After hackers distribute malware in game updates, Steam adds SMS-based security check for developers



Valve, the company behind the Steam video game platform, has announced a new security feature after multiple reports of game updates being poisoned with malware.

Last month, some game players reported receiving messages from Steam’s support team telling them that updated games they played via the platform had contained malware.

Valve claimed that fewer than 100 people had downloaded the malware-laced games – a figure that, of course, is impossible to independently verify.

One of the games said to have been affected was “NanoWar: Cells VS Virus”, by developer Benoit Fresion. Fresion posted on Twitter that his Steam developer account had been compromised by malware that had stolen session cookies from his browser.

The new SMS-based security feature will see game developers receive a confirmation code via a text message as they attempt to log into any account which can update a new build for a released app. If the person attempting to access the developer account doesn’t enter the correct confirmation code, they won’t be able to log in.

In short, it’s a way of adding an additional level of verification beyond a simple username and password. But, unfortunately, it isn’t the best way to do it.

As we have discussed before, SMS-based two-factor authentication can be bypassed by a determined attacker through a SIM swap attack.

If a criminal can successfully trick a mobile carrier into switching a phone number to a different SIM card (perhaps through social engineering to impersonate the true owner of the phone number) they will be automatically sent any verification codes or account recovery tokens sent to the number via SMS.

It’s easy to imagine that Steam game developers will continue to have their accounts compromised even after the SMS-based security check is introduced on October 24 2023. If a malicious hacker is determined enough they will simply SIM swap their targeted developer as part of the attack.

In my opinion, Valve would have done better to have adopted a form of two-factor authentication which wasn’t reliant on SMS messages, such as app-based TOTP (Time-based One-Time Passwords) authenticators, hardware security keys, or passkeys instead.

Don’t get me wrong. SMS-based two-factor authentication is better than no 2FA at all, but it always feels like a mistake and a missed opportunity when a stronger form of security could have been offered instead.

Valve has been criticised in the past for introducing a method of two-factor authentication called Steam Guard that, unfortunately, is a proprietary home-brewed solution which doesn’t follow industry standards.

Everyone with a Steam developer account is being advised to add their phone number to their account before October 24 2023. In Valve’s own words: “Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app.”

Clearly if you’re a game developer you now have no choice but to hand over your phone number to Valve. I’d also recommend, however, ensuring that you have adequate defences in place on the devices you use to log into your Steam developer account, and on the computers that you use to code and build your games.

Keeping your computers free from malicious attacks and intruders is essential if you are releasing software that could be used by others.


