• chemical_cutthroat@lemmy.world
    link
    fedilink
    English
    arrow-up
    72
    arrow-down
    3
    ·
    1 year ago

    I don’t want to be too cynical, but I get the feeling this is working as intended on the parts of the “developers.” If less than 100 people had the game installed, there is a good chance it was shovel-ware with a low or free upfront cost that was then sold to scammers. The scammers push the malware, get all the information they want from compromised machines, and then move on. The SMS will really only be a sort of “you gave the OK for this update to be pushed out, so you are responsible,” type thing, which won’t matter in the case of malicious shovel-ware and fly by night devs who only plan to sell out their install base, anyway.

    • JackGreenEarth@lemm.ee
      link
      fedilink
      English
      arrow-up
      15
      arrow-down
      1
      ·
      1 year ago

      It’s not a confirmation via SMS, it’s a verification via SMS, so the attacker has to have your phone number as well as your steam account to attack it, which makes it harder.

      • chemical_cutthroat@lemmy.world
        link
        fedilink
        English
        arrow-up
        16
        arrow-down
        1
        ·
        1 year ago

        That’s why I was saying that this is “working as intended” and that more than likely this was perpetrated by less-than-savory devs who purposefully sold out the people who bought their games. There were no “hackers” only shitty devs that claimed they were hacked after they got caught distributing malware. Again, I may just be overly cynical.

      • TWeaK@lemm.ee
        link
        fedilink
        English
        arrow-up
        10
        ·
        edit-2
        1 year ago

        They’re saying the people who bought the game from the original devs may have been the ones to upload the malware. In that case, they could confirm the SMS very easily.

      • ahriboy@kbin.social
        link
        fedilink
        arrow-up
        6
        arrow-down
        3
        ·
        1 year ago

        And SMS messages can be intercepted. Not a good option, use physical security keys instead!

        • TWeaK@lemm.ee
          link
          fedilink
          English
          arrow-up
          7
          ·
          1 year ago

          Even authenticator apps are generally better than SMS.

          One thing no one talks about with SMS verifications, though, is that it frequently confirms your phone number to the business you’re giving it to. If they’re in the habit of trading user data, this makes the data much more valuable. I think this is the real reason for many businesses that push for it, when normally they could hardly care less about user security.

        • smeg
          link
          fedilink
          English
          arrow-up
          3
          ·
          1 year ago

          Seriously, while 2FA via SMS is generally much better than nothing, it has zero security so might even make things worse in some cases by providing a false sense of security!

            • smeg
              link
              fedilink
              English
              arrow-up
              7
              ·
              1 year ago

              RCS isn’t SMS though, nobody mentioned RCS!

              • LoafyLemon@kbin.social
                link
                fedilink
                arrow-up
                2
                arrow-down
                1
                ·
                1 year ago

                RCS is a replacement for SMS, used by the majority of mobile carriers in Europe, Northern America, and Asia. It is used by default in all supported regions.

                • smeg
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  1 year ago

                  I know what it is, but it’s got nothing to do with this discussion. What company provides 2FA codes via RCS instead of SMS?

        • LoafyLemon@kbin.social
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          Only if you have the access to the same mast, otherwise no. This vastly reduces the number of attack vectors.

    • Potatos_are_not_friends@lemmy.world
      link
      fedilink
      English
      arrow-up
      13
      ·
      1 year ago

      This totally makes sense. There’s so much shovelware.

      Every day, there’s like 10 new hentai games. It makes it impossible to have the “adult” option turned on and look at new releases.