Delay self-locking tool use after new email to prevent abuse
Hackers/Phishers are changing emails twice on stolen accounts and using the self-locking tool within minutes to prevent use by the original account owners. This could easily be circumvented by adding a 1-7 day delay for use of the self-locking tool by newly added emails after the primary setup email. This would give a significant window where the original account owner can learn of the self-locking tool and use it properly.
Showing 1-15 of 21 comments
Or people could learn to secure their account(s) / devices and not visit shady websites. That would be a lot easier.

Accounts are only ever hijacked due to poor security on the owner's part.
Last edited by Hey Im Recon; 26 Jun at 11:59
So you want to limit my security options because you can't keep your account secure? Hard pass.
How does removing this benefit the user? I am afraid I do not understand. If the account is locked, the hijacker cannot access it also, correct? And the owner should be obviously alert to enemy action and capable of working to recover the account in this time. How does removing this do anything but provide the enemy unimpeded access to the account?

Originally posted by Lone Wolf:
Or people could learn to secure their account(s) / devices and not visit shady websites. That would be a lot easier.

Accounts are only ever hijacked due to poor security on the owner's part.
If this is the standard, there is no need for a self lock system to begin with.
Adding a delay to the self-locking tool defeats the purpose of the self-locking tool
Originally posted by William Shakesman:
How does removing this benefit the user? I am afraid I do not understand. If the account is locked, the hijacker cannot access it also, correct? And the owner should be obviously alert to enemy action and capable of working to recover the account in this time. How does removing this do anything but provide the enemy unimpeded access to the account?

Originally posted by Lone Wolf:
Or people could learn to secure their account(s) / devices and not visit shady websites. That would be a lot easier.

Accounts are only ever hijacked due to poor security on the owner's part.
If this is the standard, there is no need for a self lock system to begin with.
Hijackers are locking accounts instantly by changing emails TWICE and using the self-locking feature themselves before the original owner gets a chance to. They then unlock it later on and cheat on it or sell it or whatever.

Originally posted by Lone Wolf:
Or people could learn to secure their account(s) / devices and not visit shady websites. That would be a lot easier.

Accounts are only ever hijacked due to poor security on the owner's part.
That's silly. Of course they SHOULD but they don't. This is about foolproofing, not mocking people like a ...... waste of time.
Originally posted by z333nja:
Originally posted by William Shakesman:
How does removing this benefit the user? I am afraid I do not understand. If the account is locked, the hijacker cannot access it also, correct? And the owner should be obviously alert to enemy action and capable of working to recover the account in this time. How does removing this do anything but provide the enemy unimpeded access to the account?


If this is the standard, there is no need for a self lock system to begin with.
Hijackers are locking accounts instantly by changing emails TWICE and using the self-locking feature themselves before the original owner gets a chance to. They then unlock it later on and cheat on it or sell it or whatever.

I don't want to REMOVE the self-locking tool, I want it to work normally for the primary user, but NOT send locking links to an email that has just been changed. ONLY to emails that have been linked for, say, 3-7 days already.

Originally posted by Lone Wolf:
Or people could learn to secure their account(s) / devices and not visit shady websites. That would be a lot easier.

Accounts are only ever hijacked due to poor security on the owner's part.
That's silly. Of course they SHOULD but they don't. This is about foolproofing, not mocking people like a ...... waste of time.
Originally posted by Tito Shivan:
Adding a delay to the self-locking tool defeats the purpose of the self-locking tool
You're misunderstanding. A delay to NEWLY ADDED/CHANGED emails getting a self-locking link. No change for emails that have been linked for 3-7 days or more.
Originally posted by nullable:
So you want to limit my security options because you can't keep your account secure? Hard pass.
No, I want to limit ABUSE of security options by NEWLY ADDED contact info. There would be no change to normal use of the self-locking tool.
Originally posted by z333nja:
Originally posted by Tito Shivan:
Adding a delay to the self-locking tool defeats the purpose of the self-locking tool
You're misunderstanding. A delay to NEWLY ADDED/CHANGED emails getting a self-locking link. No change for emails that have been linked for 3-7 days or more.
You're misunderstanding.

I notice my account has been hijacked and the email has been changed. With your implemented cooldown, I now must wait and allow the hijacker full access to my account for a week before I can lock them out of my account. How is that beneficial to me?
Originally posted by z333nja:
Originally posted by William Shakesman:
How does removing this benefit the user? I am afraid I do not understand. If the account is locked, the hijacker cannot access it also, correct? And the owner should be obviously alert to enemy action and capable of working to recover the account in this time. How does removing this do anything but provide the enemy unimpeded access to the account?


If this is the standard, there is no need for a self lock system to begin with.
Hijackers are locking accounts instantly by changing emails TWICE and using the self-locking feature themselves before the original owner gets a chance to. They then unlock it later on and cheat on it or sell it or whatever.
If a supposed security feature ends up being used by enemies to aid them in their bad deeds, that does sound like a design failure on Valve's part. I have little knowledge of the feature but it sounds like Valve is an inadvertent helper in preventing victims of this specific vector from retrieving their account assuming there is not something we are missing.
Originally posted by William Shakesman:
If a supposed security feature ends up being used by enemies to aid them in their bad deeds, that does sound like a design failure on Valve's part.
Not really.
If a burglar locks you out of your car, is it a design failure of the locks?

Originally posted by z333nja:
Hijackers are locking accounts instantly by changing emails TWICE
What's the point of changing the mail TWICE?
Originally posted by z333nja:
Hackers/Phishers are changing emails twice on stolen accounts and using the self-locking tool within minutes to prevent use by the original account owners. This could easily be circumvented by adding a 1-7 day delay for use of the self-locking tool by newly added emails after the primary setup email. This would give a significant window where the original account owner can learn of the self-locking tool and use it properly.
Take proper care of the account.

I am going out on a limb and say that the person who "messaged you bro" is the same person who claims they will not message people regarding trades, one thing led to another and account details were entered where they should not be.
Last edited by The Living Tribunal; 26 Jun at 15:44
Originally posted by z333nja:
Originally posted by nullable:
So you want to limit my security options because you can't keep your account secure? Hard pass.
No, I want to limit ABUSE of security options by NEWLY ADDED contact info. There would be no change to normal use of the self-locking tool.

If I add new contact info and want to lock my account, that's not abuse. So again, you want to limit my security options because you can't keep your account secure? No thank you.
Originally posted by Tito Shivan:
Originally posted by William Shakesman:
If a supposed security feature ends up being used by enemies to aid them in their bad deeds, that does sound like a design failure on Valve's part.
Not really.
If a burglar locks you out of your car, is it a design failure of the locks?
Comparing physical analogies to digital products always leads people to errors. You may as well be doing the usual bit where people ask to sell used Steam games with this.

Doubly so when they miss the mark, if you insist on the asinine car analogy it is more akin to saying the anti-theft device prevents your key from working when you attempt to retrieve the car.

We only have an accusation from OP but it might be helpful to understand the charge he is making. You could only ever change the email if you already had access to the account, so, as before, if the answer is "don't get hijacked" there is zero purpose then for the lockout feature to begin with and this entire conversation is pointless. Otherwise, what is the success case of this feature supposed to look like then?
Originally posted by William Shakesman:
there is zero purpose then for the lockout feature to begin with
There is purpose. It's a damage reduction feature.