Login History and Geolocation

It’s 2017, and cybercrime is always on the rise.

Sites like Google and Twitter have login history and send a regular report to the account's email. I feel like ROBLOX could use the same.

Many people get hacked, especially through downloading malware and bad extensions.
We already have 2FA, but the .ROBLOSECURITY cookie can bypass it.

I feel like ROBLOX should know where you are accessing the site from and show a history of it in your emails. Each entry (a place where the site was accessed) will show the location and the time, and even the IP. Users can choose to opt in or not.

If a hacker does log in to your account and does bad things to it, it will show up in the logs. Even if he had a VPN and set it to Germany or something, and you live in Florida, it’d seem sketchy. Therefore when contacting ROBLOX customer support, you can simply present your proof that you were hacked and it’d make the job easier for them.

Plus, it’s a solid indicator if you were hacked.
Often, the hacker may not touch your account at all, but copy places you have, and ultimately leak them.

There’s a button in the settings saying “Send login history” in the security tab and it will do so. Of course there’s a “cooldown” because the hacker could spam your email by clicking it too much.
Also, since it is sent to your email, the hacker probably doesn’t have access to it (unless he has RAT-ted you, hopefully that’s rare :grimacing:) so you could feel safe that the IP and the location you receive is privatized.

There’s also the option, aforementioned, to opt in and out of the monthly/weekly log of logins sent to your email. It’s shown as a checkbox below the “Send login history”.

I believe that this could help the security system be a bit more robust when paired with 2FA, and prevent future hackers from hacking others’ accounts.

28 Likes
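As an added illustration of the feature described in the post above (not code from the post or from Roblox), the following Python sketch records login entries with time, IP and location, implements the “Send login history” button with a cooldown, and the opt-in checkbox for the periodic email. The geolocation table, the 10-minute cooldown, the email address and the IPs are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed lookup table standing in for a geolocation database.
GEO_LOOKUP = {
    "203.0.113.7": "Orlando, Florida, US",
    "198.51.100.22": "Berlin, Germany",
}

# Assumed cooldown for the manual "Send login history" button, so the
# button cannot be used to flood the account's mailbox.
SEND_COOLDOWN = timedelta(minutes=10)


@dataclass
class LoginEntry:
    when: datetime
    ip: str
    location: str


@dataclass
class Account:
    email: str
    history: List[LoginEntry] = field(default_factory=list)
    periodic_report_opt_in: bool = False      # the checkbox below "Send login history"
    last_manual_send: Optional[datetime] = None


def record_login(account: Account, ip: str, when: datetime) -> LoginEntry:
    """Append one login entry; an IP missing from the lookup is recorded as 'unknown'."""
    entry = LoginEntry(when=when, ip=ip, location=GEO_LOOKUP.get(ip, "unknown"))
    account.history.append(entry)
    return entry


def format_report(account: Account) -> str:
    """Plain-text report listing every entry: time, location, IP."""
    lines = [f"Login history for {account.email}"]
    for e in account.history:
        lines.append(f"{e.when.isoformat()}  {e.location}  ({e.ip})")
    return "\n".join(lines)


def request_manual_report(account: Account, now: datetime) -> Optional[str]:
    """The "Send login history" button: returns the report, or None while the cooldown is active."""
    if account.last_manual_send is not None and now - account.last_manual_send < SEND_COOLDOWN:
        return None
    account.last_manual_send = now
    return format_report(account)


def periodic_report(account: Account) -> Optional[str]:
    """The scheduled weekly/monthly email: only produced when the user opted in."""
    if not account.periodic_report_opt_in:
        return None
    return format_report(account)


def demo() -> dict:
    """Runs the flow on constructed data and returns each result for inspection."""
    acct = Account(email="player@example.com")  # constructed
    t0 = datetime(2017, 3, 1, 12, 0, 0)
    record_login(acct, "203.0.113.7", t0)
    record_login(acct, "198.51.100.22", t0 + timedelta(hours=3))  # looks sketchy next to Florida
    first = request_manual_report(acct, t0 + timedelta(hours=4))
    second = request_manual_report(acct, t0 + timedelta(hours=4, minutes=5))   # within cooldown
    third = request_manual_report(acct, t0 + timedelta(hours=4, minutes=10))   # cooldown expired
    weekly = periodic_report(acct)                                             # not opted in yet
    acct.periodic_report_opt_in = True
    weekly_opted = periodic_report(acct)
    return {
        "first": first, "second": second, "third": third,
        "weekly": weekly, "weekly_opted": weekly_opted,
        "locations": [e.location for e in acct.history],
    }


if __name__ == "__main__":
    print(demo()["first"])
```

The cooldown is enforced per account rather than per request source, since the point is to protect the mailbox regardless of who presses the button.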

This could be abused by claiming someone else had hacked you when the login attempt was made by you with a VPN.

Otherwise, yeah, I’d agree.

4 Likes

Aren’t there ways of detecting VPNs though? Granted I don’t know much about it but I’ve seen sites that detected if I were using a VPN or not.

That aside, I agree on the fact this could be abused.

1 Like

VPNs* :slight_smile:

I’m not sure - I think there is no proper way to do it (How do you detect a VPN or Proxy connection? - Stack Overflow).
The only real detectable & unique difference of a user when using a VPN is their IP - but that is what VPNs are designed to change, so really there is none.

Technically, on many VPNs you can just check what ports are open. There are a few key ports indicative of VPNs - however some VPNs use port 443 / 80 which makes it far more difficult.

Support! This would be great to have.

Honestly I don’t see why 2FA/MFA isn’t enough. You can also use 2FA on your email (at least on Gmail). Thus, even if someone got both your email and Roblox password, they’d have to have your physical phone to get in. So unless your best friend is trying to hack you, you’ll be fine.

I’ve had attacks like this happen to me, and the 2FA layer has prevented it.

Otherwise, just have some common sense and don’t download sketchy software. For instance, if a ROBLOX dev made software, I would highly recommend not trusting it. It could be malicious, or just vulnerable to attacks, since it’s probably made by someone with little software development experience.

2 Likes

Roblox’s target audience is young players. We can’t expect an eight-year-old to understand account security or hold them to the same standard we do ourselves – even adults sometimes have difficulty: we’ve had a number of account breaches at my university from employees not understanding that “URGENT CLICK HERE” is phishing.

Ideally users would be more secure with their accounts, but look where that’s gotten us. We’ve had multiple breaches even within the devforum since 2FA.

Roblox already logs IPs that access accounts, so this could already happen and would not be an issue for geolocation.

Rather than just notifying, it’d probably be a good idea to have an actual effect. If someone uses a desktop session from a different IP, we should invalidate that session and require logging in again. If someone uses a mobile session from a different geolocation, we should require logging in again. If someone’s logging in with the password from a different geolocation, then we can just do the notification.

Malicious users can already spam your email by using “Forgot Password”. We probably don’t need to worry about this too much until “Forgot Password” spam is resolved.

3 Likes
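The three-rule policy in the reply above (desktop cookie from a new IP: invalidate; mobile cookie from a new geolocation: re-login; password login from a new geolocation: notify), written out as an added Python example that is not from the thread or from Roblox. The session kinds, region labels and IPs are constructed for the example; the policy also handles reuse of an already-invalidated cookie by requiring login, which is an assumption beyond the post.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Action(Enum):
    ALLOW = "allow"
    INVALIDATE = "invalidate_session"   # kill the session; cookie stops working
    REAUTH = "require_login"            # ask for credentials again
    NOTIFY = "notify_user"              # send the "login from a new place" email


@dataclass
class Session:
    kind: str        # "desktop" or "mobile"
    ip: str
    region: str      # coarse geolocation label such as "US-FL" (constructed)
    valid: bool = True


@dataclass
class Account:
    known_regions: List[str] = field(default_factory=list)


@dataclass(frozen=True)
class Request:
    ip: str
    region: str
    session: Optional[Session] = None   # None means a password login; otherwise a cookie reuse


def evaluate(account: Account, req: Request) -> Action:
    """Decide what to do with one request according to the three rules."""
    if req.session is None:
        # Password login: a region never seen before only triggers a notification.
        if req.region in account.known_regions:
            return Action.ALLOW
        account.known_regions.append(req.region)
        return Action.NOTIFY

    s = req.session
    if not s.valid:
        # The cookie was already invalidated; nothing to reuse.
        return Action.REAUTH
    if s.kind == "desktop" and req.ip != s.ip:
        # Desktop IPs are stable, so a reused cookie from a new IP is treated as stolen.
        s.valid = False
        return Action.INVALIDATE
    if s.kind == "mobile" and req.region != s.region:
        # Mobile IPs change constantly (carrier NAT), so only a region change counts.
        return Action.REAUTH
    return Action.ALLOW


def demo() -> List[str]:
    """Runs a constructed sequence of requests and returns the chosen actions."""
    acct = Account(known_regions=["US-FL"])
    desktop = Session(kind="desktop", ip="203.0.113.7", region="US-FL")
    mobile = Session(kind="mobile", ip="192.0.2.10", region="US-FL")
    steps = [
        Request("203.0.113.7", "US-FL", desktop),     # same desktop IP
        Request("192.0.2.99", "US-FL", mobile),       # mobile IP changed, region unchanged
        Request("198.51.100.22", "DE", mobile),       # mobile cookie used from another region
        Request("198.51.100.22", "DE", desktop),      # desktop cookie replayed from another IP
        Request("198.51.100.22", "DE", desktop),      # replay after the session was invalidated
        Request("198.51.100.22", "DE"),               # password login from a region never seen
        Request("198.51.100.23", "DE"),               # region is now known
    ]
    return [evaluate(acct, r).value for r in steps]


if __name__ == "__main__":
    for action in demo():
        print(action)
```

Running it yields allow, allow, require_login, invalidate_session, require_login, notify_user, allow, which is the behaviour the reply asks for: a stolen desktop cookie stops working as soon as it is used from another IP, while a password login from a new place only produces the email.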

In a perfect world, 2FA is enough, but with things constantly changing and malicious people constantly trying to find new ways to attack users, it’s always better to provide more options for safety. Wouldn’t it be better to have an extra option and keep your account safe, rather than not have that and have a breach catch you by surprise?

Another thing to consider is that in the past, just a simple password was considered enough, and look where we are now. You say you defend yourself with two layers of 2FA for your account, because just a simple password isn’t as secure as you wish for it to be.

Roblox doesn’t have 2FA for the phone though like Google does, wish it did.

1 Like