Customer Service "one time stolen item restore" should be per x years

Background:

Customer Service currently has a nice policy where if you’re unfortunate enough to have your account broken into, they’ll restore your items for you. They only do this once, however – I understand the reasoning and don’t disagree with it. This policy is becoming dated as time goes on though.

The Problem:

We have accounts at or approaching 10 years since they were created, and that’s a lot of opportunity for their accounts to be breached more than once. Someone who may have gotten their account broken into due to a weak password back in 2008 may have their account broken into again in 2018, and they would be ineligible for item restores, assuming they used it for the first breach. The interval between the two breaches has been so long that the purpose behind the limitation doesn’t really apply to the account anymore. An interval that’s this long could legitimately be the person losing their account to misfortune both times, rather than any major fault of their own.

A Solution:

Instead of having a hard limit of one restoration, limiting the restoration to 1 per a decided ‘X’ years would make the limit’s application more accurate.

108 Likes

Item restoration seems like a retroactive fix to the fact that somebody got into your account.

The solution here is account security. If current 2FA is inadequate then this feature request should be for improvements there.

2 Likes

2-factor isn’t simple enough for all of ROBLOX’s age range, and even 2-factor can be bypassed via cookie theft which can be the result of just downloading an extension. If account security could be perfect, Alex, the world would be a much nicer place. It’s not. There’s no way to ensure perfect account security, so there has to be some process for when it does happen – even a tech giant such as Google has one of these processes, and they have some of the best resources available to stop account theft.

11 Likes

I had to use my one-time restore because of an exploit with the then-new trade system that allowed someone to steal my items without accessing my account. Never got a follow-up on exactly how it happened, but the result is that my restore was wasted on something completely out of my control.

17 Likes

That’s terrifying 😮

At the same time we can only protect users who want to be protected. 2FA, account pins, etc. are only as safe as the account owner wants to be. Anyone who has items of high value on their account should not be running arbitrary extension code, reusing passwords, etc.

Or we could remove trading/selling of accessories and eradicate the entire incentive to steal accounts 😉

4 Likes

They should rewrite their policies to do with customer service as there are more and more bots finding new ways to trick younger players into giving away their passwords, cookies etc. They might’ve spent a long time trading or they might’ve bought robux directly from the site to get some nice items - so why only restore them once?

I’m a victim of the policies as I had R$150,000 stolen through a Remote Access Tool directly through my computer where they sent a trade from my computer when I went to get a drink, this left no log of them on my account with an IP different to my own, yet the only action they took was deleting the user; further proving they clearly had scammed or stolen items yet they never once offered to restore or compensate me? I was stupid at the time for acquiring the virus obviously but everybody makes mistakes and they shouldn’t be held 100% responsible and allow ROBLOX to let them sit there and watch their money float into a void.

It isn’t fair, in my opinion.

12 Likes

I had stuff scammed from my account, from something I didn’t realise was a thing, so I lost items and ROBLOX were kind enough to restore them.

Forward about a year from me taking a long hiatus from ROBLOX, I realise my account has membership and all my items had been stolen. Albeit it was only about 20k worth of stuff, but to me that’s still quite a decent chunk of cash to be gone. The account they had been transferred to was deleted, and I was unable to get my items back. I was told next time to just be more careful, don’t download suspicious programs, and have 2FA.

2FA wasn’t a thing on ROBLOX when I had been playing, and since I hadn’t been playing in a decent chunk of time either, I hadn’t downloaded anything that could link me back to my ROBLOX account. So somehow, someone had got into my account, bought BC for my account (3 months’ worth), and then ran off scot-free.

The fact that the user who had stolen my stuff had been permanently deleted was probably a good indication that it wasn’t my fault, but sometimes what can you do.

It’d be nice if the policies could be rewritten, but I can see how it could be abused.

3 Likes

I fully agree with this.

9 Likes

It sounds like, in your case, you used the same password for multiple websites and services. If you do that, your master password for everything is exposed just by one website’s database being breached. Suddenly, your information is in a large database used by malicious people to get into accounts. They look up your username or email and find your password, and since you used it for multiple websites, they get into whatever they want. Unique passwords are hugely important.

@AbstractAlex It’d be nice if we could somehow keep everyone’s accounts safe despite their own account safety ignorance, but that’s not realistic. Educating children in account safety five times is redundant - many won’t even read it the first time. I agree that users need to be more careful with their accounts - but the fact of the matter is that there’s a huge amount of account scamming throughout Roblox. It used to be cookie theft and keyloggers. Now it’s Chrome extensions and phishing sites. More than half of the Roblox-related extensions in the Chrome store are malicious. Many of them impersonate staff members and developers. A young user isn’t going to know better. So while we should definitely continue pushing the account safety education agenda, it’s important to realize that we can’t educate users on everything. That said, I don’t know if I support this idea entirely - having your account breached should be a one-time thing that you learn from so it doesn’t happen again.

3 Likes

the purpose for the whole ‘one time restore’ is to educate the user

ok you lost your items but you could have prevented it, this is your one and ONLY restore!

normally this causes players to be more wary of situations, obviously not everyone, but some

P.S: I’ve seen users (don’t want to mention usernames) on LMaD that lost all their multiple millions of RAP several times, and each time got a restore

why?

  1. it wasn’t his fault he lost his items, he didn’t click any links etc etc, they found creative ways to gain control of his account

  2. this doesn’t apply for all users, but this user was one of the most wealthy users on the site, he was a bigger target than most, so he being compromised was (I don’t wanna say more likely, but I can’t think of a better word) more likely, because multiple users, using multiple different tactics, were constantly targeting him.

so the rule isn’t 100% in stone, but you know, I think it’s more for ignorance than actually losing your items (losing your items by doing offsite deals etc, purposefully breaking roblox rules)

4 Likes

As you mentioned, phishing methods evolve over time, so even if someone is very careful to avoid certain vectors of attack, a new method may pop up later that they don’t know about. This has nothing to do with education @Materking at this point because even though the user has already educated themselves on past approaches, they may fall victim to a new method that not many people have heard about.

I work in my university’s Information Security department, and one of our roles is to investigate how a user’s account was compromised. I can confirm Lilly’s statement that phishing is always evolving, and that there is always a new method of phishing that sometimes I wouldn’t even notice. If someone’s account was compromised in 2008, it would be ignorant to insist that they not fall victim to a single zero-day phishing method over the next ten years. We had a large number of devforum accounts compromised last year, so even tech-savvy users can’t avoid this.

10 Likes

Apologies for a bit of a late and lengthy response, but this issue is too important to me to ignore.

I have been collecting limited items since they were originally released. As years passed, the value of these items skyrocketed, and I found that my naive but evidently smart investments garnered me the equivalent of thousands of dollars in limited items. I was one of Roblox’s richest users. But then, I lost it all.

It wasn’t something I could’ve avoided, and I certainly never left the door open to it happening. I’ve always used two-factor verification, varying passwords, or whatever method there was available to secure my accounts. But, as Roblox (or ambiguously, the internet) has aged, the discovery and abuse of loopholes has become increasingly evident. A sophisticated attack like the one I faced is not as simple as downloading a sketchy .exe or giving my information to a phisher. My instance required the exploitation of various intricacies and loopholes that practically nullified the methods of security I sought. Nearly a year later, I still don’t fully understand everything the hacker did that allowed him to execute the breach so perfectly, but here’s what I do know: to access my Twitter and Google accounts, the hacker used loopholes to bypass mobile verification, allowing him to discover my personal email which my Roblox account was connected to; to access my Roblox account, he manipulated a Comcast security flaw in which he managed to claim that he was me, giving him access to my personal email and thus my Roblox account. These manipulations - quite literally out of my control - allowed him to steal thousands of dollars from me, not even taking into account the rare and otherwise sentimental items he deleted from my inventory.

I am forever grateful for the actions Customer Service is willing to take in these situations. Justice was served: he was banned, I was given back my robux and limited items (although not the deleted non-limiteds), and my account. But as Roblox continues to advance in value as a platform and income, the masterminds behind such attacks increasingly have reason to continue seeking devious ploys to breach the security of users. As a prime target for attack who has already been restored before, I face the harsh reality that if it happens again, I will lose everything permanently. To this day, I continue to take every precaution possible to prevent such an attack from happening again, but I am always reminded that workarounds are possible and will eventually emerge - seemingly, nothing is foolproof. With unease, I wonder: will my efforts even be enough?

There is definite merit to one-time restoration, being that it “inclines users to take precautions, so it isn’t Roblox’s fault if someone gets into their account”, but it’s not that one-sided. I’ve continually taken every precaution I could, and even then it didn’t even pay off. It’s pretty clear that, although there is value to just providing one restoration, providing multiple opportunities to senior or otherwise vulnerable users is definitely warranted.

15 Likes

It’s not inconsistent. ROBLOX does not require the allotted restoration when item loss is their fault. Linkmon’s account was most recently broken into because of a ROBLOX security flaw. I agree that restorations should be given after a certain period of time since the last account breach, but ROBLOX is not favoring users or anything with their current approach.

2 Likes

Ah, I understand. Admittedly, I didn’t know that, and it obviously changes the scope of the situation. I would like to clarify that I don’t believe that there is favoritism and I also do not intend to sound accusatory. I’ve now modified my reply to compensate for this detail and to alleviate what might be taken as accusation.

1 Like

Complete support for this.

Roblox is over a decade old. It’s downright brutal and unreasonable to uphold the one-time restore policy at this point. It is not reasonable to bar all users from another restore 5+ years after their first accident under the guise that it “educates users to be more careful”. Even the most careful, well-educated users can have their accounts compromised through an insane variety of constantly evolving methods, especially over long stretches of time.

