Option To Disallow Trades For 7 Days After Password/Email Change

I bet this has been said before, but why is this still not a thing?

Steam does this if you have Steam Guard (WHICH YOU SHOULD), and when it really boils down to it, if someone gets into your account, and steals a R$2,500,000 item, they just stole $6,250 from you. When value is that high, we need more protection. Should be implemented like so:

You HAVE to opt in. It is an additional layer of security for those who want to protect their limited items (which are often worth more than your ROBUX count) from theft.

Within 7 days, any account stealing would be resolved, and this guard would even REDUCE the number of attempts.

It would also activate if the IP address is unknown, and also if the .ROBLOSECURITY cookie expires in more than 22 days (7 days).

Anyway, have to opt in. From there:

Any personal account change puts the account into “Lockdown Mode”. You cannot sell any limited items, trade any limited items, and if you choose to disable said lockdown, it takes 7 days to disable (so I can’t gain access to user X, turn it off, and steal items).

Poll time (every request should have a poll)

First:
Would You Use Such A Feature

  • No
  • Yes

0 voters

Second:
Regardless of the first poll, should this be a feature?

  • Yes
  • No

0 voters

Finally:
Would you want an optional “No ROBUX Spending” as well? This could be disabled and still restrict limited items from moving. This is just to protect your ROBUX. Optional due to obvious results (can’t buy new things, can’t buy dev products, can’t make audio, etc.)

  • Yes
  • No

0 voters

So what if they get into your account, trade, THEN change password? Because this is AFTER password/email change.

What if instead, you had to verify a new IP address for trading? I mean… it could work.

  • Guy steals .ROBLOSECURITY
  • Can’t actually steal anything because it doesn’t allow it from that IP address
  • Can still play games and such just fine.

As long as it only stays with trading, payouts, and any valuable things, it shouldn’t affect stuff like gaming and such.

2 Likes

Yeah, I forgot to add that bit. Steam Guard actually uses MAC address cookies, with 2FA.

But Roblox is all browser-based, and MAC addresses wouldn’t work in this case.

I didn’t even mean to put MAC address lol. Was just thinking that exact same thing.

In theory, this would work best once 2FA comes out, and used in conjunction with it. The guard should be based on the cookie’s expiration. I’m actually going to test something.

Edit:

Cookies are good for one month, so to prevent what @ghostleader said, the system should check that there are 22 or fewer days left before the cookie expires. I tested, and adding my cookie to an incognito window reset the cookie’s expiration date. I will add to OP.
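The lockdown rules from the opening post (opt-in only, 7-day trade freeze after a password/email change, 7-day delay before the guard can be switched off, unknown-IP check) combined with the cookie-expiry rule from the edit above, as an added Python example written for this thread; it is not code from Roblox or from any poster, and the account fields, IP addresses, dates and the 22-day threshold behaviour are constructed sample values and assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
LOCKDOWN_DAYS = 7              # trade freeze after a credential change; also the delay to switch the guard off
COOKIE_REFRESH_THRESHOLD = 22  # more than 22 days left means the cookie was (re)issued within the last ~7 days

@dataclass
class Account:
    guard_opted_in: bool                         # the guard is strictly opt-in (hypothetical model)
    last_credential_change: datetime             # most recent password or email change
    known_ips: set = field(default_factory=set)  # addresses the owner has verified
    disable_requested_at: Optional[datetime] = None

def cookie_looks_reissued(cookie_expires_at: datetime, now: datetime) -> bool:
    # Thread's observation: pasting a cookie into a fresh browser resets its one-month expiry,
    # so a session with more than 22 days left has not been in continuous use by the owner.
    return cookie_expires_at - now > timedelta(days=COOKIE_REFRESH_THRESHOLD)

def trade_allowed(acct: Account, now: datetime, client_ip: str,
                  cookie_expires_at: datetime) -> Tuple[bool, str]:
    if not acct.guard_opted_in:
        return True, "guard not enabled"
    # Switching the guard off only takes effect after the cooling-off period,
    # so an intruder cannot disable it and trade in the same session.
    if acct.disable_requested_at and now - acct.disable_requested_at >= timedelta(days=LOCKDOWN_DAYS):
        return True, "guard disabled after cooling-off period"
    if now - acct.last_credential_change < timedelta(days=LOCKDOWN_DAYS):
        return False, "lockdown: password/email changed within the last 7 days"
    if client_ip not in acct.known_ips:
        return False, "lockdown: unverified IP address"
    if cookie_looks_reissued(cookie_expires_at, now):
        return False, "lockdown: session cookie re-issued recently"
    return True, "trade permitted"

def demo() -> dict:
    """Constructed scenarios (sample data, not real accounts); returns {scenario: allowed}."""
    now = datetime(2024, 1, 20, tzinfo=timezone.utc)
    ip = "203.0.113.5"
    stable = Account(True, now - timedelta(days=40), {ip})
    just_changed = Account(True, now - timedelta(days=1), {ip})
    cooled_off = Account(True, now - timedelta(days=1), {ip}, now - timedelta(days=8))
    old_cookie, fresh_cookie = now + timedelta(days=10), now + timedelta(days=30)
    return {
        "owner on known ip with long-lived cookie": trade_allowed(stable, now, ip, old_cookie)[0],
        "stolen cookie pasted into fresh browser": trade_allowed(stable, now, ip, fresh_cookie)[0],
        "unverified ip": trade_allowed(stable, now, "198.51.100.9", old_cookie)[0],
        "password changed yesterday": trade_allowed(just_changed, now, ip, old_cookie)[0],
        "guard disable requested 8 days ago": trade_allowed(cooled_off, now, ip, old_cookie)[0],
    }
```

Note that the cooling-off check runs before the credential check, so the owner's cancel path is the only thing standing between a pending disable request and an unlocked account; a real deployment would notify the owner when such a request is made.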

Skilled hackers sit on accounts anyway before making drastic moves with them. I know for botting at least, we worked around account age restrictions by cycling accounts through a database and ‘aging’ them by making them ahead of time and letting them sit, with a simple log-in-and-do-X-task script.

Then again, this is Roblox and is unlikely to attract that kind of attention, but to make it better, it should also alert your email if someone from a different IP logs in to your account if you have this feature enabled, that way the red flags start going off even if the hacker is just snooping around first instead of acting on his newly-gained access.

1 Like

How about getting an email warning being sent if a trade is made and the outgoing value is much higher than the incoming value (like 3 rare Limiteds for a cheap hat)? If the email is not verified within 24 hours, the account is locked until the email is verified. It might be more difficult to track Robux transactions, but I suppose a similar method could work.

(This could probably be a separate post, but since we’re already talking about account and Limiteds theft)

2 Likes

Neat thinking. I’m pretty sure this could be expanded into a more elegant idea.

As long as there is no “change of IP activates security stuff” I’m ok with it.
I have a dynamic IP, so my IP changes every day.
(At home. Count for going to school or other places and you’re doomed)

Unless I’m mistaken, when IP address changes, the cookie is still valid.

But if your protection utilises the IP address, the security still kicks in for yourself.

What I mean, is obviously if the cookie is still valid, it’s the same device.

If I sign in at home, go through the guard stuff, then sign in on my same laptop at my pal’s house, it will see that while the IP is different, the cookie is still valid. Due to that, it goes: same device was authenticated, let in without throwing flag.

So basically nothing changes.
That’s how the cookie gets used currently.

Maybe something can be done using browser data, but not just the User Agent:
http://whatsmyuseragent.com/
A combination of timezone + user agent would work nicely.
You would have to log in again if you change timezones, but that shouldn’t happen every day.
User-Agent would change when your browser updates (or W8 to W10 etc.), which is fine.
Browsers don’t update every day either (I think), although Chrome updates every 3-7 days it seems?
(Well, stable releases are every 2/3 days. My Chrome only tries to update when I go to the “About” tab)
EDIT: Link User-Agent to cookie/session. Allows to be logged in on mobile and pc at once without trouble.

It would additionally be nice to completely lock your account. Every trade or item buy would have to be authorized with your password or 2-step auth (whenever the heck that’s coming). Additionally, you can make 1 certain computer ‘trusted’ to allow purchases/trades as normal. This feature would be optional but I’d certainly use it.

I had a great idea about further account security a few months ago, I’ll try and find it.

1 Like

The problem with locking the account if the email isn’t verified is if you lose your email (lost password, account deleted) then you basically lose your account. Putting a hold on the account when the email is changed should be sufficient.

I would recommend what Steam does for trading and have a verification for each trade. Steam uses the mobile app for verification, but using an email should be fine. Any user should be able to opt out of this with an email verification or by changing their email with a 7 day trading freeze.

I think the real thrust here is that Roblox could do something more with account security, and that we can all agree that we’d rather they do that before other website changes (that are also needed, but don’t cause nearly as much heartache when gone wrong).

Moving forward, I’d like to see any feature that could be used to lock down accounts, and the idea to make them optional is definitely a good point, as it won’t interrupt casual users.

This feels like a band-aid to protect one feature while leaving the rest open to abuse.

2-factor auth solves this problem. I think that should be an extremely high priority.

How does 2 factor auth solve people getting our ROBLOSEC cookies?

It doesn’t, your login cookie does not depend on authentication. @AbstractAlex might be referring to force login attempts.

1 Like