Theoretically, could my Steam account ever be in danger of a SIM swap attack?
Hi, I have a phone number attached to my Steam account because it claims that it makes it easier to recover your account if you lose access and whatnot. However, I'm also very aware of SIM swap attacks, which is why most security experts and enthusiasts agree: SMS-based 2FA is a bad idea when email or TOTP apps are available.

My question is this: does anyone know how the recovery process works if you use your phone? Is it a standard SMS 2FA or is it just a layer of information Valve needs to help you recover your account? It seems to imply that it's SMS 2FA and if that's the case, then I'm thinking I may just remove my number to avoid the possibility of a SIM swap at some point, relying solely on Steam Guard via the mobile app.

I removed my number from my Epic account for this same reason. However, I have no issue keeping a number attached if it's merely meant to be just a layer of verification in the event of losing access to my account.

Anyways, thanks in advance if anyone can answer this definitively. I appreciate any input!
RiO 2 Apr 2023 at 4:19
They can send you an SMS recovery code, iirc.
So yes - SIM swap attacks would be possible.

Not sure if you can configure your account anywhere to disable that - and rely solely on a pre-printed sheet of one-time emergency recovery codes.


That said, this would only be at risk of abuse if a bad actor can pair your real world name and mobile number to your Steam account user name and can social engineer their way past your telco's customer support safeguards to prevent these kinds of attacks.

Check your telco's business processes for that and see if it's even remotely an issue for you.
E.g. I'm with a telco that will only allow consumer SIM swaps to be initiated from a physical store, at which point they will require an ID check.
Last edited by RiO; 2 Apr 2023 at 4:22
RiO wrote:
They can send you an SMS recovery code, iirc.
So yes - SIM swap attacks would be possible.

Not sure if you can configure your account anywhere to disable that - and rely solely on a pre-printed sheet of one-time emergency recovery codes.

Gotcha, thanks for the quick response! I know you can remove your number from your account entirely (at least, that's what it says you can do). I just wish that there was a way to set it up so it's strictly used as one of several layers for account recovery, rather than SMS 2FA.

Thanks again!

EDIT: Actually, it almost looks like I can't remove it. It has an option to do so but any time I try to do it, it just takes me to a page that doesn't seem to offer the option. Oh well, I needed to look into locking my SIM card down anyway.
Last edited by Jakob Fel; 2 Apr 2023 at 4:35