Things you take for granted such as extensions and software can be clever impersonations, secretly malicious, or change for the worse without you ever knowing (eg. Stylish changing to track every website you visit, fake Chrome extensions). Sources you trust can provide false information (eg. YouTubers), people can be fooled by convincing phishing emails, people who aren’t you can be tricked into providing access to your accounts via social engineering, and nothing is preventing developers of popular extensions from selling or changing ownership to malicious parties. Nothing is ever completely secure. With accounts over half a decade old still very active on this platform, it’s insane to assume they’ll never have another accident, and unrealistic to pin that on them having “not learned” anything.

This approach is only fair when your one time use is per some number of years. Accidents will happen, and no amount of education can prevent that. Incidents through brief oversight or even through no fault of your own will realistically not happen to educated users more than once every few years. Users who get breached more often than that have bigger problems.

Allowing users to restore once every few years is by no means unreasonable.

18 Likes

The Problem:

Accounts nowadays have varying opportunities to be bruteforced and keylogged. The loss of items and Robux can be very damaging to a career of a Roblox developer. They might’ve wanted to use it for sponsoring or hiring team members for a game. Someone could have saved thousands of Robux for something like this; and then just lost it because they had already used their one time restore. There’s legitimately no way for a developer to get the thousands of robux they worked so hard for back. Other than the one time restoration, which shouldn’t be one time at all in my opinion. As I do believe the one time restoration is made to prevent abuse of the system. It doesn’t change the fact that this problem really needs to be fixed.

A Solution:

Limiting a restoration to a certain amount of years could help. If someone tries to change your email; enabling a certain amount of security questions so no one can get into your account. Or maybe 2FA account security upgrade. Just one of these changes could take a big step towards helping many developers, who have lost years and years of earnings.

12 Likes

I have recently had my account hacked and had a large sum of my items and Robux stolen. I’m not able to get any of this back as a little over 2 years ago my account was hacked, and I had to use my restoration on that. I have had my account for over 10 years and this policy is very disproportionately biased against older users.

Roblox is trying to market itself as a platform powered by the Players and a serious competitor toward the traditional gaming space. Any purchase on platforms like Steam is done using real-world money, which leaves lots of rules and regulations per country. Roblox on the other hand has its unique currency and isn’t bound to similar regulations. If there are fraudulent purchases on your Steam account you can call support, message your bank, and a variety of other things to fix the issue that doesn’t have a limit on them. It only takes two clicks on Roblox for someone on my account to transfer over $1000 worth of currency and items that are impossible for me to do anything about since an incident over 2 years ago. If I were to transfer $5000 between multiple bank accounts, my account would be locked, and I would need to verify my identity. Why would anyone want creating on Roblox to be a full-time job if the systems put in place don’t protect the creators at all? I could understand this policy back in 2008 when the economy on Roblox was relatively small and the developer exchange was not a thing. We are living in an age where the top games are making millions of dollars every year, and even creators who aren’t on the front page can still make a couple thousand per month. The way it is now if someone were to get into the account of any decently skilled game creator it could easily be the end of their career on this platform. If this platform is so volatile that at any moment you could lose everything you’ve built up, why would anyone join or even stay?

I want to present some ideas for changing this platform for the better.
–Roblox needs a better way to lock down and put restrictions on your account. I have set a PIN to prevent trading as I never trade, but all the PIN can do is lock your current account settings. Why can I not restrict purchases made on my account? There should be a way to require the input of a PIN on all transactions made. Force me to input my PIN to sell limited, buy any items, and anything that would require the transfer of Robux from the account. This alone would have saved me from losing all my stuff twice.
–Give the ability to give game passcodes, so random people can’t copy a game if they were on your account. (Same idea as locking transactions) Games are the lifeblood of the platform.
–The one restoration policy should be revised either by having one restoration that has a cool-down such as every 3 months or by removing this restoration limit entirely. If the only reason for this policy is to limit it from being abused then maybe add a minimum to the amount of Robux needed to be restored before there could be a restoration. In any case, you could argue this policy would be abused, but Roblox at this point should have a large enough staff to manage.

Sorry for the long rant, but I am just fed up with losing a lot of my time and money I’ve built up over the years. In just 30 mins over $1000 worth of Robux on my account was taken, a lot of which I was planning to DevEx at the end of the Summer and advertise my game. I’m conflicted because I really like the platform, but these policies just push me away and not want to recommend this site to anyone.

17 Likes

Pretty sure they will always be able to restore group ownership, it does not fall under item restore.

Try to take security more seriously in the future. Don’t run scripts, programs, extensions, etc that people send you. There are much more sophisticated phishing schemes than this and this applies to any part of your online presence – not just Roblox. You are the first line of your own defences.

Note that Roblox is working on TOTP (e.g. authenticator app codes to guard login / other actions): https://twostepverification.roblox.com/docs#/ (I assume it will release somewhere in 2021).

4 Likes

I’m glad to hear about the fact they will restore group ownership. I would also be really pleased to see TOTP apply, by default, to many important account actions, just like how Steam does it.

2 Likes