Recently, there has been an uptick in account compromises due to compromisers using leaked information, such as leaked Apple receipts and other information, to social engineer support into giving away the account they’re targeting. By the time you contact support, get your account back (if the compromisers didn’t self-terminate the account, which would increase the length of the process), and your rollback request is reviewed, they have already traded the items multiple times to different people, which makes getting a rollback insanely hard without support acting very quickly. You pretty much have only 2 days for a rollback, as that’s when the items become tradable (after they traded your items to their dummy storage account). From what I’ve seen, once the items are traded from this dummy account, getting a rollback is almost impossible.
Therefore, I believe Roblox should introduce a 7-day trade and selling lock when your account information is changed, like Steam already does. This allows you enough time to recover your account from a compromise without losing your valuable items, improving security on the platform by a lot, while not affecting the average player. The lock should also apply when Support changes the account information, to also protect against social engineering attacks.
This sounds like a pretty good idea. Some questions to get more clarity:
Which account info changes, specifically, should trigger the lock? Just passwords? Or other details as well? I think you have to be very precise here or else this could be useless/annoying.
If malicious actors breach an account remotely to steal items, would they necessarily trigger this lock? If so, then perhaps this account-based hold could completely replace the ineffective 2-day hold that is automatically applied to trades. This would be a really important UX change.
There are content creators with massive audiences (millions of subs/followers) who would love to stream trading but can’t do so because their items go on hold every 2 days.
Mostly email changes, as social engineering support into changing the account email using leaked info remains a primary method. Changing your password could also apply, or deactivating your 2FA. This shouldn’t affect the vast majority of players regularly.
I had a friend who was compromised after installing malware. The compromiser is unable to do anything with 2FA turned on; however, he social engineered my friend by sending him a good trade, which made him insert his 2FA (when 2FA is inserted, it doesn’t ask again for a few hours). After that, he immediately stole all his items. Unfortunately, his rollback was rejected as support responded too late and the compromiser had already traded his items away after the 2-day hold ended.
Unfortunately, this likely wouldn’t protect against RAT attacks.
This suggestion is mostly intended for you being able to recover your account in time in the case of a compromise where the account info is changed.
For example, there have been a few compromises recently where support was social engineered. The people in question did recover the account after a few days through support, but by then, the items are long gone and rollback chances are minimal. This gives plenty of time to recover the account without needing to request a rollback, which is a one-time thing. I hope this answers your questions.
I see, thanks. Overall I’d be interested in seeing this feature implemented.
For your friend’s case w/ the malware + 2FA bait, I think this could maybe be solved with a separate change that forces 2FA approval for all trades above 100k RAP (or just all trades in general, tbh). If smarter restrictions are implemented, I’m hopeful the 2-day trade hold can be retired one day.
I’m against support even being allowed to make changes to accounts but this is the next best option. Block all robux purchases, item sales, trades, and other transactions for 7 days if account info is changed via support. Can optionally do the same if 2FA is disabled.
It’d also be a nice feature to add to allow users to place blocks on themselves (for everything or certain things like trading/selling) that only lift after X period.
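To make the proposal in this thread concrete, here is an added example (not Roblox’s code, and not from any poster) of how such a lock could be evaluated server-side: email/password changes, 2FA being disabled, and any support-made change start a 7-day trade/sale lock, and a user can place a self-imposed block that only lifts after a chosen period. All event names and the data layout are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Changes that start the lock, per the thread: email or password change, 2FA
# disabled, or any change made by support (event names are constructed here).
LOCK_DURATION = timedelta(days=7)
LOCKING_EVENTS = {"email_changed", "password_changed", "2fa_disabled"}


@dataclass
class SecurityEvent:
    kind: str
    at: datetime
    by_support: bool = False  # support-made changes lock regardless of kind


@dataclass
class Account:
    events: List[SecurityEvent] = field(default_factory=list)
    self_lock_until: Optional[datetime] = None  # user-requested block

    def record(self, kind: str, at: datetime, by_support: bool = False) -> None:
        self.events.append(SecurityEvent(kind, at, by_support))

    def self_lock(self, at: datetime, duration: timedelta) -> None:
        # A self-imposed block only lifts after the period; it can be extended
        # but never shortened, so a compromiser cannot simply remove it.
        until = at + duration
        if self.self_lock_until is None or until > self.self_lock_until:
            self.self_lock_until = until


def lock_until(account: Account) -> Optional[datetime]:
    """Latest expiry across all locks, or None if the account was never locked."""
    expiries = [e.at + LOCK_DURATION for e in account.events
                if e.by_support or e.kind in LOCKING_EVENTS]
    if account.self_lock_until is not None:
        expiries.append(account.self_lock_until)
    return max(expiries) if expiries else None


def trade_allowed(account: Account, now: datetime) -> bool:
    """Trades and sales are denied while any lock is still active."""
    until = lock_until(account)
    return until is None or now >= until
```

Note that a later sensitive change restarts the full 7 days, so a compromiser who changes the email and then the password does not shorten the window.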