Valve introduces SMS-based confirmation to prevent malicious games on Steam

Video game publisher/digital distribution company Valve is forcing developers who publish games on its Steam platform to “validate” new builds with a confirmation code received via SMS.

The Steam SMS confirmation requirement

Valve sent out notices last month to select users to inform them that they may have been infected with malware after playing a specific game via Steam.

“The Steam account for the developer of this game was recently compromised and the attackers uploaded a new build that contained malware,” the notice said. “The build containing the suspected malware was promptly reverted and purged from Steam, but we strongly encourage you to run a full-system scan using an anti-virus product that you trust or use regularly, and inspect your system for unexpected or newly installed software.”

Last week, the company announced that, starting on October 24, 2023, it will enforce a new SMS-based security check for developers who want to push a new build to the default branch.

“As part of a security update, any Steamworks account setting builds live on the default/public branch of a released app will need to have a phone number associated with their account, so that Steam can text you a confirmation code before continuing,” the company explained. “The same will be true for any Steamworks account that needs to add new users.”

If the app has not yet been released, or if the developers are updating a beta branch, the additional confirmation will not be required.

Security updates are welcome, but…

Although introducing additional security checks to the development lifecycle is generally a positive practice, Valve’s update was not greeted with enthusiasm by those whom it will affect.

Besides not being particularly keen to associate their personal number with the platform, developers say that this update will block automated release pipelines and delay the release process. They also rightly point out that SMS-based authentication is no longer secure (due to SIM-swapping and MITM attacks) and that more secure alternatives (e.g., mobile apps providing time-based one-time passwords) should be offered.
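To make the two points above concrete, here is an added example (not Valve's code, and not a description of how Steamworks is implemented) of a hypothetical release-pipeline gate: it encodes the rule the article describes (confirmation only for live pushes to the default/public branch of a released app, and for adding users) and verifies an RFC 6238 TOTP code instead of an SMS code. The secret is the RFC 6238 test-vector key, used here only as constructed sample input.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 6238 Appendix B test-vector key, not a real credential.
SAMPLE_SECRET = b"12345678901234567890"


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the given Unix time."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Accept the current 30 s step and +/- `window` neighbours to tolerate clock drift.
    compare_digest keeps the comparison constant-time."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * 30), submitted):
            return True
    return False


def confirmation_required(app_released: bool, branch: str, adding_users: bool) -> bool:
    """Mirror of the policy described in the article: setting a build live on the
    default/public branch of a released app, or adding new users, needs a code;
    unreleased apps and beta branches do not."""
    if adding_users:
        return True
    return app_released and branch in ("default", "public")


def gate_build_push(app_released: bool, branch: str, adding_users: bool,
                    secret: bytes, submitted_code, now: float) -> str:
    """Hypothetical pipeline hook. Returns 'not_required', 'allowed' or 'denied'."""
    if not confirmation_required(app_released, branch, adding_users):
        return "not_required"
    if submitted_code is not None and verify_totp(secret, submitted_code, now):
        return "allowed"
    return "denied"


if __name__ == "__main__":
    # A release pipeline would read the code from the operator; here we compute it locally.
    code = totp(SAMPLE_SECRET, 59)
    print(gate_build_push(True, "default", False, SAMPLE_SECRET, code, 59))   # allowed
    print(gate_build_push(True, "beta", False, SAMPLE_SECRET, None, 59))      # not_required
```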

Thomas Uhlemann, security specialist for ESET, doubts that this move will considerably improve the security of developers and users.

“To mitigate the issue of developer accounts being taken over or even worse – their equipment – other, proven tactics have to be applied,” he told Help Net Security.

“Firstly, for developers, we recommend applying non-SMS-based MFA to protect all of their accounts as with authenticator apps as a bare minimum, in addition to strong passphrases. Then, of course, the equipment used for development needs to be protected by strong security software as well to avoid information-stealing malware taking over the whole identity of a developer.”

“For Steam/Valve, we would suggest introducing a certificate-based, strong MFA solution (as they could employ their own Steam Guard app) to maximize the security posture of their ecosystem as a whole. We must not forget that users trust the platform, believing they take care of the security of the individual developers,” he added.
