Thoughts on Steam Trade Holds (Escrow)

Valve’s Steam service is set to roll out an escrow on non-two-factor-authorized trades. They are calling this a “Trade Hold.”

Alice wants Bob’s hat and Bob wants Alice’s key. They agree to trade.

Alice has Steam Guard Mobile Authenticator (SGMA), Bob does not. After the trade, they wait three days to get their items.

At this point, it’s unknown whether Alice could know at the point of trade whether she was risking the trade hold. It seems likely she will, and thus she could avoid it.

Problems with the system include:

  1. People without Android or iOS devices being unable to use SGMA.
  2. Automated trades via bots being unable to deal with escrow without major changes.
  3. People feeling that, generally, they are being disadvantaged due to a minority of users who fall for scams or install malware.

Valve has a scam/malware problem masquerading as a customer service problem. They have looked at improving customer service, but correctly realize that will not really solve the problem. They do need better customer service, but they also need to do more to address the problem of fraudulent trading. The escrow is supposed to be a pressure valve, to relieve some stress by limiting the damage that fraud traders can mete out.

Education of users is important, but simultaneously unrealistic short of Valve creating a trading simulator game that people want to play and it teaching them the hard-learned lessons of what to avoid. Users that would be helped by education either already educate themselves or will be a minority. Forcing education (e.g., through testing prior to granting trade privileges) would deter users from trading altogether.

Previously, Valve has used e-mail confirmations. This failed for hijacked accounts, because the users would simply have their e-mail accounts compromised in the hijacking. SGMA differs in that the likelihood of also compromising a mobile device is much lower.

If machine learning is mature enough, Valve may be able to leverage it to identify fraudulent trading patterns in a bulk of cases, in a manner similar to the credit card industry. It isn’t clear if it is up to this task, nor is it clear how easily Valve could implement such a filter. It seems reasonable to expect that will be a large part of their eventual strategy in fraud prevention.

What does not seem likely is Valve Customer Service becoming a peudo-law-enforcement agency. Investigating claims of fraud and trying to uncover the realities of events after the fact is just not in the cards for a video game services company. They will undoubtedly continue to seek to prevent the fraud.

It seems reasonable to say nobody wants to wait three days for a trade to go through, including Valve who will have to keep track of the trades. But Valve also does not want to have the volume of scammed items and problems sustain their current rates or grow. So they have to keep trying stuff, even if the community feels burdened.

Some minority of users may circumvent the protections of SGMA via emulators and desktop applications implementing the HMAC technology that SGMA uses. It’s a risk, and there doesn’t seem to be a easy way to avoid it, but that user count will likely stay small, sustaining the general integrity of SGMA/trade holds.