By Mark A Gregory, RMIT University
One of the world’s largest online video gaming networks, Steam, has been hacked and its 35 million users may have had their accounts “compromised”. And yes, “compromised” means their (encrypted) credit card details may have been stolen.
At the risk of asking the obvious, have we finally reached the moment for stricter regulation of e-commerce, the buying and selling of products online? In Australia, the amount of cash spent in this way now sits at around AU$30 billion a year; globally, online spending is projected to reach US$1.24 trillion a year by 2015.
Staff at the game company Valve, which owns and operates Steam, uncovered an intrusion into a user database while investigating a security breach of its discussion forums earlier this month. At first the firm said the discussion groups were offline for maintenance.
But a message posted on Steam by Valve co-founder Gabe Newell last week revealed the sites were shut down because of defacement – and that the breach may have gone beyond the company’s discussion forums.
The worst of times
The Steam hack comes in an already bad year for internet companies and their reputations for data management – not least the Sony PlayStation Network, which saw 77 million accounts compromised by hackers in May.
E-commerce sites have become something of a staple for hackers. Even security firms offering security devices that are meant to protect customers by providing second-level log-in security have been hacked.
The hackers, in the case of Steam, gained access to “information including user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information”.
Newell stated that he was “truly sorry”, and tried to assure users that, “We don’t have evidence of credit card misuse at this time. Nonetheless you should watch your credit card activity and statements closely”.
Yet another company closing the stable door after the horse has bolted.
The big question I’d be asking myself as a user is: will Valve take responsibility for any losses incurred by me? No information has been issued on this as yet.
Newell recommended Steam and forum account passwords be changed, but was not going to “force” users to do this.
Steam account passwords can be different to the forum passwords, which is why he added: “if you have used your Steam forum password on other accounts you should change those passwords as well”.
One golden rule should be instilled, very clearly, in everyone’s mind: you should never, under any circumstances, use the same password for more than one site on which you use your credit card.
There are solutions, provided there is will – and it’s getting hard to argue against doing something urgently.
Credit card companies should force large and medium e-commerce sites to utilise secondary security such as tokens or SMS confirmation when users log in. Some of the Australian banks now offer secondary security and this should be replicated throughout e-commerce more generally.
Further regulation of e-commerce providers is necessary – internet crime is growing and governments need to act now to reverse this trend.
Mark A Gregory does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations.