Securing your Account PSA

[Update] November 21, 2022


Hey developers!

This is a friendly reminder on how to keep your account secure. Lately, we have been investigating reports of fake Roblox phishing links directing users off-platform. Phishing is when an attacker sends a fake message attempting to trick a user into sharing important account or personal information. As an important reminder, you are one of the best defenses your account has. Be cautious, be safe and make sure to remember these important tips:

  • Never click on links or give your Roblox login credentials on sites you do not recognize. When you log in, ensure you are logging into Roblox by verifying the URL in your browser (see the attached image). Roblox platform links will always start with www.roblox.com (not www.roblox.com.tz or any other variation).

  • Do not click on any links or give credentials to any site advertising free or discounted Robux.

  • If you ever receive an email from an account that looks like Roblox, check if the sender email address is “@roblox.com”. If it is not an “@roblox.com” email address, you can contact our Customer Support team at www.roblox.com/support to check or alert them to a suspicious email.

  • Never share your screen with others while you enter or change any login credentials.

  • Roblox moderators and Customer Support will never ask for your password, 2 Step Verification code, screen share or use of a 3rd party app/browser extension to access your system, so do not share with anyone requesting this information.

Add additional layers of security to keep your account secure:

  • Turn on Authenticator 2 Step Verification by going to Account Settings > Security
  • Passwords should be a mix of special characters, numbers, and lowercase/uppercase characters and be at least 15 to 25 characters long. They should also be unique (i.e. not “password123” or “abcdefg”).
  • Consider utilizing a password manager so you never have to reuse passwords.

Remember to follow these tips even if a message is coming from a friend or friendly face. If a family or friend’s account is compromised, phishers can use that connection to phish or gather more information about you. If you would like to learn more about this, check out this article: Keep Your Account Safe - Roblox.

Regards,

Developer Relations Team

229 Likes


So one major motivation that thieves have to breach into users’ accounts is the large amount of valuable limited items that we have in our inventories. Over the years, as limiteds have grown in value, this has only made it more and more rewarding for anyone successful in breaking in. David Baszucki recently mentioned in an interview that “there are items on Roblox worth twenty thousand dollars”. There are sites out there which will let you see, at a glance, which users have the most valuable inventories across the platform.

While we’ve seen occasional updates to trading over the years, I believe there’s still a lot of room for improvement. We don’t even have the ability to require a 2-factor confirmation when accepting trades, something Steam has had for years at this point. Will we be seeing improved security for buying and trading items in the near future?

67 Likes

Thank you! There’s been a crazy amount of accounts stolen because of these reasons, and all you need to do is take a second to set up 2 factor authentication or get a password manager to properly secure your account.

17 Likes

Just a suggestion, maybe lock accounts if a login was done by an unknown IP (one that you haven’t used)… And if you’re trying to login from a new address, send an email confirmation?

Also move the site report somewhere else other than DMCA as not many people will know where it is

Just some category like “Report offsite content”

32 Likes

Something else I want to point out, since this has happened in the past:

Got an “@roblox.com” email that looks illegitimate? If you use an email client that is capable of showing the email headers, you can confirm validity by checking to see if the header contains a “Received:” tag that starts with “##.email.roblox.com”. This header is incredibly hard to fake.

If you use gmail, here’s how to check:

  1. Open the email
  2. Click the Three Dots menu
  3. Click “Show Original”.
  4. In the new window that opens, search for a “Received:” tag that includes “email.roblox.com”
(The post attaches an all-in-one picture that demonstrates the process, highlighting the tag you want.)

11 Likes
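The check described in the post above (look for a “Received:” header naming email.roblox.com), as an added example that is not part of the original thread. The two raw messages are constructed samples with made-up hostnames and RFC 5737 documentation IP addresses; only the domain being checked comes from the post. The example also shows the caveat a practitioner would want: only the Received: line your own mail provider wrote can be trusted, because every line below it was added upstream and a sender can simply type one in.

```python
import re
from email import message_from_string

# Constructed sample of a raw message as "Show original" would display it.
# Hostnames and IPs are made up (RFC 5737 documentation addresses); only the
# domain being checked, email.roblox.com, comes from the post above.
# The first Received: line is the one the recipient's own provider added
# when it accepted the message; later lines were added further upstream.
SAMPLE_LEGIT = """\
Received: from o1.email.roblox.com (o1.email.roblox.com [203.0.113.10])
 by mx.example.net with ESMTPS id abc123
 for <dev@example.net>; Mon, 21 Nov 2022 10:00:00 +0000
Received: from app-host (localhost [127.0.0.1])
 by o1.email.roblox.com with ESMTP id xyz789;
 Mon, 21 Nov 2022 09:59:58 +0000
From: Roblox <no-reply@roblox.com>
Subject: Account notice

Body text.
"""

# Constructed forgery: the top hop (written by our provider) shows the real
# origin, while the lower Received: line naming email.roblox.com was simply
# typed in by the sender before the message left their server.
SAMPLE_FORGED = """\
Received: from mail.evil.example (mail.evil.example [198.51.100.7])
 by mx.example.net with ESMTP id def456;
 Mon, 21 Nov 2022 10:05:00 +0000
Received: from o1.email.roblox.com (o1.email.roblox.com [203.0.113.10])
 by mail.evil.example with SMTP id fake001
From: Roblox <support@roblox.com>
Subject: Urgent account notice

Body text.
"""

FROM_HOST = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def received_hops(raw: str) -> list:
    """All Received: values, most recent hop first, with header folding collapsed."""
    msg = message_from_string(raw)
    return [" ".join(value.split()) for value in (msg.get_all("Received") or [])]


def sending_host(hop: str) -> str:
    """Hostname named in the 'from' clause of one Received: value ('' if none)."""
    m = FROM_HOST.match(hop)
    return m.group(1).lower() if m else ""


def host_under(host: str, domain: str) -> bool:
    """True when host is the domain itself or a subdomain of it (label boundary)."""
    return host == domain or host.endswith("." + domain)


def header_mentions_domain(raw: str, domain: str = "email.roblox.com") -> bool:
    """Naive check: does *any* Received: line mention the domain? Forgeable."""
    return any(domain in hop for hop in received_hops(raw))


def came_from_domain(raw: str, domain: str = "email.roblox.com",
                     trusted_hops: int = 1) -> bool:
    """Trusted check: only the first `trusted_hops` Received: lines (the ones
    our own provider wrote) are consulted, and one of them must say the
    message was handed over *from* a host under `domain`."""
    return any(host_under(sending_host(hop), domain)
               for hop in received_hops(raw)[:trusted_hops])


if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("forged", SAMPLE_FORGED)):
        print(name, "mentions domain:", header_mentions_domain(raw),
              "verified origin:", came_from_domain(raw))
```

`trusted_hops` defaults to 1 because in the samples the provider adds a single line; a real provider may write several Received: lines of its own before the first upstream one, so count how many your provider adds (they name its own servers in the “by” clause) and set the parameter accordingly. The substring check is kept only to show why it is not enough: it passes the forged message, the origin check does not.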

Is it still a recommendation that we do not link our phone number to our account to prevent Sim Swapping?

11 Likes

Great. How would mobile users do that though?

(it doesn’t exist)

Reminder, most Roblox players are on mobile devices and are prone to phishing (since many are children and are easier to trick)

5 Likes

Sorry if this is off topic but I’d just like to say that account security goes farther than just securing the log-in. You have to consider that an account’s Robux, its most valuable asset, can be exchanged with just a click.

Purchases are currently not secured at all, it only takes 1 click to completely drain your account in some cases. Incidents in the past where users were able to hide the prompts and get people to click showcase how damaging this is.

You should seriously consider options to make purchases more secure. Maybe a 2FA for large purchases or a captcha to ensure that the purchase is intentional. Many people lose Robux without having their accounts compromised because of flaws with the purchase system.

Attackers will always target the weakest link in the account security chain, and Roblox has serious work to do on purchase prompts.

See:

https://devforum.roblox.com/t/the-scam-that-hides-the-purchase-popup-is-back/1793279

12 Likes

This functionality doesn’t exist on the default Gmail mobile client, but there are alternatives that let you do this. My preferred is Aquamail (Google App store only, unfortunately)

It still doesn’t let you see the original headers, but you can “favorite” a sender, which as far as I can tell, uses those specific headers (i.e. you can favorite something from an internal email address that wasn’t meant to be a link, oops instead of just @roblox.com)

(also it supports any IMAP or POP3 email address)

5 Likes

One recent scheme going on involves “wanting to use your avatar for a render.” This was attempted on me twice within the last week. I knew not to use the Chrome extension thing or whatever it was they wanted me to use and got a .obj file of my character safely. I got no response from them after sending it during the first attempt. The second time, I shut it down fast and moved on.

Remember not to use any special downloads anyone may suggest! If you can’t use Roblox itself to do something, it’s best not to do it at all.

5 Likes

I already signed up for 2FA, but it keeps on telling me I should sign up for it. Is that a bug or does it mean I have to re-set it up?

3 Likes

I’d also like to point out that attacks that can successfully fake an @roblox.com email address are rare, since Google has implemented so many security controls on SMTP headers that it’s almost (but not) impossible to pass all the checks successfully. Even then, you’d still basically be blind-firing since you’d have to give up useful things like read receipts and Reply-To (meaning you won’t receive replies)

3 Likes

When will Roblox remove the 14 days wait period for groups and instead require 2 factor authentication check to be completed before Roblox completes the payout transaction?

Also when will trading and purchasing high value items require 2 factor authentication check?

11 Likes

I feel like it is worth noting that blox.com / ro.blox.com is an official Roblox domain. These links are used for share links generated on mobile.

Post going more in-depth: Replace the ro.blox.com share link with the normal Roblox domain

7 Likes
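The URL check from the PSA (links must be under www.roblox.com, not www.roblox.com.tz or another variation) together with the note just above that ro.blox.com is also an official domain, as an added example that is not part of the original thread. The sample links are constructed; the official-domain list is taken from those two posts and would need to be maintained if Roblox adds domains. The point it demonstrates is that the comparison has to end at a label boundary: a prefix match on “www.roblox.com” is exactly what “www.roblox.com.tz” exploits.

```python
from urllib.parse import urlsplit

# Domains this thread names as official: roblox.com from the PSA, and
# ro.blox.com, which a later reply identifies as the mobile share-link domain.
OFFICIAL_DOMAINS = ("roblox.com", "ro.blox.com")

# Constructed sample links, the kind a user would be asked to judge.
SAMPLE_LINKS = (
    "https://www.roblox.com/login",
    "www.roblox.com/support",
    "https://ro.blox.com/g/abc123",
    "https://www.roblox.com.tz/login",          # extra TLD tacked on
    "https://roblox.com.example.net/free-robux",  # official name as a prefix
    "https://www.roblox.com@evil.example/login",  # userinfo trick: real host is evil.example
    "https://free-robux.example.org/claim",
)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL ('' if none). A bare 'www.roblox.com/x'
    gets a scheme prepended so urlsplit treats the first part as the host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_official_host(host: str) -> bool:
    """True only when host equals an official domain or sits under it on a
    label boundary. 'www.roblox.com' passes; 'www.roblox.com.tz' and
    'roblox.com.example.net' fail because the hostname must *end* with the
    official domain, not merely contain or start with it."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_link(url: str) -> str:
    """'official', 'lookalike' (brand name present but not an official host),
    'third-party' or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if is_official_host(host):
        return "official"
    return "lookalike" if "roblox" in host else "third-party"


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):12} {host_of(link):32} {link}")
```

Using `urlsplit().hostname` rather than string searching is what makes the userinfo case come out right: the visible “www.roblox.com” before the `@` is a username, and the browser connects to evil.example. The “lookalike” label is only a heuristic for triage; anything not classified as official should be treated as untrusted regardless of the label.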

Please add mobile 2FA support for Windows 10. It’s ridiculous that I have to turn it off, log in, and turn it back on again, just to use the Win10 client.

Also, some sort of automated system for detecting PM scams would be great. There was a point where I was receiving this type of message daily, with little variation. It seems to have stopped now, but I have no doubt that these PM bots will become a thing again in the future.

There’s also the classic scam where someone tells you your account got flagged for “unauthorized purchases”, and that they’re a special power user within Roblox and you must contact them to get things taken care of. I was getting those daily too, and they were through Roblox PMs. The user would buy an old account to send these PMs to try and seem more legitimate, which would end up getting locked or terminated.

13 Likes

Maybe it could be implemented like the pin so you can pay out for 5 minutes or lock it early.
It might be annoying but needed. It could also be opt in as long as people know about it.
Same for purchases in my opinion.

4 Likes

I would recommend using the website version; it supports VIP links and also recording.
And at least in my experience it’s also way less laggy.
But I agree with you such basic feature should work properly.

1 Like

Some people prefer the Windows 10 client you know. Plus, I find Roblox recording quite depressing (idk why) so I would choose Nvidia Experience or whatever AMD and Windows offer

And yes, they should really implement 2FA for the client

2 Likes

Maybe they could even implement physical security keys. But I’m not sure if many people have such keys.

4 Likes