Steam already provides all of the security needed on their side of the system. Steam can not stop users from giving away the 3 keys to their account. Any further confirmation added will be useless if they have already got access to your account, they would just disable it.

Originally posted by pckirk:

Steam already provides all of the security needed on their side of the system. Steam can not stop users from giving away the 3 keys to their account. Any further confirmation added will be useless if they have already got access to your account, they would just disable it.

An attacker can gain access to an account without access to Steam Guard, which means that he cannot conditionally sell or exchange inventory, but he can use a wallet, simply buy an item and receive funds to his account.

Originally posted by Napok:

Originally posted by pckirk:

Steam already provides all of the security needed on their side of the system. Steam can not stop users from giving away the 3 keys to their account. Any further confirmation added will be useless if they have already got access to your account, they would just disable it.

An attacker can gain access to an account without access to Steam Guard, which means that he cannot conditionally sell or exchange inventory, but he can use a wallet, simply buy an item and receive funds to his account.

No they can't. You need the accounts login name, password, and the 2FA code (that keeps changing) to get access to the account. You'd have better odds winning a big lottery jackpot than 'hacking' your way into someones account without that information.

Originally posted by JPMcMillen:

Originally posted by Napok:

An attacker can gain access to an account without access to Steam Guard, which means that he cannot conditionally sell or exchange inventory, but he can use a wallet, simply buy an item and receive funds to his account.

No they can't. You need the accounts login name, password, and the 2FA code (that keeps changing) to get access to the account. You'd have better odds winning a big lottery jackpot than 'hacking' your way into someones account without that information.

I started this discussion literally only because my account was hacked without access to Steam Guard on my phone, only the wallet was stolen through a fake purchase on the marketplace. Trivially at this stage, if I had received a confirmation on my phone that I was trying to buy something, my wallet would not have suffered. But now I am sitting with https://gtm.steamproxy.vip/market/listings/753/477310-Some%20Space%20Stuff and a receipt for this item in the amount of my entire wallet and I can’t do anything else with it.

Originally posted by Napok:

Originally posted by JPMcMillen:

No they can't. You need the accounts login name, password, and the 2FA code (that keeps changing) to get access to the account. You'd have better odds winning a big lottery jackpot than 'hacking' your way into someones account without that information.

I started this discussion literally only because my account was hacked without access to Steam Guard on my phone, only the wallet was stolen through a fake purchase on the marketplace. Trivially at this stage, if I had received a confirmation on my phone that I was trying to buy something, my wallet would not have suffered. But now I am sitting with https://gtm.steamproxy.vip/market/listings/753/477310-Some%20Space%20Stuff and a receipt for this item in the amount of my entire wallet and I can’t do anything else with it.

That will happen when you fail to keep your account secure.

Which 3rd party sites(s) have your info, I wonder.

Might want to secure your account so this doesn't happen again.

It certainly seems unusual to me that Steam has chosen to require two factor authentication for listing a 5 cent card but not for buying a $50 item. I think a lot of people's blind faith in Steam's practices haven't actually thought through what the practices actually are.

Originally posted by Napok:

Originally posted by pckirk:

Steam already provides all of the security needed on their side of the system. Steam can not stop users from giving away the 3 keys to their account. Any further confirmation added will be useless if they have already got access to your account, they would just disable it.

An attacker can gain access to an account without access to Steam Guard, which means that he cannot conditionally sell or exchange inventory, but he can use a wallet, simply buy an item and receive funds to his account.

They gain access due to a user's fault, either logging into sites that steal credentials, malware on their device, etc. It is rather delusional to believe another layer of security that the user allowed others to bypass will increase security.

At a certain point having access to an account has consequences no matter what security you slather on. Keeping your account secure is a better option than thinking of ways where giving your credentials away and avoid consequences of giving access to other people.

Originally posted by nullable:

At a certain point having access to an account has consequences no matter what security you slather on. Keeping your account secure is a better option than thinking of ways where giving your credentials away and avoid consequences of giving access to other people.

