From the beginnings of CS:GO trading, the community was always plagued with numerous scammers. The collective efforts to weed out the dishonest users were undertaken and many methods employed by the phishing websites have become regonized in the community, yet even a veteran skill trader can fall prey to scams.
One of the most popular and most advanced methods is the Web API Key Scam but can be quite easy to catch once you know what exactly it’s all about.
How Steam API Key Scam usually looks like
The scam we’re talking about can be simplified to several steps that follow.
- The scammer targets a popular marketplace or similar service that uses Steam account to log in and creates its copy under a near-identical web address, even going as far as advertising it.
- Potential users that fall for the fake webiste use their Steam credentials to log in, thus providing scammers with access to their account and allowing them to prop the Steam Guard and monitor user’s actions via Web API key.
- Once a compromised user initiates or recieves a legitimate trade offer, the scam bot automatically cancels the trade and initiates its own fake offer. Scammers make sure that their bots have the same name and/or avatar as the trading service bots have.
- Since the fake offer looks the same (it has the same trade in the message) and the real trade was already canceled the user accepts the fake offer giving away his/her skins and valuables for free.
- If the trader looks into the trading history, he/she will see a two almost identical offer, the real one being rejected.
Is there a way to undo such a scam?
This one will be a hard-hitter, but no, there’s no way to turn back time here. If you accepted a trade, according to all terms and conditions – both Steam’s and any other services’ – you did it willingly and took responsibility for who you trade with. Take this as a costly lesson in awareness.
De-scamming – how to regain security
This scam scenario functions for quite a while now and unfornutaley, if users don’t exercise precautions, there’s not much to do to fight it system-wise. However, there is a set procedure to follow if you’ve become a victim of API key scam to prevent scammers from further stealing your trades.
- First and foremost – change your Steam account password immediately. This should automatically log out any instances of log in that you might be unaware of.
- Go to http://store.steampowered.com/twofactor/manage and deuathorize all devices from logging in to your Steam account. This is a further precaution against anyone logging in without your knowledge.
- Go to Steam API Key page and click “Revoke My Steam Web API key”. This will turn your old API key obsolete and generate a new one. This way you make sure no one retrieves data through your Steam account’s API.
- Reset your Steam Trade URL. This will disallow scammers from sending you trade offers once you made sure they cannot access your account. Make sure to add your new Trade URL to accounts on websites that you trust so you can otherwise keep on trading as per usual.
3 Ways to protect your Steam account
For future tradings, it’s better to make sure that you don’t become a victim of similar scams anymore. Below are three things you might want to do to make your Steam account is more secure. While it won’t probably save you from all scam attempts. it will certainly help in defending against most of them.
Authenticate only via trusted websites or Steam
If a website requires you to log in with your Steam account, make sure that it does it via Steam’s popup window or widget, not some custom address. Steam interface will inform you that you’re about to use your account for a third-party website. Never give your Steam account name and password outside that.
Password and Trade URL change
Regular changes to your Steam account password and Steam Trade URL are very good ways to make sure no one is tracking you and your transactions. This is also a good way to terminate your current sessions on Steam throughout any devices and block any scam bots from accessing your account. You can alter your Steam login credentials either by clicking ‘Forgot password’ or ‘Change my password’ options. The first variant is preferable, since it allows you to continue trading on Steam without any trade suspension period.
Double check all trade offers
Whenever you’re about to accept a trade offer from a trade bot, be sure to check if the details and characteristics that the valid bot from that particular site or marketplace. Similarly, if you check your trade history and see an identical offer from an identical bot that was canceled by you without you knowing, it’s pretty sure the offer you’re seeing right now is made by scam bot.
Steam API key scam is the cockroach plague of skin trading world. It’s pervasive, hard to detect and hard to get rid of. The only thing that can really save you is your own caution and dubious following of procedures given by both Steam and third-party service regulations. In case you got scammed, there’s a way to de-scam your account to prevent further abuse. Stay safe and please, be careful.