After hackers distribute malware in game updates, Steam adds SMS-based security check for developers

Valve, the company behind the Steam video game platform, has announced a new security feature after multiple reports of game updates being poisoned with malware.

Last month, some game players reported receiving messages from Steam’s support team telling them that updated games they played via the platform had contained malware.

Valve claimed that fewer than 100 people had downloaded the malware-laced games – a figure that, of course, is impossible to independently verify.

One of the games said to have been affected was “NanoWar: Cells VS Virus”, by developer Benoit Fresion. Fresion posted on Twitter that his Steam developer account had been compromised by malware that had stolen session cookies from his browser.

The new SMS-based security feature will see game developers receive a confirmation code via a text message as they attempt to log into any account which can update a new build for a released app. If the person attempting to access the developer account doesn't enter the correct confirmation code, they won't be able to log in.

In short, it's a way of adding an additional level of verification beyond a simple username and password. But, unfortunately, it isn’t the best way to do it.

As we have discussed before, SMS-based two-factor authentication can be bypassed by a determined attacker through a SIM swap attack.

If a criminal can successfully trick a mobile carrier into switching a phone number to a different SIM card (perhaps through social engineering to impersonate the true owner of the phone number) they will automatically be sent any verification codes or account recovery tokens sent to the number via SMS.

It's easy to imagine that Steam game developers will continue to have their accounts compromised even after the SMS-based security check is introduced on October 24 2023. If a malicious hacker is determined enough they’ll simply SIM swap their targeted developer as part of the attack.

In my opinion, Valve would have done better to have adopted a form of two-factor authentication which wasn’t reliant on SMS messages, such as app-based TOTP (Time-based One-Time Passwords) authenticators, hardware security keys, or passkeys instead.

Don't get me wrong. SMS-based two-factor authentication is better than no 2FA at all, but it always feels like a mistake and a missed opportunity when a stronger form of security could have been offered instead.

Valve has been criticised in the past for introducing a method of two-factor authentication called Steam Guard that, unfortunately, is a proprietary home-brewed solution which doesn’t follow industry standards.

Everyone with a Steam developer account is being advised to add their phone number to their account before October 24 2023. In Valve’s own words: “Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app.”

Clearly if you’re a game developer you now have no choice but to hand over your phone number to Valve. I would also recommend, however, ensuring that you have adequate defences in place on the devices you use to log into your Steam developer account, and on the computers that you use to code and build your games.

Preserving your computer systems free from malicious assaults and intruders is crucial in case you are releasing software program that might be utilized by others.