Valve's Mandatory SMS-Based Two-Factor Authentication Raises Security Concerns
SMS-Based 2FA: Not Really Secure
Valve, the game maker behind the Steam game-distribution platform, recently announced that developers must register a phone number with their Steamworks account and confirm sensitive actions, such as adding a user to a partner group or setting a build live on the public branch, with a one-time code delivered by SMS. The move has raised questions about how much protection SMS-based 2FA actually provides. Attackers routinely get past SMS codes with real-time phishing proxies (a man-in-the-middle page that relays the victim's password and code to the genuine site within the code's validity window), with social engineering of the victim or of the carrier (SIM swapping and number port-out), and with mobile malware that reads incoming messages. The Xenomorph Android banking Trojan, for example, infected more than 50,000 devices and intercepted SMS messages on them to capture 2FA codes.
The Vulnerability of Phone Numbers
One inherent weakness of SMS-based 2FA is that it authenticates a phone number, not a person or a device. Phone numbers are easy to obtain from breach dumps and public sources, and control of a number can be taken over by social-engineering the carrier: an attacker impersonating the subscriber asks for a SIM swap or for the number to be ported to another carrier, after which every SMS, including every one-time code, is delivered to the attacker's handset. Recent breaches, such as those at MGM Resorts and Caesars Entertainment, exposed large numbers of customer records including phone numbers, which gives attackers both a target list and the personal details needed to pass a carrier's identity checks.
2FA Is Better Than Nothing
Despite the security vulnerabilities, SMS-based 2FA persists because it provides a relatively painless security mechanism for end users. Customers only need to provide their phone numbers to receive a one-time passcode via SMS. Consumer-facing companies prioritize reducing friction for their users, and any form of multifactor authentication (MFA) is considered better than none. Lookout’s Vice President of Endpoint and Threat Intelligence, David Richardson, suggests that SMS-based MFA makes an account ten times harder to hack compared to not having any MFA at all.
Case Study: Protecting Independent Developers
An example that highlights what is at stake is the case of Benoît Freslon, an independent developer whose game NanoWar: Cells VS Virus was compromised through a social-engineering scam. A criminal posing as another developer sent him a direct message carrying malware; the infection gave the attacker access to Freslon's accounts, including his Steam developer account, and an infected build of the game was pushed to players. Valve eventually removed the infected version from Steam. Under Valve's new rule, setting a build live on the public branch requires a fresh SMS code, so an attacker holding only stolen credentials or a hijacked session would have had to defeat that step as well before players were exposed.
Moving Beyond SMS: App-Based Factors
Companies worried about the friction 2FA adds can use app-based factors that are already widely deployed, such as the time-based one-time password (TOTP) apps Google Authenticator and Microsoft Authenticator. The code is computed on the device from a shared secret and the current time, so nothing travels over the phone network: a SIM swap or port-out does not help an attacker, and malware cannot harvest the code through the operating system's SMS permission. Two caveats apply. The shared secret must also be stored by the service, so it is exposed in a server-side breach, and a TOTP code is still a code the user can type into a fake page, so a real-time phishing proxy that relays it within the 30-second window defeats it just as it defeats SMS. Phishing resistance comes from passkeys and hardware security keys (FIDO2/WebAuthn), which sign a server challenge bound to the origin of the site the browser is actually on; an origin-bound assertion cannot be replayed from a look-alike domain. Unlocking the app or key with biometrics adds a second check on the device, but it is the origin binding, not the biometric, that stops phishing.
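The mechanics above, as an added example that is not code from the article, from Valve, or from any authenticator app: a standard-library Python implementation of RFC 6238 TOTP (the algorithm behind Google and Microsoft Authenticator), a server-side verifier with a one-step clock-skew window and replay protection, and a simulated real-time phishing relay of the kind described in the opening section. The origins, account names, password and secrets are constructed, and the passkey assertion uses an HMAC over challenge plus origin as a stand-in for a FIDO2 signature so the script runs offline; the behaviour it demonstrates, that the relay succeeds with a TOTP code and fails with an origin-bound assertion, is the same.

```python
"""Added example, not code from the article, Valve or any authenticator app.
RFC 6238 TOTP, a verifier with skew window and replay protection, and a
simulated phishing relay. Origins, names and secrets are constructed."""
import hashlib
import hmac
import secrets
import struct

STEP = 30  # seconds per TOTP step (RFC 6238 default)

def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the variant authenticator apps default to."""
    counter = int(unix_time) // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class TotpVerifier:
    """Server side: holds the shared secret (exposed in a server breach),
    tolerates one step of clock skew, and never accepts the same step twice."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_used_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for step in (current - 1, current, current + 1):
            if step <= self.last_used_step:
                continue  # already consumed: a sniffed code cannot be replayed
            if hmac.compare_digest(totp(self.secret, step * STEP), code):
                self.last_used_step = step
                return True
        return False

REAL_ORIGIN = "https://store.example"         # constructed: the genuine site
PHISH_ORIGIN = "https://store-login.example"  # constructed: attacker's look-alike

class RealService:
    """The genuine site. Accepts password + TOTP, or an origin-bound assertion.
    HMAC stands in for the passkey's private-key signature; a real FIDO2 server
    verifies a signature with the credential's stored public key instead."""
    def __init__(self, password: str, totp_secret: bytes, passkey_secret: bytes):
        self.password = password
        self.totp = TotpVerifier(totp_secret)
        self.passkey_secret = passkey_secret

    def login_with_totp(self, password: str, code: str, now: int) -> bool:
        return hmac.compare_digest(password, self.password) and self.totp.verify(code, now)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def login_with_assertion(self, challenge: bytes, origin: str, tag: bytes) -> bool:
        if origin != REAL_ORIGIN:  # client reports it signed for some other site
            return False
        expected = hmac.new(self.passkey_secret, challenge + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)

def browser_assertion(passkey_secret: bytes, challenge: bytes, page_origin: str):
    """Browser + authenticator. The browser, not the page, supplies the origin,
    and the signature covers it, so a phishing page cannot substitute it."""
    tag = hmac.new(passkey_secret, challenge + page_origin.encode(), hashlib.sha256).digest()
    return page_origin, tag

def demo(now: int = 1_700_000_000) -> dict:
    """Victim is lured to PHISH_ORIGIN; the attacker's proxy forwards what it collects."""
    totp_secret, passkey_secret = secrets.token_bytes(20), secrets.token_bytes(32)
    svc = RealService("correct horse battery", totp_secret, passkey_secret)
    results = {}
    # 1. Victim types password and the current app code into the fake page;
    #    the proxy submits both to the real site 5 s later, inside the window.
    phished_code = totp(totp_secret, now)
    results["relayed_totp_accepted"] = svc.login_with_totp("correct horse battery", phished_code, now + 5)
    # 2. The same code again: rejected, that step has already been consumed.
    results["replayed_totp_accepted"] = svc.login_with_totp("correct horse battery", phished_code, now + 10)
    # 3. Legitimate passkey login from the real origin.
    chal = svc.new_challenge()
    origin, tag = browser_assertion(passkey_secret, chal, REAL_ORIGIN)
    results["legit_passkey_accepted"] = svc.login_with_assertion(chal, origin, tag)
    # 4. Relay: proxy fetches a real challenge, the victim's browser signs it for
    #    PHISH_ORIGIN, the proxy relabels the origin on the way through. Fails.
    chal = svc.new_challenge()
    _, tag = browser_assertion(passkey_secret, chal, PHISH_ORIGIN)
    results["relayed_passkey_accepted"] = svc.login_with_assertion(chal, REAL_ORIGIN, tag)
    return results

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

With the RFC 6238 test secret `12345678901234567890`, `totp(secret, 59)` returns `287082`, the last six digits of the RFC's 8-digit SHA-1 vector, which is a quick way to check any TOTP implementation against a real authenticator app. The replay guard matters in practice: a verifier that only checks the window lets an attacker who saw the code (over the shoulder, in malware logs, or on the phishing page) use it once more before the step rolls over.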
Game Industry Focus on Security
Stronger account security has become crucial for game companies: digital in-game assets now carry real value, which makes developer and player accounts attractive to cybercriminals, and cheaters try to take over other players' accounts to gain an unfair advantage. Valve, recognizing these risks, says it intends to add further security measures over time to protect developers, customers, and its own reputation.
Editorial: The Need to Rethink SMS-Based 2FA
The recent move by Valve to mandate SMS-based 2FA raises important questions about the security practices of consumer-facing online services. While any form of MFA is considered better than none, it is high time for companies to reconsider their reliance on SMS as the primary second factor for authentication.
Given the growing sophistication of attacks and the weaknesses of SMS, organizations should move to stronger alternatives. App-based factors such as Google Authenticator and Microsoft Authenticator remove the SMS interception and SIM-swap risks entirely; passkeys and hardware security keys go further by resisting phishing as well, since a code that is never typed cannot be relayed through a fake page.
Companies must prioritize the security and privacy of their users by adopting more robust authentication methods. This includes educating their customers on the importance of MFA and encouraging them to use app-based factors that offer a higher level of protection. Investing in security measures not only protects businesses and developers but also demonstrates a commitment to customer trust and satisfaction.
Advice: Protecting Your Online Accounts
As individuals, we must take responsibility for our own online security. While SMS-based 2FA may not offer the highest level of protection, it is still better than relying solely on passwords. Here are some steps you can take to enhance your online security:
1. Enable 2FA: Whenever possible, enable two-factor authentication on your online accounts. SMS codes are convenient and far better than a password alone, but prefer an authenticator app such as Google Authenticator or Microsoft Authenticator, and, where the service offers it, a passkey or hardware security key, which cannot be relayed through a phishing page.
2. Use Strong and Unique Passwords: Create strong, unique passwords for each of your online accounts to minimize the risk of unauthorized access. Consider using a password manager to help you generate and securely store complex passwords.
3. Stay Informed: Stay updated on the latest security practices and vulnerabilities. Regularly check for security alerts and news about the services you use and take the necessary precautions.
4. Be Wary of Phishing Attempts: Be cautious when clicking on links or downloading files from unfamiliar sources. Phishing attempts often trick users into revealing sensitive information or installing malware. Verify the authenticity of any requests before providing personal or login details.
5. Regularly Update Software: Keep your operating systems, apps, and security software up to date. Updates often include security patches that address vulnerabilities.
By following these best practices, you can significantly reduce the risk of falling victim to cyberattacks. Remember, your digital security is in your hands, and taking proactive measures can make a substantial difference in protecting your online accounts.
<< photo by Petter Lagson >>