Securing your Account PSA

If you’re looking into educating users on off-site scams, you should add something regarding the .har file scam. There are two I’ve come across personally:

1- Person says they’ll give you Robux in exchange for your “avatar file”, they get you to upload a .har file to a “har to obj” converter, which in reality uploads it to a database somewhere. They usually attach a video of someone following this process, this video usually depicts a clip of someone rich/reputable doing this (which is usually just clips taken out of context, mashed together to create a surprisingly believable product) for the person being scammed to trust this person.

2- A person messaged me on Discord with the same type of message (avatar to be used in-game); however, instead of uploading the file to a .har to .obj “converter”, you upload the .har file directly to them on Discord.

Just don’t upload any files to strangers on the internet, especially if these people message you randomly.

2 Likes

Do .har files contain your cookie or something? As far as I know your har file is just your avatar.

1 Like


Yes.

1 Like

Due to the way that email is designed, it’s pretty easy to spoof emails that look like legitimate emails. The trick, though, is origin, where the address of @roblox.com emails would point to an email server that originates from Roblox. Still, you can send a perfectly legit-looking email using a @roblox.com email through spoofing. So, personally, this point only applies to very rudimentary phish attempts.

Otherwise, the majority of these issues stem from Roblox’s young user base, which is predominantly not actual developers, so the visibility of this announcement/PSA will not reach the members who’re actively being targeted. In regard to that, the platform needs to do more in targeting these announcements to actual players instead of just developers.

This is an issue on the majority of platforms but, at some point a line needs to be drawn and the user who fell for said phish needs to take responsibility for their own actions. That is how the world works. I feel that Roblox is essentially trying to make up for the lack of online safety instruction that parents should’ve taught. Unfortunately, losing something is how you grow and hopefully, how you realize that certain actions you make can lead to serious consequences.

Regardless of how anyone tries to spin it, how a phish attempt is engineered or whatnot, this platform is specifically designed in such a way where you have to give your details to them. If they successfully get your details, it’s simply because you gave it to them. Whether you realize that or not, is completely up to you and unfortunately, probably too late.

The only way for this not to be the case is if your details are leaked either through you, a friend, etc, through a breach on Roblox’s end or if we really wanted to be radical, someone tapping your connection between your router / phone to an ISP / Tower.

I see a lot of people on this platform blame Roblox for having poor security and, while I agree in some aspects, this in particular is not their fault. Every company faces these issues and everyone is susceptible. However, most platform users take responsibility because the age deems it so. On this platform, it’s incredibly toxic and turns into “omg Roblox security sucks, give me my account back”.

Start solving this problem by getting younger users to understand / conceptualize responsibility and what it means to be responsible for your account. With the guides and such in place already regarding this topic, there’s really nothing else this platform should be doing.

The solution here is simple: If you really value your account, don’t trust anyone with it but you.

Edit: Free will on an open forum dictates expressional freedom. Take this how you want. This is my personal view on said topic. This is not aimed toward anyone. It does not mean to offend anyone. It’s simply, quite plainly, how I feel about this.

HAR files (HTTP dumps) contain captured data from your web browser. They’re typically used for debugging, performance bottleneck review, etc., but people have been using them to grab cookies. Data, including all network information, is captured on a per-session basis. This means that any data sent between the client (browser) and Roblox’s servers is captured in this file. This includes headers (where cookies are passed), URLs, etc. If anyone asks you for a HAR file, they’re definitely malicious.

3 Likes
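The post above makes the point that the only reliable tell for a spoofed @roblox.com mail is origin: which server actually sent it. Receiving mail servers check that with SPF (the sending domain publishes, in DNS, the IP ranges allowed to send for it), together with DKIM and DMARC. The following is an added example, not code from the original post and not anything Roblox publishes: a minimal SPF evaluator for the ip4/ip6/all mechanisms. The record string, the domain names and the IP addresses are constructed for illustration (roblox.com’s real record is not reproduced here); mechanisms that need DNS lookups are left unimplemented and raise.

```python
import ipaddress

# Constructed SPF record for illustration; it is not the real record of any domain.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate sender_ip against a v=spf1 record (RFC 7208 subset).

    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none'. Only the ip4, ip6
    and all mechanisms are implemented; include, a, mx, exists, ptr and the
    redirect/exp modifiers need DNS lookups and raise NotImplementedError.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                      # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        if "=" in term:                    # modifier such as redirect= or exp=
            raise NotImplementedError(f"modifier {term!r} not supported")
        qualifier = "+"                    # a mechanism with no prefix means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]   # 'all' always matches; it ends evaluation
        if mech in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
            continue
        raise NotImplementedError(f"mechanism {mech!r} needs DNS; not supported")
    return "neutral"                       # nothing matched and no 'all' term


def classify_message(mail_from_domain, sender_ip, records):
    """Look up the sender domain's record in `records` (a constructed stand-in
    for a DNS TXT lookup) and evaluate it. Note that SPF is checked against the
    envelope sender (MAIL FROM); DMARC alignment is what ties that result to the
    From: address the user actually sees in their mail client."""
    record = records.get(mail_from_domain.lower())
    if record is None:
        return "none"                      # domain publishes no SPF record
    return evaluate_spf(record, sender_ip)
```

A message whose envelope sender claims a domain but arrives from an IP outside that domain’s published ranges evaluates to `fail` here; that is the origin check the post describes, and it is what a mail provider’s `Authentication-Results` header reports.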
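To make the HAR explanation above concrete (and to answer the earlier question of whether a .har file contains your cookie), here is an added example, not code from the original post and not a Roblox tool. It parses a HAR document (HTTP Archive, which is JSON), lists every header, cookie and request body a recipient would get from it, and produces a redacted copy that can still be shared for debugging. The HAR content, the example.com host, the paths, the cookie name SessionToken and every value are constructed for illustration.

```python
import json

# Constructed HAR (HTTP Archive 1.2, JSON) with two requests, for illustration only.
# Host names, paths, the cookie name SessionToken and all values are made up.
SAMPLE_HAR = json.dumps({
    "log": {
        "version": "1.2",
        "creator": {"name": "example-browser", "version": "0"},
        "entries": [
            {   # a login form submission: the POST body is captured verbatim
                "request": {
                    "method": "POST",
                    "url": "https://www.example.com/login",
                    "headers": [{"name": "Content-Type",
                                 "value": "application/x-www-form-urlencoded"}],
                    "cookies": [],
                    "postData": {"mimeType": "application/x-www-form-urlencoded",
                                 "text": "username=alice&password=hunter2"},
                },
                "response": {
                    "status": 302,
                    "headers": [{"name": "Set-Cookie",
                                 "value": "SessionToken=FAKEVALUE123; Path=/; Secure; HttpOnly"}],
                    "cookies": [{"name": "SessionToken", "value": "FAKEVALUE123"}],
                },
            },
            {   # a later page load: the session cookie rides along in a request header
                "request": {
                    "method": "GET",
                    "url": "https://www.example.com/home",
                    "headers": [{"name": "Host", "value": "www.example.com"},
                                {"name": "Cookie",
                                 "value": "SessionToken=FAKEVALUE123; theme=dark"}],
                    "cookies": [{"name": "SessionToken", "value": "FAKEVALUE123"},
                                {"name": "theme", "value": "dark"}],
                },
                "response": {"status": 200, "headers": [], "cookies": []},
            },
        ],
    }
})

# Headers whose value alone is enough to take over or act as the session.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "x-csrf-token"}


def _walk(har):
    """Yield (entry index, location, item dict, value key) for every field in a
    HAR that carries a credential: sensitive headers, all cookies, POST bodies."""
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h["name"].lower() in SENSITIVE_HEADERS:
                    yield i, f"{side}.headers", h, "value"
            for c in part.get("cookies", []):
                yield i, f"{side}.cookies", c, "value"
        post = entry.get("request", {}).get("postData")
        if post and "text" in post:
            yield i, "request.postData", post, "text"


def find_secrets(har_text):
    """Return [(entry index, location, name)] for everything a stranger would
    obtain from this HAR file: session cookies, auth headers, submitted forms."""
    har = json.loads(har_text)
    return [(i, where, item.get("name", key)) for i, where, item, key in _walk(har)]


def redact_har(har_text, placeholder="[REDACTED]"):
    """Return a copy of the HAR with every credential-bearing value replaced.
    URLs, status codes and timings survive, so the file is still useful for the
    debugging purpose HAR files exist for. Set-Cookie attributes are dropped
    along with the value; keep that in mind if you are debugging cookie flags."""
    har = json.loads(har_text)
    for _, _, item, key in _walk(har):
        item[key] = placeholder
    return json.dumps(har)
```

Running `find_secrets(SAMPLE_HAR)` on the constructed capture reports the submitted password, the `Set-Cookie` that created the session and the `Cookie` header that replays it on every later request, which is exactly what the “har to obj converter” is after. The `HttpOnly` flag on the cookie does not help here: it stops page scripts from reading the cookie, but the browser still writes the raw header into the HAR.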

No longer an issue.

(Intentional)

2 Likes

It’s a good security measure that IP changes invalidate the cookie but it seems a bit inconsistent? Personally, using a VPN hasn’t logged me out. Even if it did, I still wouldn’t want anyone having my cookie anyway, it’s also a good idea to advise people that these scams do exist anyway.

It doesn’t depend on your IP. The title of the bug report is misleading. It’s based on your location change.

Let’s say your IP changes to another IP that’s in the same state or country as you are. There’s a chance that it won’t log you out.

But let’s say your IP changes from the US to the UK. Then it will invalidate the cookie.

2 Likes

Ohhh okay that makes more sense. On the chance that the person attempting to gain access to my account is somewhere near me (country is somewhat likely, province isn’t), I would still refrain from giving the cookie lmao. Regardless, it still is a good and frankly much needed security measure.

2 Likes

Yep.

Here’s a chart that someone made to give you a better understanding.

6 Likes

It’s a horrible idea to get 2FA with a phone number when you have email and auth app 2FA. SIM swapping is a thing.

If you play Bedwars, it’s like removing an obsidian bed defence and replacing it with blastproof ceramic.

2FA SMS should be a pointless feature imo

3 Likes

URLs can be spoofed too, using Unicode. Roblox hacks aren’t that advanced yet as of 2022-05-21, but I’m betting that before 2023 it’ll happen.

More info:

2 Likes

It’s possible and has been done, but not all browsers render the text in Unicode.

One of the worst things that exists is bookmarklets.

Bookmarklets are the dumbest thing that exists security-wise because it’s so easy to phish with them. Bookmarklets are one of the most common ways of beaming on Roblox (excluding HAR).

So never trust bookmarks!

2 Likes
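The two posts above describe Unicode (IDN homograph) URL spoofing and note that some browsers refuse to render such names as Unicode. The following is an added example, not code from either post and not a Roblox feature, showing the three checks a practitioner would use: the punycode form a cautious browser displays, a mixed-script test per DNS label, and a skeleton comparison that folds lookalike characters to their Latin counterpart. The CONFUSABLES table is a small constructed subset of the Unicode confusables data, and the example host names are constructed; `idna_form` uses Python’s built-in `idna` codec, which is IDNA 2003 and rejects some newer code points (so it is not called on the all-Cyrillic example).

```python
import unicodedata

# Small lookalike table (constructed; not the full Unicode confusables list):
# Cyrillic letters that render like Latin ones in most fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",   # palochka, the 'l' in the well-known all-Cyrillic apple.com homograph
}


def idna_form(host):
    """The ASCII (punycode) form of a host name, i.e. what a browser that refuses
    to render lookalike IDNs shows in its address bar. Uses Python's built-in
    IDNA 2003 codec, which rejects code points unassigned in Unicode 3.2."""
    return host.encode("idna").decode("ascii")


def mixed_script_labels(host):
    """Return the labels of `host` whose letters come from more than one script.
    The script is approximated by the first word of the Unicode character name
    (LATIN, CYRILLIC, GREEK, ...) because unicodedata exposes no Script property.
    This is the check browsers apply before deciding to show punycode."""
    suspicious = []
    for label in host.lower().split("."):
        scripts = {unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            suspicious.append(label)
    return suspicious


def skeleton(host):
    """Fold lookalike characters to their Latin counterpart."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def is_homograph_of(host, trusted):
    """True when `host` is not `trusted` but folds to the same skeleton, e.g.
    'r\u043eblox.com' with a Cyrillic o. A label written entirely in Cyrillic
    passes the mixed-script check, so this comparison is what catches it."""
    host, trusted = host.lower(), trusted.lower()
    return host != trusted and skeleton(host) == skeleton(trusted)
```

The mixed-script check and the skeleton check complement each other: `\u0430pple.com` (one Cyrillic letter) fails the first, while `\u0430\u0440\u0440\u04cf\u0435.com` (all Cyrillic) passes it and is only caught by the skeleton comparison against a list of domains you care about.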

While that’s true, and people should be careful, Roblox has some policies that aren’t exactly user-friendly. Users that get their accounts compromised can only have one rollback done, per account, ever.

My account has existed for fourteen years, but if it gets compromised twice, the items on it are just gone, and the person who got into my stuff gets all of it.

The rollback policy could be updated to one per year, and I don’t think it would negatively affect the platform.

4 Likes

Well, only for less important passwords, for example Roblox accounts to play with. If it’s very valuable, you should remember it yourself.

1 Like

FUN FACT: If you don’t buy Premium, nobody can TOUCH your limiteds. Unless they buy it for you, which would leak their payment info, and that’s how you can sue.

4 Likes

Using text message based 2FA is generally a bad security practice. Not only does SIM jacking exist, text messages aren’t very secure either, and they don’t work if you don’t have your phone connected to mobile internet.

App 2FA works offline and it can’t be SIM-jacked.

1 Like

Couldn’t they just use gift cards?

This page seems to indicate they do

1 Like