Securing your Account PSA

Thank you! There’s been a crazy number of accounts stolen because of these reasons, and all you need to do is take a second to set up 2 factor authentication or get a password manager to properly secure your account.

17 Likes

Just a suggestion, maybe lock accounts if a login was done by an unknown IP (one that you haven’t used)… And if you’re trying to login from a new address, send an email confirmation?

Also, move the site report somewhere else other than DMCA, as not many people will know where it is.

Just some category like “Report offsite content”

32 Likes

Something else I want to point out, since this has happened in the past:

Got an “@roblox.com” email that looks illegitimate? If you use an email client that is capable of showing the email headers, you can confirm validity by checking to see if the header contains a “Received:” tag that starts with “##.email.roblox.com”. This header is incredibly hard to fake.

If you use gmail, here’s how to check:

  1. Open the email
  2. Click the Three Dots menu
  3. Click “Show Original”.
  4. In the new window that opens, search for a “Received:” tag that includes “email.roblox.com”.

[Foldout image] Here's an all-in-one picture that demonstrates the process, highlighting the tag you want.

11 Likes
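As an added example (not part of the post above or anything Roblox ships), here is a small Python script that automates the “Show Original” check from the steps above. It takes the raw message text as Gmail displays it, unfolds the header lines, and looks at the `Received:` hop that your own mail provider stamped, because that is the only hop whose “from” host the sender could not have written themselves. The two raw messages are constructed samples, `mx.google.com` is assumed to be the receiving host for a Gmail mailbox, and the `.email.roblox.com` suffix is the one the post names.

```python
import re

# Constructed sample: a legitimate message, as "Show original" would display it.
SAMPLE_LEGIT = """\
Received: by 2002:a05:6a00:1b2c:b0:3e1 with SMTP id q1csp1; Mon, 1 Jan 2024 10:00:03 -0800 (PST)
Received: from o12.email.roblox.com (o12.email.roblox.com. [192.0.2.10])
        by mx.google.com with ESMTPS id a1b2c3
        for <user@example.com>; Mon, 1 Jan 2024 10:00:02 -0800 (PST)
From: Roblox <no-reply@roblox.com>
To: user@example.com
Subject: Your password reset request

Body text.
"""

# Constructed sample: the bottom Received header is written by the sender, so a
# search for "email.roblox.com" anywhere in the headers would be fooled.
SAMPLE_SPOOF = """\
Received: by 2002:a05:6a00:1b2c:b0:3e1 with SMTP id q2csp2; Mon, 1 Jan 2024 11:00:03 -0800 (PST)
Received: from mail.example.net (mail.example.net. [198.51.100.7])
        by mx.google.com with ESMTPS id d4e5f6
        for <user@example.com>; Mon, 1 Jan 2024 11:00:02 -0800 (PST)
Received: from o12.email.roblox.com (o12.email.roblox.com [192.0.2.10])
        by mail.example.net with ESMTP id x9y8z7; Mon, 1 Jan 2024 11:00:01 -0800 (PST)
From: Roblox <no-reply@roblox.com>
To: user@example.com
Subject: Your account has been flagged

Body text.
"""

TRUSTED_MX = "mx.google.com"        # assumption: the host that delivers to your mailbox
SENDER_SUFFIX = ".email.roblox.com"  # suffix named in the post above


def parse_headers(raw):
    """Split the header block from the body and unfold continuation lines.
    Returns (name, value) pairs in on-the-wire order, names lower-cased."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and headers:
            # Folded continuation line: append to the previous header value.
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers


def trusted_hop(headers, trusted_mx=TRUSTED_MX):
    """Return the 'from' host of the newest Received header stamped by the
    trusted MX (headers are listed newest first), or None if there is none."""
    for name, value in headers:
        if name != "received":
            continue
        value = re.sub(r"\s+", " ", value)
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", value)
        if not m:
            continue  # e.g. "Received: by ... with SMTP id ..." internal hops
        from_host, by_host = (h.lower().rstrip(".") for h in m.groups())
        if by_host == trusted_mx or by_host.endswith("." + trusted_mx):
            return from_host
    return None


def check_roblox_received(raw, trusted_mx=TRUSTED_MX):
    """Classify a raw message as 'ok', 'suspicious' or 'unknown' based on the
    host that handed it to the trusted MX. Returns (verdict, host)."""
    host = trusted_hop(parse_headers(raw), trusted_mx)
    if host is None:
        return ("unknown", None)
    if host.endswith(SENDER_SUFFIX):
        return ("ok", host)
    return ("suspicious", host)


def naive_mentions_roblox(raw):
    """The weak check: does ANY Received header mention the suffix? Shown only
    to contrast with check_roblox_received, which anchors on the trusted hop."""
    return any(SENDER_SUFFIX in v for n, v in parse_headers(raw) if n == "received")


if __name__ == "__main__":
    for label, sample in (("legit", SAMPLE_LEGIT), ("spoof", SAMPLE_SPOOF)):
        print(label, check_roblox_received(sample), "naive:", naive_mentions_roblox(sample))
```

The spoofed sample shows why the check should be anchored on the hop your own provider added rather than on a text search: the forged `Received:` line at the bottom contains the Roblox hostname, but the host that actually connected to `mx.google.com` was `mail.example.net`.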

Is it still a recommendation that we do not link our phone number to our account to prevent Sim Swapping?

11 Likes

Great. How would mobile users do that though?

(it doesn’t exist)

Reminder: most Roblox players are on mobile devices and are prone to phishing (due to many being children, who are easier to trick).

5 Likes

Sorry if this is off topic, but I’d just like to say that account security goes farther than just securing the login. You have to consider that an account’s Robux, its most valuable asset, can be exchanged with just a click.

Purchases are currently not secured at all; it only takes 1 click to completely drain your account in some cases. Incidents in the past where users were able to hide the prompts and get people to click showcase how damaging this is.

You should seriously consider options to make purchases more secure. Maybe a 2FA for large purchases or a captcha to ensure that the purchase is intentional. Many people lose Robux without having their accounts compromised because of flaws with the purchase system.

Attackers will always target the weakest link in the account security chain, and Roblox has serious work to do on purchase prompts.

See:

https://devforum.roblox.com/t/the-scam-that-hides-the-purchase-popup-is-back/1793279

12 Likes

This functionality doesn’t exist on the default Gmail mobile client, but there are alternatives that let you do this. My preferred is Aquamail (Google App store only, unfortunately)

It still doesn’t let you see the original headers, but you can “favorite” a sender, which as far as I can tell, uses those specific headers (i.e. you can favorite something from an internal email address that wasn’t meant to be a link, oops instead of just @roblox.com)

(also it supports any IMAP or POP3 email address)

5 Likes

One recent scheme going on involves “wanting to use your avatar for a render.” This was attempted on me twice within the last week. I knew not to use the Chrome extension thing or whatever it was they wanted me to use and got a .obj file of my character safely. I got no response from them after sending it during the first attempt. The second time, I shut it down fast and moved on.

Remember not to use any special downloads anyone may suggest! If you can’t use Roblox itself to do something, it’s best not to do it at all.

5 Likes

I already signed up for 2FA, but it keeps on telling me I should sign up for it. Is that a bug or does it mean I have to re-set it up?

3 Likes

I’d also like to point out that attacks that can successfully fake an @roblox.com email address are rare, since Google has implemented so many security controls on SMTP headers that it’s almost (but not) impossible to pass all the checks successfully. Even then, you’d still basically be blind-firing since you’d have to give up useful things like read receipts and Reply-To (meaning you won’t receive replies)

3 Likes

When will Roblox remove the 14 days wait period for groups and instead require 2 factor authentication check to be completed before Roblox completes the payout transaction?

Also when will trading and purchasing high value items require 2 factor authentication check?

11 Likes

I feel like it is worth noting that blox.com / ro.blox.com is an official Roblox domain. These links are used for share links generated on mobile.

Post going more in-depth: Replace the ro.blox.com share link with the normal Roblox domain

7 Likes

Please add mobile 2FA support for Windows 10. It’s ridiculous that I have to turn it off, log in, and turn it back on again, just to use the Win10 client.

Also, some sort of automated system for detecting PM scams would be great. There was a point where I was receiving this type of message daily, with little variation. It seems to have stopped now, but I have no doubt that these PM bots will become a thing again in the future.

There’s also the classic scam where someone tells you your account got flagged for “unauthorized purchases”, and that they’re a special power user within Roblox and you must contact them to get things taken care of. I was getting those daily too, and they were through Roblox PMs. The user would buy an old account to send these PMs to try and seem more legitimate, which would end up getting locked or terminated.

13 Likes

Maybe it could be implemented like the pin so you can pay out for 5 minutes or lock it early.
It might be annoying but needed. It could also be opt in as long as people know about it.
Same for purchases in my opinion.

4 Likes

I would recommend using the website version; it supports VIP links and also recording.
And at least in my experience it’s also way less laggy.
But I agree with you such basic feature should work properly.

1 Like

Some people prefer the Windows 10 client you know. Plus, I find Roblox recording quite depressing (idk why) so I would choose Nvidia Experience or whatever AMD and Windows offer

And yes, they should really implement 2FA for the client

2 Likes

Maybe they could even implement physical security keys. But I’m not sure if many people have such keys.

4 Likes

I’d rather be annoyed by entering my 2 factor authentication code than wait 14 days, which doesn’t provide any real protection. I am glad that you agree.

Also I think security keys should be a login option as well because Google Chrome supports it.

2 Likes

I think that’s quite unnecessary and unreliable

2 Likes

It’s ironic to see a couple of people saying that the post is bad when DevRel is literally going out of their way to remind us to keep our accounts secure.

1 Like