Account Security Update

April 11th 2018

Today, we're making some changes to the way two-factor auth operates, as well as slightly changing how you manage the email addresses associated with your account.

First, a brief explanation of the way the two-factor auth system worked before today. After setting up two-factor, you are asked to enter a code upon login, as well as whenever you must enter "sudo mode". Sudo mode is simply "elevated privileges" on your account. For example, to request a payout, change your email, set an item's price, etc., you must be in sudo mode (or not have two-factor auth enabled). To enter sudo mode, you are prompted for a code from your two-factor app. Sudo mode persists (for a single login session / IP) for a few hours before requiring another code to perform elevated actions.

Sudo mode is designed to increase account security beyond the initial login gate; requiring an additional code ideally stops most phishing attacks. However, there are still scenarios in which unauthorized access to an account can be devastating; for example, changing your payout email requires sudo mode, but if you are sudo'd or don't have two-factor, there is no further verification required. The same is true for requesting a payout.

To solve these issues, we're making some changes to two-factor as well as how you change your payout email.

If you use two-factor, here's what changes for you:

  • Certain actions, such as changing your payout email or requesting a payout, will require a unique (never used before) two-factor code every time, regardless of your sudo state.
  • We've slightly updated the two-factor code entry dialog to better report errors with authentication.
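
A sketch of how the rule in the first bullet can sit alongside sudo mode, as an added example and not Marketplace.tf's own code. It assumes standard TOTP (RFC 6238, HMAC-SHA1, 30-second steps), a three-hour sudo lifetime, and hypothetical action names; the per-session / per-IP binding of sudo mode is left out.

```python
import hashlib
import hmac
import struct

STEP = 30            # seconds per TOTP time step (RFC 6238 default)
SUDO_TTL = 3 * 3600  # assumed value for the "few hours" sudo lifetime
SENSITIVE = {"change_payout_email", "request_payout"}  # hypothetical action names


def totp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a time-step counter, i.e. RFC 6238 TOTP."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Account:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1  # highest time step whose code was accepted
        self.sudo_until = 0.0

    def verify_code(self, code: str, now: float) -> bool:
        """Accept a code once only: its step must be newer than any used step."""
        current = int(now) // STEP
        for step in (current - 1, current):  # tolerate one step of clock drift
            if step > self.last_used_step and hmac.compare_digest(
                totp(self.secret, step), code
            ):
                self.last_used_step = step
                return True
        return False

    def enter_sudo(self, code: str, now: float) -> bool:
        if self.verify_code(code, now):
            self.sudo_until = now + SUDO_TTL
            return True
        return False

    def authorize(self, action: str, now: float, code: str = "") -> bool:
        if action in SENSITIVE:
            # Sudo state is ignored: a fresh, never-used code is always required.
            return bool(code) and self.verify_code(code, now)
        return now < self.sudo_until
```

Because the code that opened the sudo session is already marked as used, a phished session plus that same code cannot authorize a payout; the attacker would need a second, newer code.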

Here's what changes for everybody:

  • Changing your payout email now requires that you confirm the change through a link sent to your account's primary email address. This is in addition to any potential two-factor requirements for the change. 
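
One way to implement the confirmation step above, as an added example and not Marketplace.tf's own code. The class name, the one-hour link lifetime, and storing only a hash of the token are assumptions; the `outbox` list stands in for a real mail sender.

```python
import hashlib
import secrets

LINK_TTL = 3600  # assumed one-hour validity for the confirmation link


class PayoutEmailChange:
    """Holds a requested payout email until the primary address confirms it."""

    def __init__(self, primary_email: str, payout_email: str):
        self.primary_email = primary_email
        self.payout_email = payout_email
        self.pending = None  # (sha256 of token, new address, expiry time)
        self.outbox = []     # stand-in for a mail sender: (recipient, token)

    def request_change(self, new_email: str, now: float) -> None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored, so a database leak does not yield live links.
        self.pending = (digest, new_email, now + LINK_TTL)
        # The link goes to the existing primary address, never to the new one.
        self.outbox.append((self.primary_email, token))

    def confirm(self, token: str, now: float) -> bool:
        if self.pending is None:
            return False
        digest, new_email, expiry = self.pending
        supplied = hashlib.sha256(token.encode()).hexdigest()
        if now > expiry or not secrets.compare_digest(supplied, digest):
            return False
        self.payout_email = new_email
        self.pending = None  # single use: a replayed link finds nothing pending
        return True
```

The payout address stays unchanged until `confirm` succeeds, so control of a logged-in session alone is not enough to redirect payouts.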

We highly recommend that you use two-factor on your Marketplace.tf account. To set up two-factor authentication, click here. If you sell items or retain any credit on Marketplace, these are inherently at risk if you do not use two-factor authentication. We are committed to account security, but it's a two-way street: your account is most secure when you take the steps provided to protect it.

PSA: Your Steam account may be at risk

April 8th 2018

In the past few weeks, we have seen a growing number of users lose their items to a sophisticated new attack designed to bypass the Steam Mobile Authenticator. What's worse, the attack makes it appear as if legitimate traders and services have scammed users, when in fact these legitimate traders never received any trades at all.

Here's how the attack works:

  1. The attacker manages to get the victim to enter their Steam username and password on a phishing website; additionally, they gain a single login code as part of the phish. Although they can now log in and control your account, they do not have the ability to confirm trades.
  2. Sometime after gaining access to your account, the attacker poses as a trader, asking the victim to trade their items to a trade service, such as Marketplace.tf. The user is instructed to click the deposit link directly from Marketplace.tf, which leads them to the trade offer page of a legitimate Marketplace.tf bot. The user sends a trade offer depositing their items to a real Marketplace.tf bot. Nobody has been scammed yet.
  3. As soon as the user sends the trade offer to the real bot, the attackers cancel the trade offer (remember, they have access to the victim's account, just not their mobile authenticator app) and send an identical trade offer to a different account that looks exactly like the intended recipient.
  4. By the time the victim has loaded their Steam Mobile Authenticator confirmations page, the trade offers will already have been swapped. They will see a confirmation for a trade that looks exactly like the one they sent to the real recipient -- but it's the fake one. They confirm it, and their items are never seen again.

It's important to note that this process can be done for any trade offer your account sends after being hijacked -- any time you send an item to someone else, they could swap the trade offers and you would be none the wiser. 

Therefore, if your account has been hijacked, simply avoiding trading with bots or suspicious individuals is not adequate protection. Phishing sites can be extremely convincing and anyone can fall victim to them. After being hijacked, any trade offer you send can be hijacked.

What to Do

Don't worry: there are simple ways to protect yourself.

  • Change your password. This will force their current login session on your account to be terminated. They will lose access to your account, and you will be safe. Even if you don't think you've been hijacked you should consider changing your password. Additionally, changing your password does not give you a temporary trade suspension, as many believe; rather, resetting your password through the "forgot password" menu temporarily suspends you from trading on Steam. Properly changing your password has no penalty.
  • Revoke API Keys. Many times, the account hijackers will set up an API key on your account in order to efficiently control it. Click here to see if your account has an API key registered to it. If so, you should probably revoke it. Unless you specifically remember setting up your API key for a specific task, you do not need one. Even if you do need one, the attackers have almost definitely stolen it, so you should generate a new one to ensure they cannot use it.
  • Avoid Phishing Websites. I know, easier said than done. That said, there's one way to be 100% safe with Steam logins: whenever a webpage asks for your Steam account credentials, visit the official Steam website in a new tab, and log into it. Then go back to the other website and try logging in through Steam; if it is a legitimate Steam login page, you will not be asked for your username / password; it will simply be a "Sign In" button. This is because you will have already logged into the official Steam website. If it asks for a username or password, you should not log into the website.

It's important to note that it is very difficult to know if your account has been hijacked. If you find your account has an API key attached to it (as mentioned above), and you don't remember setting it up, it's very possible your account has been compromised. Changing your password and revoking your API key will restore your account's security.

Introducing GeelCoin

April 1st 2018

For our first major feature update of 2018, I'm extremely excited to introduce to you all GeelCoin! GeelCoin is a revolutionary new crypto-cryptocurrency that turbocharges the exchange of virtual goods. Read on for more details.

 

We started by asking ourselves one simple question: "What does the world need?" The answer was immediately clear: the world needs a blockchain-based cryptocurrency tied to Steam items. This amazing new coin will allow us to exert an unprecedented amount of control over the Steam economy, which is good for you as a consumer.

 

To kickstart GeelCoin's adoption, Marketplace.tf now accepts GeelCoin as a payment option. This strategic partnership between ourselves is extremely exciting, and we're very happy with it. 

 

GeelCoin miners will be available through our upcoming cloud-based, Cryptocurrency-as-a-Service platform InfiniGeeler. Basic subscription packages will start at $10/month and guarantee at least 50 GigaGeels of computation power.

Win Marketplace.tf Gift Cards during TF2PL Season 2

March 31st 2018

 

TF2 ProLeague (or TF2PL) is TF2's latest up-and-coming competitive scene. Running on the FACEIT platform, TF2PL offers ranked play at all stages of competitive experience -- from Beginner to Invite. Starting with Season 2, they're opening up their European League for public play.

Also coming with Season 2 is an official ScrapTF Sponsorship! Thanks to ScrapTF, $1,500 of Marketplace.tf Gift Cards will be up for grabs by everyone on TF2PL.

Here's how it works: at the end of a match, every player on the winning team has a chance to win a Marketplace.tf gift card, which can be activated by the winner, or the code can be given as a gift to friends. Every division is eligible to win gift cards, so why not try it out?

Important things to know:

  • You must register properly through tf2pl.com before you can begin playing matches.
  • You must have logged into Marketplace.tf and added + verified an email address. This is so we can attribute your card to your account and email you when you have won a prize.
  • Every player has the same chance to win a card, regardless of division or location.
  • Each match is processed for potential winners 1-2 minutes after it concludes.
  • Season 2 runs from April 1st, 2018 to May 1st, 2018 PST. Basically just the month of April in PST.

Enjoy!

Address Verification

February 22nd 2018

Note: the limited-time free key promotion has ended. Free keys are no longer available for verifying your address.

Starting today, you'll notice a new section on your account page: Verified Billing Addresses. Simply put, you can now verify your billing address on Marketplace.tf. This helps us keep Marketplace.tf safe from fraud and increases our trust in your account, helping you speed through checkout uninterrupted. Plus, you can get a free key! Read on for more details.

How it works

To begin the address verification process, enter your current address on the address verification page. We'll utilize the magic of the United States Postal Service to send you a postcard containing a unique verification code -- free of charge. When it arrives, follow the instructions on the card and your address will be verified. It's quite easy!

For US-based customers, expect your verification postcard within 5 business days. International deliveries may vary.

 

Spam & Privacy

Besides the verification process outlined above, we will never send you unwanted mail. To be clear, "unwanted mail" refers in this instance to any mail you have not explicitly requested. At the moment, we only send verification postcards; in the future, it is possible we will have additional features involving mail delivery -- which users would explicitly opt into. Basically, we're not going to be spamming you.

We will never share your address information with outside parties except as required by law or as required for the operation of this website (read: to actually send you the postcard, we've got to give your address to someone).

 

But Why?

As part of our services, we provide 100% fraud protection to sellers. Put short: if there's a chargeback, we cover it. This means we need to take certain measures to prevent fraud. In most instances, a simple card verification -- involving two random charges -- is sufficient. However, in cases with high fraud potential, we sometimes ask users to verify their identity through other means. Currently, this means we request documents verifying their identity. 

While this is certainly helpful for cutting back on fraud, it isn't particularly great for the end user (trust me, we don't love having to screen orders for fraud either). To this end, we hope address verification can be a happy medium between the strength of identity verification and speed. It doesn't require the user provide us with any information we don't already have, it just requires a little patience on the front end. Once you're through address verification, you don't need to do it again.

Ideally, users would verify their address in the background while they begin their usage of Marketplace.tf. Even if it's not immediately necessary, it's a great way to indicate trustworthiness and heavily reduce the chances that an order will be held. To that end, read on for details about the free key!

 

Free Key

Now, for the moment you've all skipped ahead to. To claim your free key, simply verify your address. Once you've successfully verified your address, you'll be granted a $2.00 Marketplace.tf Gift Card, enough for one free key (and then some).

There are, of course, some rules:

  • You must be verifying an address for the first time. That means only one gift card per account or per address. 
  • You must have placed at least one order with Marketplace.tf.

These conditions are simply to prevent potential abuse vectors of the free key. This is why we can have nice things.

 

That's it! If you have any questions or concerns, consider joining our Discord or subreddit.