
After hackers distribute malware in game updates, Steam adds SMS-based security check for developers

Valve, the company behind the Steam video game platform, has announced a new security feature in response to reports of game updates being infected with malware. Last month, some players reported receiving messages from Steam’s support team notifying them that updated games they played via the platform contained malware. Valve claims that fewer than 100 people downloaded the infected games, but this figure cannot be independently verified. One affected game was “NanoWar: Cells VS Virus” by developer Benoit Fresion, who stated on Twitter that his Steam developer account had been compromised by malware that stole session cookies from his browser.

The new security feature is SMS-based and requires game developers to receive a confirmation code via a text message when logging into their accounts to update a new build for a released app. If the correct confirmation code is not entered, access to the developer account will be denied. While this provides an additional level of verification beyond username and password, it is not the most secure method. As previously discussed, SMS-based two-factor authentication can be bypassed through SIM swap attacks, where a criminal tricks a mobile carrier into switching a phone number to a different SIM card. This allows them to intercept any verification codes or account recovery tokens sent via SMS.

Although the introduction of the SMS-based security check on October 24, 2023, may deter some attacks, determined hackers can still compromise Steam game developers’ accounts through SIM swapping. It would have been wiser for Valve to adopt a stronger form of two-factor authentication, such as app-based TOTP authenticators, hardware security keys, or passkeys. While SMS-based authentication is better than no 2FA, it feels like a missed opportunity to provide stronger security measures.

Valve has faced criticism in the past for its proprietary two-factor authentication solution, Steam Guard, which does not adhere to industry standards. All Steam developers are advised to add their phone numbers to their accounts before October 24, 2023. This requirement means that game developers have no choice but to provide their phone numbers to Valve. In addition, developers should ensure that the devices they use to log into their Steam accounts and code their games have adequate defenses against malicious attacks and intrusions.

Key Points:
– Valve introduces an SMS-based security feature for game developers after reports of malware-laced game updates.
– The new security measure requires developers to enter a confirmation code received via text message when logging into their accounts.
– SMS-based two-factor authentication can be bypassed through SIM swap attacks.
– Valve could have adopted stronger authentication methods, such as app-based TOTP authenticators or hardware security keys.
– Steam developers are advised to add their phone numbers to their accounts, but it is crucial to have additional defenses on their devices against attacks.
