wonderful emails from the tech sites of ZDnet, CNet, etc.

It's still important information because people do buy Trainz and stuff through Steam.

That's pretty interesting about the spamming on the MSTS and RWks side!

John
 
That's what was odd about it, an occasional spammer gets past the security bots and usually goes for the MSTS general forum since that's the top one in the list. Our forums:

MSTS
Railworks
Railsim
Trainz
Open Rails
BVE
Railroad Tycoon
World of Subways

Along with general railroading, Raildriver tech support, PC tech and assorted other odds and ends.

And for the past 3 weeks the only forum getting hit with new spammers was Railworks general - which is the only train simulator or game that absolutely requires a STEAM account. Unlikely to be coincidental, the STEAM forum hackers probably sold some of the links data to spammers, so any website linked to in a STEAM forum post would get hit - and since Railworks general is the most likely subforum to get linked to in the STEAM forums, they go directly to that one. Taking a look now with my "moderator vision" (regular members don't see the posts since new member posts have to be approved for the first few weeks);

[Image: 63914710.jpg]


The ones in the darker color are invisible unless you're logged in as a moderator, four new ones today in RW general. Out of 37 subforums it's still the only one they're attempting to hit. We ban them as soon as we catch them, but new ones come in every day since the STEAM forum hack. Normal times you might see 3 or 4 spammers per month scattered around all the different subforums.
 
The Internet is a sewer and the stench is increasing. You may trust a vendor but is that really the vendor when you click on a link? One of these days PayPal will be hacked and that is a disaster waiting to happen. Despite all of the precautions there is always someone who will reveal the keys when offered enough money. The old days of buying from a merchant in your area at least allowed you to take some meaningful action. Today, if you have a problem you enter a maze designed to protect the vendor and discourage the customer. Have you seen the adverts on TV with Peggy answering the phone?
 
The Internet is a sewer and the stench is increasing...

Yes, cons and criminals use the Internet, too. But you'll find bad, greedy people in any large group. That's why there MUST be laws and regulations. If there was any justice, Steam's management (and owners/shareholders) would be paying big punitive damages for not properly securing their systems. That said, the Internet enriches our lives in countless ways too, in business activities and in our personal lives. Would I be enjoying beautiful routes made by talented French and Russian hobbyists if I didn't use the Internet? Or getting wise advice from sim gurus in England and Switzerland? Don't think so. Any technology can be used for good or bad ends. I think boleyd is actually complaining about human nature, not the Internet.
 
Yeah - I love those Peggy ads but it's all too sadly true. Also have you tried to talk to any sort of customer support or help support lately? I did recently and had to give up because I simply could not understand the gent on the other end. He was trying to be helpful but between his Indian or Pakistani accent and my inability to hear high frequencies (he had a high pitched voice) it was impossible (15 years working around jet engine at full power will do that to ya, lol).

Ben
 
Yes, cons and criminals use the Internet, too. But you'll find bad, greedy people in any large group. That's why there MUST be laws and regulations. If there was any justice, Steam's management (and owners/shareholders) would be paying big punitive damages for not properly securing their systems. That said, the Internet enriches our lives in countless ways too, in business activities and in our personal lives. Would I be enjoying beautiful MSTS routes made by talented French and Russian hobbyists if I didn't use the Internet? Or getting wise advice from sim gurus in England and Switzerland? Don't think so. Any technology can be used for good or bad ends. I think boleyd is actually complaining about human nature, not the Internet.

I will grant you that Human Nature sets atop the pile. But that is an age-old given. The Internet is a breeding ground that allows those who used to harbor bad thoughts or actions to now actually engage in them. Given the almost total corruption of modern governments means you cannot allow them to manage the Internet. It is up to individuals to follow good practices and hope for the best.

I also agree that companies that accept personal private data to conduct a transaction must be held to much higher liability than they are today. Here a government can strengthen laws to punish those that allow breaches. Customers simply do not know the state of the security of a site when they submit personal data to buy a virtual choo-choo. That seemingly innocent purchase has the potential to ruin your life and the poorly protected company that allowed the loss has very limited exposure. That is the core of the issue. Steam's cost in this case, if harm was done, would be trivial. How do you prove that the breach at Steam was the source that allowed someone to ruin your credit? The really big messes come by way of a bit of info from Steam added to bits of info from other sources and the crook has all the data needed to fully represent you in a very large transaction.
 
The internet is also a natural magnet for weenies - all the nerds trying to get everyone in their home town to form ranks and march to the weenie drumbeat ran out of people who would talk to them at all, so when the internet was invented they all flocked to the forums to see if they could get new people who might march to their drumbeat. :hehe: Still, beats the old ATDT3122614980 FLOW CONTROL XON/XOFF TRANSFER PROTOCOL ZMODEM and whatever else it was to log onto a bulletin board system, only to find the BBS is down for maintenance and you gotta exit the modem program and start over to dial another number.

Again if you're really worried about it go to the bank and have the credit card canceled and a new one with a different number issued, the problem and the solution existed 50 years before the internet. Before the magnetic strips were invented they used to slide a gadget over the raised numbers to print them on a piece of paper with a sheet of carbon paper - if the merchants were careless about disposal of the carbon paper, the crooks could steal the number from that and make a fake card. Solution in 1961, get the bank to cancel that card and issue a new one with a different number, solution in 2011, get the bank to cancel that card and issue a new one with a different number.
 
The internet is also a natural magnet for weenies - all the nerds trying to get everyone in their home town to form ranks and march to the weenie drumbeat ran out of people who would talk to them at all, so when the internet was invented they all flocked to the forums to see if they could get new people who might march to their drumbeat. :hehe: Still, beats the old ATDT3122614980 FLOW CONTROL XON/XOFF TRANSFER PROTOCOL ZMODEM and whatever else it was to log onto a bulletin board system, only to find the BBS is down for maintenance and you gotta exit the modem program and start over to dial another number.

Again if you're really worried about it go to the bank and have the credit card canceled and a new one with a different number issued, the problem and the solution existed 50 years before the internet. Before the magnetic strips were invented they used to slide a gadget over the raised numbers to print them on a piece of paper with a sheet of carbon paper - if the merchants were careless about disposal of the carbon paper, the crooks could steal the number from that and make a fake card. Solution in 1961, get the bank to cancel that card and issue a new one with a different number, solution in 2011, get the bank to cancel that card and issue a new one with a different number.

I almost forgot about modems..., well not really! They were great when they worked, but awful slow. In those days I used CompuServe. My old ID was 124732,251 - It's funny I still remember it after all these years! Back then my sister would hog the phone while talking to her friends for hours. (What else are sisters supposed to do, right!) After a while I'd get tired of waiting so I'd set my modem to auto dial while she was blabbering on. Hehe. The beeps and squeal would get her to hang up after lots of screaming and whinging!

I did get my Amex card number stolen once at a Chinese restaurant about 15 years ago, just before they went carbonless. The owner's nephew rummaged through the trash and got a hold of the old carbon slips before the trash was emptied. His parents and uncle caught him, and he was forced to pay back the money and write apologetic letters to everyone. My card was canceled immediately by Amex as they were contacted by the police. I wasn't responsible for any of the money spent, but I got a nice fat check for compensation! :D

John
 
It's time to give these hackers 15 year terms in state prison -- it will not stop the hardcore criminals, but those who are novice would think twice!
Ish
 
I'm not saying the Internet is safe because it isn't but you are far more likely to have your credit card number stolen in a restaurant where the waiter or waitress disappears to run the card than from an online vendor. The real problem is weak passwords. I work for an ISP and we get accounts hacked all the time and when we ask the user what password they were using we get answers like their dog's name or the street they live on. Do you want to guess how often you can find those answers on their Facebook page? Once one account is compromised, it isn't real hard to use several widely known exploits to hack the server.

Good password: 25$3polikuio%

Weak password: trainzisfun

William
 
Very wise advice. I used to work for the Military and they have a very strict protocol regarding passwords. My advice, never use anything that is personal to you in your password and always use a mix of alphas, numerics, special characters and a combination of upper/lower case and as many characters as is allowed for the password. Nothing is absolutely protected, but don't make it too easy for the hackers and thieves.

Mike
 
Here is a tip I saw that is good if you have trouble remembering passwords. Use a pattern of keys on the keyboard, throwing in the shift key every 5th character. Like this:
1qaz@wsx3Edc

Then you just have to remember the top keys 123 and the pattern you used. Which in this case is down to the right.
Can anyone see this pattern?
1q2w#e4r5T6y7u8

William
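
The keyboard pattern described above, and the personal-detail passwords mentioned earlier in the thread, are both things a password audit can test for mechanically. The check below is an added example and is not part of any post in this thread; the US QWERTY layout, the 0.7 threshold and the sample profile terms are assumptions.

```python
# Added example: flags passwords built from keyboard patterns or personal details.
# Rows of a US QWERTY layout, unshifted and shifted (assumed layout).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["!@#$%^&*()_+", "QWERTYUIOP{}", 'ASDFGHJKL:"', "ZXCVBNM<>?"]

# Map every character to its (row, column) key position; Shift does not move a key.
KEY_POS = {}
for layer in (ROWS, SHIFTED):
    for r, row in enumerate(layer):
        for c, ch in enumerate(row):
            KEY_POS[ch] = (r, c)


def walk_fraction(password):
    """Fraction of consecutive character pairs typed on the same or touching keys."""
    pairs = list(zip(password, password[1:]))
    if not pairs:
        return 0.0
    near = 0
    for a, b in pairs:
        if a in KEY_POS and b in KEY_POS:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                near += 1
    return near / len(pairs)


def audit(password, personal_terms=(), walk_threshold=0.7):
    """Return a list of findings; an empty list means neither check fired."""
    findings = []
    if walk_fraction(password) >= walk_threshold:
        findings.append("keyboard pattern")
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            findings.append("contains personal detail: " + term)
    return findings


if __name__ == "__main__":
    # Constructed samples: the two patterns from the post, plus made-up ones.
    profile = ["Rex", "Maple Street"]  # hypothetical public details
    for pw in ["1qaz@wsx3Edc", "1q2w#e4r5T6y7u8", "Rex2011!", "vT9#mB2!xQ7k"]:
        print(pw, "->", audit(pw, profile) or "no finding")
```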
 
Very wise advice. I used to work for the Military and they have a very strict protocol regarding passwords. My advice, never use anything that is personal to you in your password and always use a mix of alphas, numerics, special characters and a combination of upper/lower case and as many characters as is allowed for the password. Nothing is absolutely protected, but don't make it too easy for the hackers and thieves.

Mike

I see this all the time in usernames and in passwords when I configure people's systems for them.

There was an interesting article on how someone's innocuous log in to his local newspaper's website ended up costing the user his bank account. The guy had used the same password on all his internet logins, so once the password was compromised, the hackers had access to everything the guy owned.

So, use a different password for different things such as stronger ones for online banking, and make these more complex than those used for forums.

John
 