Roblox currently has a huge social engineering issue: anybody with any of your old emails or billing information can contact Roblox support under your name and use that as an attack vector to compromise your accounts multiple times, and there’s nothing you can do about it unless you have a direct relationship with Roblox staff.
This has the potential to be a huge problem on Roblox. We’ve seen developers and Star creators get targeted and compromised through this method before (I’m a current victim of this method and luckily have a direct line with Roblox staff to help me with this issue; others are not so fortunate, however), and there’s no way you would have any idea what happened to your account, as it’s all done completely silently with no notifications sent to you.
My proposal as a potential solution to this major security issue is to allow devex portal members and star creators to set up a roblox support passcode. This passcode would be required to be given to roblox support to verify your identity, along with the usual details needed to provide verification. Roblox support would not be able to modify or view any of your account details unless you provide them this passcode. Ideally support members would not be able to see the passcode either to prevent them from giving any hints to someone fraudulently attempting to verify your identity via guessing the passcode, removing any possible human error.
The only way you would be able to create, modify, or remove a Roblox support passcode is if you supply Roblox with your government-issued ID and selfie. This would prevent any compromiser from getting into your account via other means and setting up a passcode themselves, which is why I said DevEx portal members/Star creators: they already have our ID on file.
As much as I like Roblox pushing for proper 2-factor authentication, it ultimately won’t matter if someone can go through support and disable it altogether silently. Implementing a support passcode or something similar for high value targets would be a step in the right direction to proper account security and close off a very viable attack vector that bypasses any form of 2-factor authentication.
A better solution (and something that would be more memorable) is security questions. E.g. “What was your first pet’s name?”. For security purposes, this could be submitted via a web form (sent to you by CS) instead of sent over e-mail.
The idea of it being a passcode is that it’s completely unrelated to any question or personal information. Ideally you would set it to a random string of letters and numbers that would have no connection to you whatsoever and remove the human error element on Roblox’s side by preventing Roblox support access to modify the account unless they enter the passcode you give them when verifying your identity through email (preventing support viewing the passcode is of course a more extreme direction and a risk that you would have to consent to).
Full support. I’ve been pretty concerned with some of the things that’ve happened via support to others over the years, and this would be a simple, effective and actionable countermeasure.
Fully agree that a “support passcode” would be better than a security question, but…
people should be using a randomly generated password for these security questions anyway.
Honestly, support passcode is too specific. I want to be able to directly have a personal note on my account that all CS staff must read before dealing with me.
My threat model is not your threat model and as a developer and security focused person I want to have specifics in the way I want to interact with CS.
Side note: DevEx portal members and STAR creators (assuming content creators) isn’t broad enough. I would prefer to refer to these users as “High Risk” and/or “High profile” which would more appropriately describe those who would need such specialist support.
There are some rumours of internal CS work for these high risk and high profile users, which does handle this issue better than what we know publicly. Hopefully Roblox can be more open with that.
As much as I would like to trust notes on accounts, I have had countless experiences with customer service representatives in the past from numerous companies who completely ignore any notes associated with accounts, even if forced to read them. Ultimately a passcode would be a more extreme step to remove any human error from Roblox’s end, the part we can’t control. Call it paranoia, but some of these accounts are worth as much if not more than most people’s bank accounts, and human error with those accounts is unacceptable.
And I’ve ultimately only accounted for Roblox users who I know for sure have an ID card on file with Roblox in order to verify the identity of their account, which is of course already standard procedure with these users. I’m unsure of a countermeasure that would be effective for a broader range of users that couldn’t be exploited, but the main targets of these compromise methods are users with DevEx portals that can properly verify their identification.
Of course a much better solution to this would be having these users be rejected altogether from Roblox support and only allowing contact regarding account status with a private support branch, but this would be harder to implement logistically, and just setting a passcode would most likely be the path of least resistance for Roblox.
As someone who had their account compromised by Customer Support (complete misreading of anything I said) at RDC, I understand what you mean, but the way this is very likely to be implemented would result in the same issue you deny my reply for.
I’m expecting to be a little note in your customer support notes and not much more. For those wanting a PIN, you can make it as long or as short as you need, and your support note can be simply…
Required for each new interaction to verify identity
PIN: XXXX (or XXXXXX)
I understand what you’re getting at with implementation. I’ve attempted to describe proper implementation in my initial post, but Roblox ultimately has jurisdiction over the implementation method if they decide to go this route (whether or not I agree with their implementation method is a different story).
Ultimately my goal with this post was to get this issue as much exposure as possible. Roblox is of course free to go for any implementation they see fit, as long as they’re aware that they should be taking countermeasures against this and not just ignoring it (or not being aware of it).
Can someone actually silently disable 2FA with just an old piece of information? As far as I know I’ve never given my billing information to anyone except authorised sellers, but I have given out my email on occasion for things like Google Drive collaboration or receiving some mail.
The prospect of someone being able to disable and hijack your account that easily is scary. I’d be a bit more at ease if they need both and not just one or the other, unless I’ve misinterpreted the words “any of your old emails or billing information”. It would’ve been good to have known this risk existed, because then I’d make a private email address completely detached from anything.
The lack of security features for support is staggering and needs to be fixed, since we’re talking about losses so great they could be damaging to someone’s real income or ability to create on the platform.
You can verify with either; you don’t need both. It’s an extremely insecure method of verification, as most of us that would be targets for this kind of attack have been on the platform for over 5 years, which means we’re talking about information that’s extremely old and extremely vulnerable. The internet goes through an obscene amount of data breaches each year, and it’s highly likely your information from 5+ years ago would have been exposed in some data breach that is now publicly available.
It should be available to everyone then. I’m not a high value target; I’m not in the stars program, and I don’t have a devex portal account, yet my account has almost been compromised numerous times. Someone managed to figure out my password a while ago and 2FA was the only thing that saved me. It shouldn’t be limited to “high value” targets. It should be available for everyone to set.
The only reason I’m not including everyone in this post is because it’s a potential security threat. People who don’t have connections with Roblox admins wouldn’t be able to verify their identity with Roblox support if someone got into their account and set a support passcode for them that the original owner wouldn’t know, and adding methods to bypass this passcode would defeat the purpose of it altogether. And of course setting up this passcode and verifying identity via any other identifying information that would work within the confines of the amount of information Roblox stores about you would still be insecure, as this is the same information the compromiser has about you in terms of this attack vector. The safest method would be giving a government-issued ID if Roblox already has that information on you, such as being a part of the Stars program or having a DevEx portal.
It’s not that I don’t want everyone to be included; it’s that I can’t think of any way to securely roll out this feature to people who have limited verifiable information through Roblox. Rolling it out in this state to everyone would open up an attack vector to permanently compromise your account and prevent you from going through support to recover it. It’s a hard problem to solve when you involve those types of users in this process, and the only way I could think of to verify them is through Google-esque fingerprinting, which I know many Roblox users will not be happy with.
This should not be restricted to solely these individuals. Everyone should be able to access this passcode as a standard because everyone’s account is valuable to themselves.
I don’t think Roblox is allowed to handle systems based off private governmental information, but the system to change this proposed passcode shouldn’t be automated. Perhaps a picture of something like a bed with a piece of paper on top, specifically in a certain colour ink and with your username written on it, would be better? The only people that could forge that would be those who live in your house, unless an intruder gets in for some reason.
If this ends up being too complicated, maybe require an account PIN before contacting support? If a PIN is enabled on the account, of course.