Steam has several policies in place that incovenience the user already precisely to protect accounts already compromised, and users on this board feel that more functionality still should be denied to protect accounts already compromised. This specific request is certainly more reasonable and more targetted to actual consequences of financial value than some other policies used by Steam or championed by the users of this forum.

+ More security to the user, not that I need it myself today but, who knows?

I don't see an issue with this as long as it was set up where it's not every small purchase on the market. Something like x.xx dollar amount triggers it (say $1 or whatever arbitrary number) and x amount of purchases in y time to prevent a mass amount of low value purchases.

I get that ultimately it is the user's responsibility to secure their account, but you can still do things to mitigate the damage knowing that inevitably a percentage of users will be phished and not a small amount given the sheer size of the player base. If you can do this with minimal inconvenience to the majority of your user base, then I don't see much reason not to.

Originally posted by Napok:

Originally posted by JPMcMillen:

No they can't. You need the accounts login name, password, and the 2FA code (that keeps changing) to get access to the account. You'd have better odds winning a big lottery jackpot than 'hacking' your way into someones account without that information.

I started this discussion literally only because my account was hacked without access to Steam Guard on my phone, only the wallet was stolen through a fake purchase on the marketplace. Trivially at this stage, if I had received a confirmation on my phone that I was trying to buy something, my wallet would not have suffered. But now I am sitting with https://gtm.steamproxy.vip/market/listings/753/477310-Some%20Space%20Stuff and a receipt for this item in the amount of my entire wallet and I can’t do anything else with it.

Accounts don't get hacked, but hijacked via phishing or malware. And yes, that is entirely the responsibility of the account owner, in this case you.

Keep your account secure and there is no issue.

Originally posted by Napok:

I started this discussion literally only because my account was hacked without access to Steam Guard on my phone,

Accounts are PHISHED not hacked because the end user gave away all their account details.

The account name, the password and the KEY to the door, the Steam Guard Mobile code, or scanning the QR code or authorising via fingerprint giving them access to the account.

How? by either logging into a known scam site or sites, tailored malware on your PC, the vote for my team scam, you have a pending ban scam on Discord, free knife click the link etc.

How does Steam (a program) know it is not you when all the account details are correct? It doesn't, therefore any action taken on your account is seen as you doing said actions.

The alternative is not plausible:

1) Someone would have to "GUESS" your account name from "millions of possible combinations".

2) Next they would have to "GUESS" your password from "millions of possible combinations" and then match it to your account name with "millions of possible combinations".

3) And finally they would have to "GUESS" the Steam Guard Mobile code "which changes every 30 seconds" to match both your account name and password to then have access your account, or you scanned the QR code or authorised via fingerprint.

Or please explain how i have never lost access to my account in 20+ years and that includes before Steam Guard Email and Steam Guard Mobile existed.

Originally posted by Crazy Tiger:

Originally posted by Napok:

I started this discussion literally only because my account was hacked without access to Steam Guard on my phone, only the wallet was stolen through a fake purchase on the marketplace. Trivially at this stage, if I had received a confirmation on my phone that I was trying to buy something, my wallet would not have suffered. But now I am sitting with https://gtm.steamproxy.vip/market/listings/753/477310-Some%20Space%20Stuff and a receipt for this item in the amount of my entire wallet and I can’t do anything else with it.

Accounts don't get hacked, but hijacked via phishing or malware. And yes, that is entirely the responsibility of the account owner, in this case you.

Keep your account secure and there is no issue.

This is not Valve's policy. If it were, they would not have implemented the mobile app to begin with or forced it to be used on the market so constantly. Valve clearly does not operate on this premise, and neither do most users on this board. And that's a good thing. It is their site and they may protect the users as they see fit.

Adding extra confirmation for Steam Wallet purchases is more than a security tweak it reflects the deeper need to protect trust and value within the system. From the perspective of pure awareness, each safeguard honors the interconnectedness of users, accounts, and transactions, allowing actions to unfold consciously. Strengthening protections aligns with the infinite possibilities of preventing harm, showing care and unconditional respect for both individual effort and shared digital space.