Securing your Account PSA

This functionality doesn’t exist on the default Gmail mobile client, but there are alternatives that let you do this. My preferred one is Aquamail (Google App store only, unfortunately).

It still doesn’t let you see the original headers, but you can “favorite” a sender, which as far as I can tell, uses those specific headers (i.e. you can favorite something from an internal email address that wasn’t meant to be a link, oops instead of just @roblox.com).

(also it supports any IMAP or POP3 email address)

4 Likes

One recent scheme going on involves “wanting to use your avatar for a render.” This was attempted on me twice within the last week. I knew not to use the Chrome extension thing or whatever it was they wanted me to use and got a .obj file of my character safely. I got no response from them after sending it during the first attempt. The second time, I shut it down fast and moved on.

Remember not to use any special downloads anyone may suggest! If you can’t use Roblox itself to do something, it’s best not to do it at all.

5 Likes

I already signed up for 2FA, but it keeps on telling me I should sign up for it. Is that a bug or does it mean I have to re-set it up?

3 Likes

I’d also like to point out that attacks that can successfully fake an @roblox.com email address are rare, since Google has implemented so many security controls on SMTP headers that it’s almost (but not) impossible to pass all the checks successfully. Even then, you’d still basically be blind-firing since you’d have to give up useful things like read receipts and Reply-To (meaning you won’t receive replies)

3 Likes

When will Roblox remove the 14 days wait period for groups and instead require 2 factor authentication check to be completed before Roblox completes the payout transaction?

Also when will trading and purchasing high value items require 2 factor authentication check?

11 Likes

I feel like it is worth noting that blox.com / ro.blox.com is an official Roblox domain. These links are used for share links generated on mobile.

Post going more in-depth: Replace the ro.blox.com share link with the normal Roblox domain

7 Likes
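An added example, not part of the original thread and not Roblox code: a link check that accepts only hosts under the domains named in this thread and rejects common lookalike tricks. The function name, the HTTPS-only rule and the sample URLs are assumptions, and the allowlist is not a complete list of official domains.

```python
from urllib.parse import urlsplit

# Only the domains named in this thread; not a complete official list.
OFFICIAL_DOMAINS = ("roblox.com", "blox.com")


def official_host(url):
    """Return the host if it is an official domain or a subdomain of one, else None."""
    # Browsers treat "\" like "/", Python does not; refuse the ambiguity outright.
    if "\\" in url:
        return None
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    if parts.scheme != "https":  # assumption: only HTTPS links are trusted
        return None
    host = parts.hostname  # lowercased, without userinfo ("user@") or port
    if not host:
        return None
    host = host.rstrip(".")
    try:
        host.encode("ascii")  # non-ASCII letters can imitate Latin ones
    except UnicodeEncodeError:
        return None
    for domain in OFFICIAL_DOMAINS:
        # Exact match, or a subdomain with a real "." boundary before the domain.
        if host == domain or host.endswith("." + domain):
            return host
    return None


if __name__ == "__main__":
    # Constructed sample links, not taken from real messages.
    samples = [
        "https://ro.blox.com/Ebh5",              # mobile share link domain
        "https://www.roblox.com/games/1",
        "https://roblox.com.login.example/",     # official name used as a prefix
        "https://roblox.com@login.example/",     # official name in the userinfo part
        "https://notroblox.com/",                # suffix match without a dot boundary
    ]
    for link in samples:
        print(f"{link:45} -> {official_host(link)}")
```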

Please add mobile 2FA support for Windows 10. It’s ridiculous that I have to turn it off, log in, and turn it back on again, just to use the Win10 client.

Also, some sort of automated system for detecting PM scams would be great. There was a point where I was receiving this type of message daily, with little variation. It seems to have stopped now, but I have no doubt that these PM bots will become a thing again in the future.

There’s also the classic scam where someone tells you your account got flagged for “unauthorized purchases”, and that they’re a special power user within Roblox and you must contact them to get things taken care of. I was getting those daily too, and they were through Roblox PMs. The user would buy an old account to send these PMs to try and seem more legitimate, which would end up getting locked or terminated.

12 Likes

Maybe it could be implemented like the pin so you can pay out for 5 minutes or lock it early.
It might be annoying but needed. It could also be opt in as long as people know about it.
Same for purchases in my opinion.

4 Likes

I would recommend using the website version; it supports VIP links and also recording.
And at least in my experience it’s also way less laggy.
But I agree with you, such a basic feature should work properly.

1 Like

Some people prefer the Windows 10 client, you know. Plus, I find Roblox recording quite depressing (idk why) so I would choose Nvidia Experience or whatever AMD and Windows offer.

And yes, they should really implement 2FA for the client

2 Likes

Maybe they could even implement physical security keys. But I’m not sure if many people have such keys.

4 Likes

I’d rather be annoyed to put in my 2 factor authentication code than wait 14 days, which doesn’t provide any real protection. I am glad that you agree.

Also I think security keys should be a login option as well because Google Chrome supports it.

2 Likes

I think that’s quite unnecessary and unreliable

2 Likes

It’s ironic to see a couple of people saying that the post is bad when DevRel is literally going out of their way to remind us to keep our accounts secure.

1 Like

Really? I have never heard that something like this is unreliable.

2 Likes

Good thread to help people.

For anyone wondering, here are the only official Roblox links:

3 Likes

Maybe there should be an option for users to privatize the limiteds they have if they turn trading off or something like that. It’ll disincentivize scammers from targeting specific accounts.

1 Like

When you’re logging onto your Personal Computer, sure, a physical key is useful as your door, but remember not everyone understands how a physical key works (nor could everyone plug a USB into your iPad), and as you know, people tend to lose stuff.

You’re logging into Roblox, not your PC.

2 Likes

I would also like to add that you can check the domain owner and see if it’s Roblox. For example, just insert the domain in the search bar of https://domains.google.com, then click “find domain owner” and see the “Registrant organization” field; it should be “Roblox corporation”.

3 Likes

As someone who has had my account accessed without my authorization twice due to the value of items on it over the years (and in part due to lack of security features which caused me to lose tons of items and get a small portion of the Robux as compensation), account security on Roblox still has a long way to go.

The inclusion of PINs for changing settings was a great step, but I don’t see why I can’t have a 2FA required before trades or item listings… These are THE most common ways users are robbed if their account is accessed. Limited items are sold in bulk for dirt cheap and trades are sent off for other items.

Requiring 2FA for listings AS WELL AS simple common sense limiters (such as items being sold very rapidly, dirt cheap, or BOTH) are easy to automatically block. If an item is attempted to be listed very cheap 2FA should be asked REGARDLESS OF ACCOUNT SETTINGS if it has not recently been asked for the exact reason. All listings should have a small pending period (even if only a minute) so as mass listings can easily be stopped and 2FA asked for.

I still have a spreadsheet full of items I lost and what I was given to get them back… which was 75% of their value then… and not even 20% now. Hurts my heart to know that it happens to anyone, especially when Roblox can limit the impact with common sense security checks.

On that note, I do want to thank the teams at Roblox who have added additional security settings since I joined way back when. Huge shout-out as well to work on internal tools to recover users’ items when they have had their accounts compromised, because the second time my account got accessed I thought it was going to be the point I gave up on the site, but instead new tools allowed you to get everything back to me. More work to be done, but please don’t take it as thinking you haven’t worked hard!

9 Likes
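An added example, not part of the original thread and not Roblox code: one way the listing checks proposed in the post above could be expressed, with a hold on every listing and a 2FA step-up for cheap or rapid listings unless one was completed recently for that reason. Every name and threshold here is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# All thresholds are assumptions for illustration, not Roblox values.
CHEAP_RATIO = 0.5    # below 50% of the recent average price counts as "dirt cheap"
BURST_COUNT = 5      # this many listings...
BURST_WINDOW = 60    # ...within this many seconds counts as "very rapid"
HOLD_SECONDS = 60    # pending period applied to every listing
RECENT_2FA = 300     # a listing 2FA check newer than this is not repeated


@dataclass
class Listing:
    item: str
    price: int
    recent_avg_price: int
    created_at: float  # seconds, same clock as the other timestamps


def review_listing(listing, earlier_listing_times, last_listing_2fa_at):
    """Decide the hold time and whether to ask for 2FA before a listing goes live.

    Account settings are deliberately not an input: the step-up applies to
    every account, as the post proposes.
    """
    reasons = []
    if listing.price < CHEAP_RATIO * listing.recent_avg_price:
        reasons.append("cheap")

    window_start = listing.created_at - BURST_WINDOW
    in_window = [t for t in earlier_listing_times
                 if window_start <= t <= listing.created_at]
    if len(in_window) + 1 >= BURST_COUNT:  # +1 counts the listing under review
        reasons.append("rapid")

    recently_verified = (
        last_listing_2fa_at is not None
        and 0 <= listing.created_at - last_listing_2fa_at <= RECENT_2FA
    )
    return {
        "release_at": listing.created_at + HOLD_SECONDS,
        "require_2fa": bool(reasons) and not recently_verified,
        "reasons": reasons,
    }
```

Because every listing waits out the hold, a burst detected on the fifth listing can still stop the first four before they are released.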