Handling Account Security

[OldRod]

My son has been playing Roblox a lot lately and I've told him to watch out for scammers, but kids being kids... he fell for a scam this week that allowed someone to take control of his account away from him. First notice we had was that I got an email saying the email address on the account had been changed to an email I didn't recognize. The email contained a link to click in case we did not authorize the change, but that link went to a broken URL We tried to log in to his account, but his password didn't work, etc. etc.. Long story short, we contacted support and ended up getting the account back, with only a few items missing, but it was enough to get me thinking about handling security in the game I'm working on.

The real problem is this: how do we secure their account so the player feels safe playing our game (and possibly spending money on our site), yet also allow them the ability to retrieve lost usernames, change email addresses, etc?

In my game I had already decided that I was not going to require an email address to create an account. I am making it voluntary, but I am letting the player know that providing an email address (and validating it) allows the retrieval of lost usernames, and for the mailing of temporary passwords, etc. But then, in light of what happened this week, I got to wondering whether this would work or not.

This scammer was able to change email addresses since he had the username/password. I'm trying to figure a way to prevent unwanted changing of passwords and email addresses and I'm having a tough time coming up with a solution that I like.

So the account has a verified email address on file... so what? If the user has the ability to change that email address at any time (and he really needs that ability I think), then what good does it do to validate it? If a scammer changes it to his own email address and validates that email, then the control is circumvented, so what use is it?

I thought about sending an email to the old email address, asking to approve the change of email addresses, but if the user is changing because he lost access to the old email address (for whatever reason) then that is useless as well.

If a password change requires an email-validated account, that would be stronger, but if the scammer has already changed the email address, then this is not really helpful after all.

Knowing what my son went through when he envisioned the last few months of building his character, and facing the possibility of that being gone, I really feel that I need to address account security in a serious manner. I'm just not sure how to do it without totally locking out normal changes that have to happen (email changes, password changes, etc.)

Anyone have any thoughts? Anyone seen a good system in a game they played?

[Liquid Shock Games]

There may be a couple of non intrusive ways to handle something like this.

You could have a code sent to their old email address that is time sensitive if they want to change either email or password that they have to enter on the change page. This only works if they still have access to their old email.

or if they don't have access to the old email:

You could add 2 security questions that you let them make up the question and answer, store it in their account db info and randomly ask one or both to change email or password without access to their old email. Just make that optional information if they want the added ability to recover their account easier.

Lastly you could have them answer a couple of questions about their account. Randomly pull a couple multiple choice questions from their account db that they should know as account owner. This could be character's name, home realm/planet/city/etc, last transaction amount (if you have a store for transactions, they can look at their bank/cc statement for that), specific important items they have in their inventory, specific abilities their character might have, etc.

These may not stop all the dirt bag scamers because they will always try, but it should cut down on them considerably.

Just a thought on some ideas I have seen in games and online in general.

[OldRod]

Good ideas!

I thought about doing security questions. I like the idea about asking questions about the account.

Thanks

[Jackolantern]

There are a couple of changes in the web landscape that have actually made things less secure. First and foremost, many sites have done away with usernames and simply use the user's email address. This is bad. An email should be hidden at all costs on any service, and should not be a login. If someone gains control of your email account, they now know your login name, and can simply request a password change with your email address, and they now have full control of your account. Instead, the login should be a hidden username, made up just for the site. Once registered, the player then chooses another name to display (an easy way to help users with this process is give them the option to make a swap where they can swap their username for their visible name if they thought that was going to be their visible name). At that point you basically have another password for the player that needs to be cracked to get access to their account. Getting control of their email address is not enough.

Also, I have always liked the idea of allowing users to create "pass phrases" if they like instead of a single password. For example, someone could set their pass phrase as "On December 20th, I got my dog, Oslo". Password crackers are highly affected by the number of characters in a password, and adding punctuation (which comes naturally from sentences) makes things much harder. Something like this would be extremely difficult to crack.

As far as ways to prevent unauthorized changing of emails, that is a tough one. Most of the really hard to break methods are a bit more than an indie developer has access to, such as mobile text verification. It may be worth checking out if any 3rd-party company has created a service to handle this for you. If not, wow, someone should get on that! They could send your servers a message when the user has succeeded in responding to the text message (although that is a bit off-topic lol).

This is kind of a nuclear option, but you could create syncing authorization apps for mobile devices, like the ones many MMOs use now. They are not that hard to create, since the randomness is simple fed off of a hash created from the user's account that the user enters when first starting to app to link it to their account. But of course, it is still non-trivial to make them.

[OldRod]

I'll add the "mobile sync verification" to the list to add after I get my first million players

I like the secret question/answer method for now. Of course it's a moot point as long as nobody sees the game but me