Extend list of features which require PIN

As a Roblox user, it is currently too hard to protect yourself from being compromised. The only real protection right now is the PIN code, which is only available for changing settings and transferring groups (and that’s why such things do not take place so often). Your account is vulnerable to breaches via Facebook / email / telephone number, and when that happens the PIN is the last and most crucial protection layer.

So could we please have PIN code requirement extended to other features?

It is important to patch methods that let people access others’ accounts without authorization, but a complete fix won’t ever be possible. People will always face social engineering attempts which might succeed, therefore it is more important to mitigate issues after the account is already compromised.

The PIN is a perfect tool for that as it is not login-related at all. If the user forgets it, changing it is possible but requires a few days to be processed by support.

Those could be:

  • purchasing and selling limiteds (!!!) - the limiteds system is outdated and severely flawed. It is currently the only way of transferring funds if the account is breached and has restricted trades (along with PIN protection). It doesn’t require much effort as transactions done with this method are instantly processed and don’t require any authorization.


Another flaw related to limiteds

Making this change would make reverting unauthorized transactions much easier. Account comps wouldn’t be as harmful as they are now.

  • payouts - adding a PIN requirement to payouts would prevent unauthorized group payouts. I don’t think that would make processing payouts less comfortable but it would help a lot. The person who broke into the account wouldn’t be able to pay out money to themselves. Currently they can just pay out money to the breached account (group owner) and then transfer it using other methods.

  • purchasing items - could be a good long-term plan to have it as an additional requirement. This is not as important as the other elements as those transactions already have a 7-day pending time.
    NOTE: Might require additional consideration as people can still fall for in-game scam GUIs which ask for the PIN and look like purchase modals.

In the long term this change could be replaced with the planned 2SV update mentioned by @buildthomas in the posts below.

14 Likes

No, a PIN is way too weak for this. It’s only 4 numbers long and a static value. PIN is intended for parents to lock their children out of changing account settings without their consent, not as an actual account security feature.

We should get proper 2SV methods such as an authenticator app with time-based one-time passwords (TOTP). This is much more secure because it is a true second auth factor. Attacking a PIN code is way too easy.

Roblox is already working on TOTP integration: https://twostepverification.roblox.com/docs#/ (see Authenticator section)

18 Likes

I’m not sure about that one. 2SV methods won’t really protect you after an account is already breached. I also doubt that Roblox adds a separate cookie for that. Seeing how ROBLOSECURITY works now, it will still be stored as one cookie with no additional checks (accessed IP address comparison, etc). Even if Roblox plans to add additional checks for that to ensure it’s safe, that will require a long time to be implemented as it modifies their current system a lot. It would also be harmful to users as it would have to log them off every time their IP changes to be really secure at all…

I am aware that Roblox is working on TOTP, but as you see - it doesn’t solve anything. It might be one additional cookie that is still vulnerable to attacks.

Probably, but it gives support a lot of time to react before any money is stolen. Worth mentioning that the PIN already has rate limits implemented, so it is not so easy to guess.

That’s a shame, I really wish it was.

4 Likes

Sorry what? Yes it will, this is the point of 2SV. The attacker wouldn’t have access to e.g. your phone where the authenticator details live for generating temporary 2SV codes.

They can put 2SV code prompts on sensitive actions. Even if the attacker steals your cookie, they wouldn’t be able to do those sensitive actions without a 2SV code.

Not really, there are only 10k combinations for an attacker to try, and they will typically find the PIN within 5k attempts on average (and fewer when using a list of the most common PIN values from elsewhere to poll likely PIN values first). This is trivially automated. Not sure what rate limits exist on the API but I assume it’s not that well-throttled since again, this is meant as a parental safeguard feature for kids 13- and not to protect against account security threats.

1 Like
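The “2SV code prompts on sensitive actions” idea above, as an added illustration that is not Roblox’s code or API: a minimal RFC 6238 TOTP generator plus a step-up gate that refuses a gated action when only the session cookie is presented, and rejects a code that has already been used in its time step. `RobuxSpend` is the action name from the thread; `GroupPayout` and `LimitedSale` are assumed names for illustration, and the shared secret is the RFC reference-vector key, not a real credential.

```python
import hmac
import hashlib
import struct

# Constructed 20-byte shared secret: the RFC 4226/6238 reference-vector key,
# used here only so the output can be checked against the published vectors.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30   # standard TOTP time step
DIGITS = 6          # standard code length

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the floor(time / step) counter."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226 5.3)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

class SensitiveActionGate:
    """Step-up check for sensitive actions, independent of the session cookie.

    Having a valid session (a stolen ROBLOSECURITY-style cookie) is necessary but
    not sufficient: gated actions also need a fresh, unused code from the device
    that holds the TOTP secret. 'RobuxSpend' is from the thread; the other two
    action names are assumptions for the example.
    """
    GATED = {"RobuxSpend", "GroupPayout", "LimitedSale"}

    def __init__(self, secret: bytes):
        self.secret = secret
        self.used_counters: set[int] = set()   # one code per time step, no replay

    def authorize(self, action: str, session_valid: bool, code, now: int) -> bool:
        if not session_valid:
            return False                        # no session at all
        if action not in self.GATED:
            return True                         # ordinary action: cookie is enough
        if code is None:
            return False                        # cookie alone cannot pass the gate
        counter = now // STEP_SECONDS
        # Accept the current step and the previous one to tolerate small clock skew.
        for c in (counter, counter - 1):
            if c in self.used_counters:
                continue                        # code for this step already consumed
            if hmac.compare_digest(totp(self.secret, c * STEP_SECONDS), str(code)):
                self.used_counters.add(c)
                return True
        return False
```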

If you take a close look into how the current 2FA works, you’ll notice its downsides. Currently the .ROBLOSECURITY cookie is given to the browser AFTER the user passes the 2FA gate. No additional checks or variables, that’s why accessing an account is as simple as having its cookie.

This is a fair point and such a solution would be much better than adding a PIN requirement, but until that happens - it is a perfect temporary fix. After all, the PIN requirement has already been implemented for group transfer (which is beyond locking children out of changing account settings without their consent).

Please take a look into this post.

Yes, please read my reply again. I’m saying Roblox can implement 2SV gates (instead of PIN gates) on other features. Basically your feature request, but 2SV checks instead.

Currently there are no 2SV/PIN gates on developer features apart from the one on groups, correct.

I really hope that happens. And sorry - with 2SV I was referring to the current mail “2FA” gate, which is vulnerable to many attacks. I thought you assumed this particular gate would be fixed completely after the TOTP update is implemented, and I don’t think this will happen as it would most likely require critical changes to the auth system.

After taking a closer look into the current TOTP API doc I can see that it only aims to solve the “purchasing items” issue (“RobuxSpend” option in the actionType), which isn’t as dangerous as others thanks to the 7-day funds pending time.


We also can’t predict when that change goes live. Adding a PIN requirement as a quick & temporary fix wouldn’t be harmful and would for sure save lots of people from losing their savings.

Only currently* aims, it’s an enum so they can (and likely will) add more enum items over time as they decide what features to put 2SV checks on.

I’d rather Roblox not spend X hours on PIN checks first and then Y hours on 2SV checks if they can just spend Y hours on 2SV checks right away. Especially since this is technically outside of the scope of PIN.

It really depends on how long it will take until the 2SV is released (and if those checks are a part of the initial release). The PIN code doesn’t seem to have lots of back-end nor front-end stuff. I can see that the PIN doesn’t even have a prompt right now when trying to transfer a group (the person has to visit settings, unlock the PIN and then transfer), so if it is nothing more than an “is PIN unlocked” check (Authentication Api - endpoint for that) it is worth implementing.

I would’ve preferred HOTP, not TOTP, however that’s not relevant for this discussion.

Replying to OP
The owner cannot pay out new members for an undisclosed period of time after joining a group, which, if you have manual join enabled, makes this a non-issue since you can get through to support.

I am aware - this only prevents payout automation.
The attacker can still pay out the money to an account which:

  • has already been in the group for quite some time
  • is the account which has been breached

Basically - nothing prevents the attacker from paying out all the money to the compromised account and then transferring it to other accounts with other methods (e.g. by selling limited items).

1 Like