Steam fights malware with SMS verification for game updates

Valve takes action against malware in Steam updates

Steam introduces SMS verification for updates but many think it is not enough

On Steam, the well-known gaming platform, a worrying trend has recently alarmed the gaming community. The platform has been plagued by malicious upgrades that are packed with malware, making many users exposed to intrusions. The maker of Steam, Valve, has made the decision to fight this problem head-on.

To distribute their games and software on the Steam platform, developers and publishers employ a combination of tools and services called Steamworks. It enables multiplayer, video streaming, matchmaking, achievements, in-game voice and chat, microtransactions, statistics, cloud saving, and community-created content sharing (Steam Workshop). It also supports digital rights management (DRM).

Many creators and publishers have found success thanks in large part to Steamworks, which made it possible for their games to be played by millions of gamers worldwide. However, tremendous power also comes with great responsibility, and the current spate of malicious updates has prompted questions about the ecosystem's security.

The malware threat and Valve's response

Early in the fall of 2023, news of compromised Steamworks accounts started to surface. Attackers had been breaking into these accounts and submitting updates that were malware-infected, endangering the safety of Steam users.

The harm was quickly contained by Valve, assuring the gaming community that only a tiny number of players had been impacted by the attacks, and that everyone had been properly informed of the potential breach. To avoid similar situations in the future, Valve realized a stronger security mechanism was necessary.

The new SMS-based security check for game creators is Valve's solution to this security problem. Developers will have to successfully complete this SMS-based verification starting on October 24, 2023, before publishing any updates to the default release branch.

This new security requirement will not only apply to updates but also to any attempts to add new users to the Steamworks partner group, an additional layer of security for the platform. To add an additional layer of security, group admins will now need to confirm these operations using SMS-based codes.

The challenge of SMS verification and future considerations

According to Valve's statement,^[1] in order to enable SMS verification, Steamworks accounts must be linked to a phone number. This upgrade attempts to strengthen the platform's security and safeguard both users and developers:

As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account so that Steam can text you a confirmation code before continuing,

Valve is committed to continue strengthening Steam's security and is not content to stop at SMS verification. In the future, they plan to extend this requirement to more Steamworks actions, underscoring their commitment to upholding a secure gaming environment.

Even for users of the SetAppBuildLive API, Steam has taken steps to bolster security generally. Particularly when making changes to the default branch of released software, developers will now be required to give a steamID for validation. This precaution aims to stop unauthorized changes to game updates.

Despite these proactive steps, some programmers and industry professionals think the SMS-based authentication system^[2] may have certain drawbacks.

One game developer, Benoît Freslon,^[3] had a harrowing experience when he fell victim to an information-stealing malware attack. His credentials were stolen by this software, which allowed the attacker to release a malicious update for the video game “NanoWar: Cells VS Virus.”

Until the tokens were canceled or expired, the attackers had access to Freslon's accounts, which gave them the ability to send malicious game updates to unwary players. Two-factor authentication (2FA) via SMS is not perfect. It is vulnerable to SIM-swap attacks, in which bad actors can move the phone number of a game developer to a different SIM card and therefore get around the SMS-based security feature.

Many experts advise using more sophisticated authentication techniques, including authenticator apps or physical security keys, to significantly strengthen Steam's security. These techniques are superior options, especially for projects with big communities since they provide a higher level of protection and are more resilient to different cyberattacks.