After hackers distribute malware in-game updates, Steam adds SMS-based security check for developers

Valve, the company behind the Steam video game platform, has announced a new security feature after multiple reports of game updates being poisoned with malware.

Last month, some game players reported receiving messages from Steam's support team telling them that updated games they played via the platform had contained malware.

Valve claimed that fewer than 100 people had downloaded the malware-laced games - a figure that, of course, is impossible to independently verify.

One of the games said to have been affected was "NanoWar: Cells VS Virus", by developer Benoit Fresion. Fresion posted on Twitter that his Steam developer account had been compromised after by malware that had stolen session cookies from his browser.

The new SMS-based security feature will see game developers receive a confirmation code via a text message as they attempt to log into any account which can update a new build for a released app. If the person attempting to access the developer account doesn't enter the correct confirmation code, they won't be able to login.

In short, it's a way of adding an additional level of verification beyond a simple username and password. But, unfortunately, it's not the best way to do it.

As we've discussed before, SMS-based two-factor authentication can be bypassed by a determined attacker through a SIM swap attack.

If a criminal can successfully trick a mobile carrier into switching a phone number to a different SIM card (perhaps through social engineering to impersonate the real owner of the phone number) they will be automatically sent any verification codes or account recovery tokens sent to the number via SMS.

It's easy to imagine that Steam game developers will continue to have their accounts compromised even after the SMS-based security check is introduced on October 24 2023. If a malicious hacker is determined enough they will simply SIM swap their targeted developer as part of the attack.

In my opinion, Valve would have done better to have adopted a form of two-factor authentication which wasn't reliant on SMS messages, such as app-based TOTP (Time-based One-Time Passwords) authenticators, hardware security keys, or passkeys instead.

Don't get me wrong. SMS-based two-factor authentication is better than no 2FA at all, but it always feels like a mistake and a missed opportunity when a stronger form of security could have been offered instead.

Valve has been criticised in the past for introducing a method of two-factor authentication called Steam Guard that, unfortunately, is a proprietary home-brewed solution which does not follow industry standards.

Everyone with a Steam developer account is being advised to add their phone number to their account before October 24 2023. In Valve's own words "Sorry, but you’ll need a phone or some way to get text messages if you need to add users or set the default branch for a released app."

Clearly if you're a  game developer you now have no choice but to hand over your phone number to Valve. I would also recommend, however, ensuring that you have adequate defences in place on the devices you use to log into your Steam developer account, and on the computers that you use to code and build your games.

Keeping your computers free from malicious attacks and intruders is essential if you are releasing software that could be used by others.