Valve, the company behind the Steam online game platform, has introduced a new security feature after a number of reports of game updates being poisoned with malware.
Last month, some game players reported receiving messages from Steam’s support team telling them that updated games they played via the platform had contained malware.

Valve claimed that fewer than 100 people had downloaded the malware-laced games, a figure that, of course, is impossible to independently verify.
One of the games said to have been affected was “NanoWar: Cells VS Virus”, by developer Benoit Fresion. Fresion posted on Twitter that his Steam developer account had been compromised by malware that had stolen session cookies from his browser.
The new SMS-based security feature will see game developers receive a confirmation code via a text message as they attempt to log into any account which can update a new build for a released app. If the person attempting to access the developer account doesn’t enter the correct confirmation code, they won’t be able to log in.
In short, it’s a way of adding an additional level of verification beyond a simple username and password. But, unfortunately, it’s not the best way to do it.
As we have discussed before, SMS-based two-factor authentication can be bypassed by a determined attacker by way of a SIM swap attack.
If a criminal can successfully trick a mobile carrier into switching a phone number to a different SIM card (perhaps by way of social engineering to impersonate the real owner of the phone number) they will be automatically sent any verification codes or account recovery tokens sent to the number via SMS.
It’s easy to imagine that Steam game developers will continue to have their accounts compromised even after the SMS-based security check is introduced on October 24 2023. If a malicious hacker is determined enough they can simply SIM swap their targeted developer as part of the attack.
In my view, Valve would have done better to have adopted a form of two-factor authentication which wasn’t reliant on SMS messages, such as app-based TOTP (Time-based One-Time Passwords) authenticators, hardware security keys, or passkeys instead.
Don’t get me wrong. SMS-based two-factor authentication is better than no 2FA at all, but it always feels like a mistake and a missed opportunity when a stronger form of security could have been offered instead.
Valve has been criticised in the past for introducing a method of two-factor authentication called Steam Guard that, unfortunately, is a proprietary home-brewed solution which doesn’t follow industry standards.
Everyone with a Steam developer account is being advised to add their phone number to their account before October 24 2023. In Valve’s own words: “Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app.”
Clearly if you’re a game developer you now have no choice but to hand over your phone number to Valve. I would also recommend, however, ensuring that you have adequate defences in place on the devices you use to log into your Steam developer account, and on the computers that you use to code and build your games.
Keeping your computers free from malicious attacks and intruders is essential if you are releasing software that could be used by others.