Valve, the company behind the Steam online game platform, has introduced a new security feature after a number of reports of game updates being poisoned with malware.
Last month, some game players reported receiving messages from Steam’s support team telling them that updated games they played via the platform had contained malware.
Valve claimed that fewer than 100 people had downloaded the malware-laced games, a figure that, of course, is impossible to independently verify.
One of the games said to have been affected was “NanoWar: Cells VS Virus”, by developer Benoit Freslon. Freslon posted on Twitter that his Steam developer account had been compromised by malware that had stolen session cookies from his browser.
The new SMS-based security feature will see game developers receive a confirmation code via a text message as they attempt to log into any account which can update a new build for a released app. If the person attempting to access the developer account doesn't enter the correct confirmation code, they won't be able to log in.
In short, it's a way of adding an additional level of verification beyond a simple username and password. But, unfortunately, it isn’t the best way to do it.
As we have discussed before, SMS-based two-factor authentication can be bypassed by a determined attacker via a SIM swap attack.
If a criminal can successfully trick a mobile carrier into switching a phone number to a different SIM card (perhaps via social engineering to impersonate the true owner of the phone number) they will automatically be sent any verification codes or account recovery tokens sent to the number via SMS.
It's easy to imagine that Steam game developers will continue to have their accounts compromised even after the SMS-based security check is introduced on October 24 2023. If a malicious hacker is determined enough they could simply SIM swap their targeted developer as part of the attack.
In my opinion, Valve would have done better to have adopted a form of two-factor authentication which wasn’t reliant on SMS messages, such as app-based TOTP (Time-based One-Time Password) authenticators, hardware security keys, or passkeys instead.
Don't get me wrong. SMS-based two-factor authentication is better than no 2FA at all, but it always feels like a mistake and a missed opportunity when a stronger form of security could have been offered instead.
Valve has been criticised in the past for introducing a method of two-factor authentication called Steam Guard that, unfortunately, is a proprietary home-brewed solution which doesn’t follow industry standards.
Everyone with a Steam developer account is being advised to add their phone number to their account before October 24 2023. In Valve’s own words: “Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app.”
Clearly if you’re a game developer you now have no choice but to hand over your phone number to Valve. I’d also recommend, however, ensuring that you have adequate defences in place on the devices you use to log into your Steam developer account, and on the computers that you use to code and build your games.
Holding your computer systems free from malicious assaults and intruders is important in case you are releasing software program that might be utilized by others.