Valve, the company behind Steam, is implementing SMS-based security measures to tackle a recent increase in malicious updates on the gaming platform. Steamworks, which is used by game developers and publishers to distribute products, has experienced a rise in compromised accounts pushing malware-laden builds to players since late August 2023.
Although Valve has assured users that the impact of these attacks was limited, the company is taking steps to enhance security. Starting October 24, 2023, game developers will need to pass an SMS-based security check before releasing updates on the default branch, and the same requirement will apply when adding new users to the Steamworks partner group.
To further secure the platform, Valve is mandating the association of a phone number with Steamworks accounts, and a phone verification code will be sent before certain actions can proceed. Valve is considering expanding this requirement to other Steamworks actions in the future. However, this SMS-based verification system has limitations, as highlighted by a game developer who was infected with information-stealing malware.
Even with SMS-based MFA, the developer’s session tokens were stolen, allowing malicious updates to be pushed to players. There are concerns that SMS 2FA is also vulnerable to SIM-swap attacks, where attackers can transfer a phone number to a different SIM card to bypass security measures. Some suggest more modern solutions, like authenticator apps or physical security keys, might be more effective for projects with large communities.