331
Valve adds new security check after attackers compromise Steam accounts of multiple game devs and update their games with malware (www.pcgamer.com)
submitted 8 months ago by nanoUFO@sh.itjust.works to c/games@sh.itjust.works
19 comments fedilink hide all child comments
all 20 comments
sorted by: hot top controversial new old
[-] chemical_cutthroat@lemmy.world 69 points 8 months ago

I don't want to be too cynical, but I get the feeling this is working as intended on the parts of the "developers." If less than 100 people had the game installed, there is a good chance it was shovel-ware with a low or free upfront cost that was then sold to scammers. The scammers push the malware, get all the information they want from compromised machines, and then move on. The SMS will really only be a sort of "you gave the OK for this update to be pushed out, so you are responsible," type thing, which won't matter in the case of malicious shovel-ware and fly by night devs who only plan to sell out their install base, anyway.

[-] JackGreenEarth@lemm.ee 14 points 8 months ago

It's not a confirmation via SMS, it's a verification via SMS, so the attacker has to have your phone number as well as your steam account to attack it, which makes it harder.

[-] chemical_cutthroat@lemmy.world 15 points 8 months ago

That's why I was saying that this is "working as intended" and that more than likely this was perpetrated by less-than-savory devs who purposefully sold out the people who bought their games. There were no "hackers" only shitty devs that claimed they were hacked after they got caught distributing malware. Again, I may just be overly cynical.

[-] TWeaK@lemm.ee 10 points 8 months ago* (last edited 8 months ago)

They're saying the people who bought the game from the original devs may have been the ones to upload the malware. In that case, they could confirm the SMS very easily.

[-] ahriboy@kbin.social 3 points 8 months ago

And SMS messages can be intercepted. Not a good option, use physical security keys instead!

[-] TWeaK@lemm.ee 7 points 8 months ago

Even authenticator apps are generally better than SMS.

One thing no one talks about with SMS verifications, though, is that it frequently confirms your phone number to the business you're giving it to. If they're in the habit of trading user data, this makes the data much more valuable. I think this is the real reason for many businesses that push for it, when normally they could hardly care less about user security.

[-] smeg@feddit.uk 3 points 8 months ago

Seriously, while 2FA via SMS is generally much better than nothing, it has zero security so might even make things worse in some cases by providing a false sense of security!

[-] LoafyLemon@kbin.social 1 points 8 months ago* (last edited 8 months ago)

RCS messages are encrypted using TLS.

[-] smeg@feddit.uk 6 points 8 months ago

RCS isn't SMS though, nobody mentioned RCS!

[-] LoafyLemon@kbin.social 1 points 8 months ago

RCS is a replacement for SMS, used by the majority of mobile carriers in Europe, Northern America, and Asia. It is used by default in all supported regions.

[-] smeg@feddit.uk 2 points 8 months ago

I know what it is, but it's got nothing to do with this discussion. What company provides 2FA codes via RCS instead of SMS?

[-] LoafyLemon@kbin.social 2 points 8 months ago* (last edited 8 months ago)

Most of them do, because as you have noted before, SMS protocol is not secure.

[-] smeg@feddit.uk 5 points 8 months ago

Do they? I've never seen this as an option. In fact, I've never even seen RCS mentioned anywhere outside Android enthusiast forums!

[-] LoafyLemon@kbin.social 1 points 8 months ago* (last edited 8 months ago)

It's not surprising if you haven't come across the rollout of RCS. Google developed this feature as a replacement for the less secure SMS standards and aimed for a seamless implementation without causing user disruptions. This could be a rare instance where we commend Google for a change that benefits users, not just their bottom line.

[-] smeg@feddit.uk 2 points 8 months ago

Except there's still very little support for it as they haven't opened up the protocol for people to actually write clients to use it

[-] sugar_in_your_tea@sh.itjust.works 1 points 8 months ago

And it appears Apple isn't on board, and since the vast majority of my text messages go to my wife on her iPhone, it's largely useless for me.

I'm also considering moving to a Linux phone (PinePhone), which I assume also won't be able to use this. So it's a nice gesture, but ultimately has limited impact.

[-] LoafyLemon@kbin.social 2 points 8 months ago

Only if you have the access to the same mast, otherwise no. This vastly reduces the number of attack vectors.

[-] Potatos_are_not_friends@lemmy.world 13 points 8 months ago

This totally makes sense. There's so much shovelware.

Every day, there's like 10 new hentai games. It makes it impossible to have the "adult" option turned on and look at new releases.

[-] MashedTech@lemmy.world 13 points 8 months ago

Well, I'm glad they're taking security so seriously.

this post was submitted on 12 Oct 2023
331 points (99.7% liked)

Games

15812 readers
483 users here now

Video game news oriented community. No NanoUFO is not a bot :)

Posts.

  1. News oriented content (general reviews, previews or retrospectives allowed).
  2. Broad discussion posts (preferably not only about a specific game).
  3. No humor/memes etc..
  4. No affiliate links
  5. No advertising.
  6. No clickbait, editorialized, sensational titles. State the game in question in the title. No all caps.
  7. No self promotion.
  8. No duplicate posts, newer post will be deleted unless there is more discussion in one of the posts.
  9. No politics.

Comments.

  1. No personal attacks.
  2. Obey instance rules.
  3. No low effort comments(one or two words, emoji etc..)
  4. Please use spoiler tags for spoilers.

My goal is just to have a community where people can go and see what new game news is out for the day and comment on it.

Other communities:

Beehaw.org gaming

Lemmy.ml gaming

lemmy.ca pcgaming

founded 1 year ago
MODERATORS
nanoUFO@sh.itjust.works