An addition to the current security features of a Roblox account
I recently had a friend who had his account compromised and it was a total loss. The two-step verification was activated on the account but that did not stop the attack from happening. All of the items were traded to some storage account of the attacker.
We currently have the ability to set an account PIN for our settings page. This protects our settings from being altered in the event the account is compromised. This same feature should be available for the trading system. If we had a PIN-protected trade system which we could toggle on and off, this might either slow down the attack or stop it completely, so that items are not lost in the attack.
Let me know what you all think! It was just a brainstorm I thought I’d share.
If one secret code like a password isn’t enough to entirely prevent access, then I don’t see how a second code is going to be sufficient to achieve that. People have their accounts taken not through magic but through getting tricked into giving out their details or installing things that allow others to see these types of codes. I do not see this as an improvement for those that do get their accounts taken, and even less so for those that somehow never get theirs taken.
It really is not a means of stopping the attack, but it may just slow the attack down. A secret four-digit code may give the attacker a harder time to crack and figure out, which does not allow them to trade the items immediately. That window of time may be valuable for someone to notice that someone is on their account and change their password to kick them off. It has its pros and its cons.
If having a PIN were such a useless point of security, then we wouldn’t have it for the settings page. Asking for a PIN on the trade system is a reasonable request, and I see no reason to take it even further (an option to lock purchases behind a PIN, for example).
You probably know this already, but a lot of accounts get stolen because the hijacker gets a hold of a certain ‘key’ to gain access into your account. This key doesn’t expire, because if it did it would make you log back into your account every time it expires. The key for PINs expires after 15 minutes, and Roblox could probably even auto expire it if a new IP tries to use it, making it so that the hijacker would need to know your PIN too.
Adding your PIN in more places could easily reduce stolen items, and I see no reason not to have the option available.
Nowhere did I consider a PIN useless; all I’m saying is that if one PIN doesn’t cut it, adding a second one is not going to help for these cases. Adding more PINs is definitely not a straightforward task, as many places will have some type of access to trades. It will require yet another unique cookie set if it’s supposed to remain active, and it can be stolen in the exact same ways.
One PIN does cut it. The people who gain access to accounts don’t need the PIN or the access key from your PIN to steal items if your trades are on. The PIN access key would remain active for a small amount of time (if not, it may ask you every time you trade). This is way more secure than the regular access key you get when you log in.
If Roblox refreshed the regular access key every time a new IP accesses your account, it would be very annoying when visiting the site from mobile. However, as I said, the PIN one could lock itself if a new IP is detected trying to use it while a different IP inputted the PIN. This can be bypassed, but not quite as easily as getting into someone’s account.
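The mechanism the two replies above describe (a long-lived login cookie, plus a separate short-lived "PIN unlock" grant that expires after 15 minutes and is revoked if a different IP presents it) is sketched below as an added example. This is not Roblox's code, and nothing here reflects how the real site stores sessions or PINs; the `AuthService` class, the PBKDF2 PIN hashing, the in-memory stores, the five-attempt lockout and the sample IP addresses are all assumptions made for illustration. The scenario at the bottom walks through the attack in the thread: a hijacker who has only the stolen login cookie, and a hijacker who has also stolen the PIN grant cookie.

```python
"""Step-up authorization for a sensitive action (a trade).

Constructed example. A login session alone is not enough to trade: the client
must also hold a PIN grant that was minted by entering the PIN, expires after
15 minutes, and is bound to the IP address that entered the PIN.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

PIN_GRANT_TTL = 15 * 60   # seconds; the 15-minute window mentioned in the thread
MAX_PIN_ATTEMPTS = 5      # assumption: a 4-digit PIN has only 10^4 values, so rate-limit


def _hash_pin(pin: str, salt: bytes) -> bytes:
    # PBKDF2 so a leaked database row does not reveal the PIN instantly.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Account:
    pin_salt: bytes
    pin_hash: bytes
    trades_locked: bool = True      # the on/off toggle proposed in the thread
    failed_pin_attempts: int = 0


@dataclass
class PinGrant:
    account: str
    bound_ip: str       # IP that entered the PIN
    expires_at: float
    revoked: bool = False


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, str] = {}        # login token -> account; never expires
        self.pin_grants: Dict[str, PinGrant] = {}  # grant token -> PinGrant

    def create_account(self, name: str, pin: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[name] = Account(salt, _hash_pin(pin, salt))

    def login(self, name: str) -> str:
        # Password check omitted; this models the long-lived cookie the thread calls the "key".
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def enter_pin(self, session: str, pin: str, client_ip: str, now: float) -> Optional[str]:
        name = self.sessions.get(session)
        if name is None:
            return None
        acct = self.accounts[name]
        if acct.failed_pin_attempts >= MAX_PIN_ATTEMPTS:
            return None                                   # locked out, even with the right PIN
        if not hmac.compare_digest(_hash_pin(pin, acct.pin_salt), acct.pin_hash):
            acct.failed_pin_attempts += 1
            return None
        acct.failed_pin_attempts = 0
        grant = secrets.token_urlsafe(32)
        self.pin_grants[grant] = PinGrant(name, client_ip, now + PIN_GRANT_TTL)
        return grant

    def authorize_trade(self, session: str, pin_grant: Optional[str], client_ip: str, now: float) -> str:
        name = self.sessions.get(session)
        if name is None:
            return "denied: no session"
        if not self.accounts[name].trades_locked:
            return "allowed"                              # user turned the protection off
        g = self.pin_grants.get(pin_grant) if pin_grant else None
        if g is None or g.account != name:
            return "denied: pin required"
        if g.revoked:
            return "denied: grant revoked"
        if now >= g.expires_at:
            return "denied: grant expired"
        if client_ip != g.bound_ip:
            g.revoked = True          # another IP presented the grant: kill it, force PIN re-entry
            return "denied: grant revoked (ip mismatch)"
        return "allowed"


def run_scenario() -> Dict[str, Optional[str]]:
    """Victim at 10.0.0.5, hijacker at 203.0.113.7 holding the victim's stolen cookies."""
    svc = AuthService()
    svc.create_account("victim", "4821")
    session = svc.login("victim")                          # later stolen by the hijacker
    grant = svc.enter_pin(session, "4821", "10.0.0.5", now=0)
    out: Dict[str, Optional[str]] = {}
    out["victim_trade"] = svc.authorize_trade(session, grant, "10.0.0.5", now=60)
    out["attacker_no_grant"] = svc.authorize_trade(session, None, "203.0.113.7", now=90)
    out["attacker_stolen_grant"] = svc.authorize_trade(session, grant, "203.0.113.7", now=100)
    out["victim_after_attack"] = svc.authorize_trade(session, grant, "10.0.0.5", now=120)
    grant2 = svc.enter_pin(session, "4821", "10.0.0.5", now=120)
    out["victim_expired"] = svc.authorize_trade(session, grant2, "10.0.0.5", now=120 + PIN_GRANT_TTL)
    for guess in ("0000", "0001", "0002", "0003", "0004"):
        svc.enter_pin(session, guess, "203.0.113.7", now=200)
    out["attacker_bruteforce"] = svc.enter_pin(session, "4821", "203.0.113.7", now=201)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The point of binding the grant to the PIN-entering IP rather than refreshing the login session itself is the one made in the reply above: the login cookie can stay valid across a phone and a PC, while a stolen grant cookie is burned the first time it is presented from elsewhere, and the victim is then asked for the PIN again instead of silently losing items. A hijacker who has installed something on the victim's machine and acts from the same IP is not stopped by this, which is the caveat the thread also raises.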
This doesn’t happen for the vast majority of players to begin with.
Point being, it’s an endless battle protecting people against themselves, essentially, and it does make it a lot more inconvenient to use the trade system (when it’s active). It can indeed be optional, but that makes the whole thing a very niche feature altogether. It’s a feature for a very small group of people, it does not make the system a lot more secure, and it does take development time to implement that could be better spent on other features that a lot of people use.
Whether or not it’s worth the time is up to the engineers. I probably would only turn the feature on since I don’t trade. All I’m saying is the feature is a reasonable request. I also think there’s more important features we could get.
That is the transaction such as a sale of a limited. It was not suggested for the trading system. This suggestion is sort of an addition to that I suppose.
I think we should have an AI system that tracks suspicious activity. New sign-in locations, losing trades, etc. should bring up a lot more than just “enter your PIN.” Extreme situations need to be confirmed via emails, PINs, password, etc. The least would be “are you sure,” “enter password,” or “solve captcha.” The AI system can’t be as trash as, say, the chat filter, and generally needs a lot of time and effort put into its development.
I personally find that other areas require more attention, and that more prompts aren’t going to do much when there are “major leaks” of information that happen, or when people’s accounts just aren’t being protected enough. (I’m sure most people are losing their accounts to scam websites.)