Today, we're making some changes to the way two-factor auth operates, as well as slightly changing how you manage the email addresses associated with your account.
First, a brief explanation of the way the two-factor auth system worked before today. After setting up two-factor, you will be asked to enter a code upon login, as well as when you must enter "sudo mode". Sudo mode is simply "elevated privileges" on your account. For example, to request a payout, change your email, set an item's price, etc., you must be in sudo mode (or not have two-factor auth enabled). To enter sudo mode, you are prompted for a code from your two-factor app. Sudo mode persists (for a single login session / IP) for a few hours before requiring another code to perform elevated actions.
Sudo mode is designed to increase account security beyond the initial login gate; requiring an additional code ideally stops most phishing attacks. However, there are still scenarios in which unauthorized access to an account can be devastating; for example, changing your payout email requires sudo mode, but if you are sudo'd or don't have two-factor, there is no further verification required. The same is true for requesting a payout.
To solve these issues, we're making some changes to two-factor as well as how you change your payout email.
If you use two-factor, here's what changes for you:
Here's what changes for everybody:
We highly recommend that you use two-factor on your Marketplace.tf account. To set up two-factor authentication, click here. If you sell items or retain any credit on Marketplace, these are inherently at risk if you do not use two-factor authentication. We are committed to account security, but it's a two-way street: your account is most secure when you take the steps provided to protect it.
In the past few weeks, we have seen a growing number of users lose their items to a sophisticated new attack designed to bypass the Steam Mobile Authenticator. What's worse, the attack makes it appear as if legitimate traders and services have scammed users, when in fact these legitimate traders never received any trades at all.
Here's how the attack works:
It's important to note that this process can be done for any trade offer your account sends after being hijacked -- any time you send an item to someone else, they could swap the trade offers and you would be none the wiser.
Therefore, if your account has been hijacked, simply avoiding trading with bots or suspicious individuals is not adequate protection. Phishing sites can be extremely convincing and anyone can fall victim to them. After being hijacked, any trade offer you send can be hijacked.
Don't worry: there are simple ways to protect yourself.
It's important to note that it is very difficult to know if your account has been hijacked. If you find your account has an API key attached to it (as mentioned above), and you don't remember setting it up, it's very possible your account has been compromised. Changing your password and revoking your API key will restore your account's security.
For our first major feature update of 2018, I'm extremely excited to introduce to you all GeelCoin! GeelCoin is a revolutionary new crypto-cryptocurrency that turbocharges the exchange of virtual goods. Read on for more details.
We started by asking ourselves one simple question: "What does the world need?" The answer was immediately clear: the world needs a blockchain-based cryptocurrency tied to Steam items. This amazing new coin will allow us to exert an unprecedented amount of control over the Steam economy, which is good for you as a consumer.
To kickstart GeelCoin's adoption, Marketplace.tf now accepts GeelCoin as a payment option. This strategic partnership between ourselves is extremely exciting, and we're very happy with it.
GeelCoin miners will be available through our upcoming cloud-based, Cryptocurrency-as-a-Service platform InfiniGeeler. Basic subscription packages will start at $10/month and guarantee at least 50 GigaGeels of computation power.
TF2 ProLeague (or TF2PL) is TF2's latest up-and-coming competitive scene. Running on the FACEIT platform, TF2PL offers ranked play at all stages of competitive experience -- from Beginner to Invite. Starting with Season 2, they're opening up their European League for public play.
Also coming with Season 2 is an official ScrapTF Sponsorship! Thanks to ScrapTF, $1,500 of Marketplace.tf Gift Cards will be up for grabs by everyone on TF2PL.
Here's how it works: at the end of a match, every player on the winning team has a chance to win a Marketplace.tf gift card, which can be activated by the winner, or the code can be given as a gift to friends. Every division is eligible to win gift cards, so why not try it out?
Important things to know:
Enjoy!
Note: the limited-time free key promotion has ended. Free keys are no longer available for verifying your address.
Starting today, you'll notice a new section on your account page: Verified Billing Addresses. Simply put, you can now verify your billing address on Marketplace.tf. This helps us keep Marketplace.tf safe from fraud and increases our trust in your account, helping you speed through checkout uninterrupted. Plus, you can get a free key! Read on for more details.
To begin the address verification process, enter your current address on the address verification page. We'll utilize the magic of the United States Postal Service to send you a postcard containing a unique verification code -- free of charge. When it arrives, follow the instructions on the card and your address will be verified. It's quite easy!
For US-based customers, expect your verification postcard within 5 business days. International deliveries may vary.
Besides the verification process outlined above, we will never send you unwanted mail. To be clear, "unwanted mail" refers in this instance to any mail you have not explicitly requested. At the moment, we only send verification postcards; in the future, it is possible we will have additional features involving mail delivery -- which users would explicitly opt into. Basically, we're not going to be spamming you.
We will never share your address information with outside parties except as required by law or as required for the operation of this website (read: to actually send you the postcard, we've got to give your address to someone).
As part of our services, we provide 100% fraud protection to sellers. Put short: if there's a chargeback, we cover it. This means we need to take certain measures to prevent fraud. In most instances, a simple card verification -- involving two random charges -- is sufficient. However, in cases with high fraud potential, we sometimes ask users to verify their identity through other means. Currently, this means we request documents verifying their identity.
While this is certainly helpful for cutting back on fraud, it isn't particularly great for the end user (trust me, we don't love having to screen orders for fraud either). To this end, we hope address verification can be a happy medium between the strength of identity verification and speed. It doesn't require the user provide us with any information we don't already have, it just requires a little patience on the front end. Once you're through address verification, you don't need to do it again.
Ideally, users would verify their address in the background while they begin their usage of Marketplace.tf. Even if it's not immediately necessary, it's a great way to indicate trustworthiness and heavily reduce the chances that an order will be held. To that end, read on for details about the free key!
Now, for the moment you've all been waiting for skipped ahead to. To claim your free key, simply verify your address. Once you've successfully verified your address, you'll be granted a $2.00 Marketplace.tf Gift Card, enough for one free key (and then some).
There are, of course, some rules:
These conditions are simply to prevent potential abuse vectors of the free key. This is why we can have nice things.
That's it! If you have any questions or concerns, consider joining our Discord or subreddit.