Valve, the corporate behind the Steam online game platform, has introduced a brand new safety function after a number of experiences of recreation updates being poisoned with malware.
Final month, some recreation gamers reported receiving messages from Steam’s assist crew telling them that up to date video games they performed through the platform had contained malware.
Valve claimed that fewer than 100 individuals had downloaded the malware-laced video games – a determine that, after all, is inconceivable to independently confirm.
One of many video games mentioned to have been affected was “NanoWar: Cells VS Virus”, by developer Benoit Fresion. Fresion posted on Twitter that his Steam developer account had been compromised after by malware that had stolen session cookies from his browser.
The brand new SMS-based safety function will see recreation builders obtain a affirmation code through a textual content message as they try to log into any account which might replace a brand new construct for a launched app. If the individual making an attempt to entry the developer account would not enter the right affirmation code, they will not have the ability to login.
Briefly, it is a manner of including an extra stage of verification past a easy username and password. However, sadly, it is not the easiest way to do it.
As we have mentioned earlier than, SMS-based two-factor authentication may be bypassed by a decided attacker via a SIM swap assault.
If a legal can efficiently trick a cellular provider into switching a telephone quantity to a special SIM card (maybe via social engineering to impersonate the actual proprietor of the telephone quantity) they are going to be routinely despatched any verification codes or account restoration tokens despatched to the quantity through SMS.
It is simple to think about that Steam recreation builders will proceed to have their accounts compromised even after the SMS-based safety test is launched on October 24 2023. If a malicious hacker is set sufficient they’ll merely SIM swap their focused developer as a part of the assault.
In my view, Valve would have executed higher to have adopted a type of two-factor authentication which wasn’t reliant on SMS messages, resembling app-based TOTP (Time-based One-Time Passwords) authenticators, {hardware} safety keys, or passkeys as a substitute.
Do not get me improper. SMS-based two-factor authentication is healthier than no 2FA in any respect, but it surely all the time seems like a mistake and a missed alternative when a stronger type of safety might have been provided as a substitute.
Valve has been criticised up to now for introducing a way of two-factor authentication referred to as Steam Guard that, sadly, is a proprietary home-brewed answer which doesn’t comply with business requirements.
Everybody with a Steam developer account is being suggested so as to add their telephone quantity to their account earlier than October 24 2023. In Valve’s personal phrases “Sorry, however you’ll want a telephone or some approach to get textual content messages if it is advisable add customers or set the default department for a launched app.”
Clearly when you’re a  recreation developer you now don’t have any alternative however at hand over your telephone quantity to Valve. I’d additionally suggest, nevertheless, guaranteeing that you’ve got satisfactory defences in place on the units you utilize to log into your Steam developer account, and on the computer systems that you just use to code and construct your video games.
Retaining your computer systems free from malicious assaults and intruders is crucial if you’re releasing software program that could possibly be utilized by others.
