Security Flaw Found in Steam Guard Process
Never dish out your SSFN file.
The Inquirer reports that security firm Malwarebytes has discovered a way to steal Steam accounts by bypassing Steam Guard.
Typically, when a Steam customer tries to log in using a different PC, a different browser and/or a different device, a pop-up window will appear asking to enter a code that is delivered to the user's email address. Without this code, it's nearly impossible to log into the account.
However, in order for scammers to break into a Steam account, the victim must be driven to a fake login page. "Typically a Steam phish page asks for Username and Password, like all phish attacks - often these can be foiled by enabling Steam Guard on your account," said Malwarebytes intelligence analyst Christopher Boyd.
The fake Steam page will present the same pop-up Steam Guard window, but will ask for something different: the user's SSFN file. This file is what prevents users from having to reveal their identity through Steam Guard each time they try to log into their account via a browser. If the user deletes this file, then he/she would be required to identify themselves again, thus generating a new SSFN file.
Thus in order to get into a user's account, all hackers supposedly have to do is take that SSFN file and drop it into the Steam directory on the scammer's computer.
"We did some testing and can confirm that this technique - asking a victim to send their SSFN file to the scammer - does indeed work," Boyd explained. But if the Steam user tries to log in from a different computer or browser, they will get the original credentials request. At this point, the hacker can't get into the account unless he/she has control over the user's email address.
So why is stealing a Steam account a big deal other than acquiring a boat-load of free games?
"Compromised Steam accounts are big business, especially for those wanting to hijack accounts which have rare in-game items in their inventory. They'll 'trade' the items off to an account owned by the scammer, who will then go on to sell them for their own gain on the Steam Marketplace, buying games with the newly acquired funds in their Steam Wallet," Boyd said.
Hackers will also have access to the victim's purchase library, and be able to change the account's current email address, the current password, disable Steam Guard, change the payment info and so on. Of course, if users don't store their credit card information in Steam, that's one less thing to worry about.
Valve Software is currently aware of the issue, and the forum moderators are alerting all Steam users. Unfortunately, the report doesn't say how users end up on a fake Steam login page. Just keep in mind that if anyone asks for the SSFN file, ignore the request because handing that file over will be very bad news.

So i logically assumed the security info was stored somewhere in a file in the steam folder.
Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
I've seen warnings around, even by moderators on reddit (/r/steam) to not give out that file; about a month ago. Lots of people talking about this on different locations, so unless this was found out months ago by MalwareBytes, I don't think they deserve the credit.
Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
Kevin was on the right track but took a turn too soon. Locking the SSFN to a machines MAC address would be a much better alternative.
Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
Kevin was on the right track but took a turn too soon. Locking the SSFN to a machines MAC address would be a much better alternative.
I was ready to +1 this at first, but now I'm not to sure what you mean by this. Simply keeping the MAC address in the file wouldn't help since macs can be spoofed. The best way would be to use the MAC address as a salt in some sort of encryption scheme. It's a hell of a lot slower, but the frequency of doing this per user shouldn't cause an impact on user experience.
Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
I do not expect IPs change that often even if dynamically assigned.
I've had the same IP for months, before that years. Only reason the IP change was me replacing router.
Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
Kevin was on the right track but took a turn too soon. Locking the SSFN to a machines MAC address would be a much better alternative.
I was ready to +1 this at first, but now I'm not to sure what you mean by this. Simply keeping the MAC address in the file wouldn't help since macs can be spoofed. The best way would be to use the MAC address as a salt in some sort of encryption scheme. It's a hell of a lot slower, but the frequency of doing this per user shouldn't cause an impact on user experience.
The idea would be for Valve at login to check the file information, they know the IP address of requester, MAC address could alternatively be fetched and checked, then compare information with their own internal database. They MAC or IP would not have to be in file, although could be part of a hashing scheme.
Another drawback: IP adresses are assigned dynamically by your ISP, so you can't expect to hold onto one even in your own home for more than a few days / weeks, unless you pay for a static one.
Steam Guard remembers your PC for 30 days after a successful login (snapshot of system config). This also takes a snapshot of your MAC address. As long as those two line up you won't have a problem. Dynamic IP address or not.
Almost, not acces to the computer, just send over the SSFN file from your steam folder.