Categories
biz

Thoughts on Steam Trade Holds (Escrow)

Valve’s Steam service is set to roll out an escrow on non-two-factor-authorized trades. They are calling this a “Trade Hold.”

Alice wants Bob’s hat and Bob wants Alice’s key. They agree to trade.

Alice has Steam Guard Mobile Authenticator (SGMA), Bob does not. After the trade, they wait three days to get their items.

At this point, it’s unknown whether Alice will be able to tell, at the point of trade, that she is risking a trade hold. It seems likely she will, and thus she could avoid it.

Problems with the system include:

  1. People without Android or iOS devices being unable to use SGMA.
  2. Automated trades via bots being unable to deal with escrow without major changes.
  3. People feeling that, generally, they are being disadvantaged due to a minority of users who fall for scams or install malware.

Valve has a scam/malware problem masquerading as a customer service problem. They have looked at improving customer service, but correctly realize that will not really solve the problem. They do need better customer service, but they also need to do more to address the problem of fraudulent trading. The escrow is supposed to be a pressure valve, to relieve some stress by limiting the damage that fraudulent traders can mete out.

Education of users is important, but simultaneously unrealistic short of Valve creating a trading simulator game that people want to play and it teaching them the hard-learned lessons of what to avoid. Users that would be helped by education either already educate themselves or will be a minority. Forcing education (e.g., through testing prior to granting trade privileges) would deter users from trading altogether.

Previously, Valve has used e-mail confirmations. This failed for hijacked accounts, because the users would simply have their e-mail accounts compromised in the hijacking. SGMA differs in that the likelihood of also compromising a mobile device is much lower.

If machine learning is mature enough, Valve may be able to leverage it to identify fraudulent trading patterns in a bulk of cases, in a manner similar to the credit card industry. It isn’t clear if it is up to this task, nor is it clear how easily Valve could implement such a filter. It seems reasonable to expect that will be a large part of their eventual strategy in fraud prevention.

What does not seem likely is Valve Customer Service becoming a pseudo-law-enforcement agency. Investigating claims of fraud and trying to uncover the realities of events after the fact is just not in the cards for a video game services company. They will undoubtedly continue to seek to prevent the fraud.

It seems reasonable to say nobody wants to wait three days for a trade to go through, including Valve who will have to keep track of the trades. But Valve also does not want to have the volume of scammed items and problems sustain their current rates or grow. So they have to keep trying stuff, even if the community feels burdened.

Some minority of users may circumvent the protections of SGMA via emulators and desktop applications implementing the HMAC technology that SGMA uses. It’s a risk, and there doesn’t seem to be an easy way to avoid it, but that user count will likely stay small, sustaining the general integrity of SGMA/trade holds.

Mobiles versus Wallets

(Calling it a phone anymore is sort of silly. Mobile makes more sense, as a shorthand for mobile device or mobile computer. Better words may come forth, but phone is dead.)

Apple, Inc. is working to bring mobile payments or digital wallets to market. These novel technologies allow you to provide payment information with a mobile computer, rather than through something like a credit card. The market position is that with vendors upgrading their point-of-sale systems to handle more modern chip-and-PIN credit card systems (a response to mass attacks on credit systems of major vendors), they might as well also add digital wallets to the mix.

So far, so good. And maybe this will spell the death of the traditional wallet as mobile payments become the norm. But that is no reason to start thinking of your mobile as your wallet. Wallets are bad enough.

The wallet problem is this: you store important, valuable, or otherwise sensitive documents in your wallet (like currency, or identification). If your wallet is lost or destroyed, you are stuck rebuilding the hoard of necessary items it held.

But one of the biggest advantages to digital storage is the ability to have redundant copies of data. If you lose your mobile, it should be a minor inconvenience. You might be sans ID, payment information, etc. for the time it takes to replace the mobile, but you should no longer need to go through the lengthy process of replacing credit cards (i.e., replacing payment data), replacing identification cards (i.e., getting a new driver’s license issued), etc.

Your mobile should be more like a pair of shoes than your wallet. If your shoes are lost or destroyed, it would be an inconvenience. But it wouldn’t be a major life disruption. If the move to digital payment does not come with some simple and fast way to transfer authority to a new device and revoke authority from an old device, and if the digital wallet becomes too much like a real wallet, it will be a disappointing missed opportunity.

That doesn’t mean that everything needs to be cloud-based, or at least not cloud-readable. It mainly means that mobile payments should still require authentication. So, at least a PIN or a biometric check. It might also prove useful to have small amounts available without authentication, with the risk of loss like cash in your wallet if you fail to report a theft before it can be spent.

So how is the mobile payment like a wallet? If pre-authenticated money is in it, it’s got a form of cash. But everything else should be locked down behind authentication. It should not be a major pain to lose it, beyond the cost or aggravation of replacing the device itself.

Even the cash-like money could be triggered only by context. For example, walking into a coffee shop could trigger the availability of what you normally spend, and excess could be revoked if you leave without spending it. Or if you use a transportation app, it could trigger the availability of the payment funds. That could either happen when you hail a cab or enter the subway, or at the time you actually get in the taxi.

And here’s the kicker: if people start buying things with mobiles, why shouldn’t they log in with them? That is, why should they keep creating new logins and passwords for each service, when they don’t have to do that to actually spend money? So at the very least, maybe something good will come from mobile payments beyond just making moving money easier.