
  Thread: How 'secure' is SCID?

  1. #1 JusMe (Forum Hero) - Join Date: Feb 2017, Location: amongst the stars, Posts: 7,271

    How 'secure' is SCID?

    In the past month or so we've seen a number of posts about accounts being 'hacked', 'stolen' and so on, and yes, many thought and think 'ah, here we go again' when we see one of those....

    But by now, I must say I'm getting worried. There are more and more signs (also from clans in which we know some people on a more personal level) that there is either a flaw in the system that is not being addressed or something else is seriously wrong?

    One side:
    People who try to log on to their account and get a message that their 'SCID has expired', they try to get a new code, get a code and then their account again states that the 'SCID has expired' - their accounts are 'lost' and they can't play on their villages [and no, not just kids who go to free gem sites].

    Other side:
    People who have an issue with their account, and apparently others have tried it with inactive accounts they know of (I'm not that brave, I don't want to jeopardize any of my accounts when checking this), go to the in-game support options available and when they end up with the automated 'otto' or 'sparkybot' of customer support, all that apparently is needed is the player tag, village name, the clan the account was in last, TH level (not always) and maybe some other information that is easily found online to 'restore' an account.

    There have been several forumites who have also stated these types of things have happened to adults in their clans who are not eager to lose their accounts by sharing information or engaging in other activities that aren't allowed....

    Can we please get some kind of confirmation this is being worked on, or at least checked? This really isn't adding up to anything that 'gives a warm and fuzzy feeling' or anything like that.

    Can people who have seen this happen or who have had this happen, chime in with their experience? Maybe that can help with any investigation?

  2. #2 Darian[Supercell] - Join Date: May 2017, Location: Gliese-832c, Posts: 6,223
    The biggest reason people lose their accounts is due to social engineering. Accounts do not get hacked, but they do get phished or stolen when players fall for scams. One of the most common scams is when someone offers to "give away" their high level account to someone and asks for that person's email address to attach to that account. That scammer will then bind that player's account to a Supercell ID, because once your account is attached to a Supercell ID, it becomes very difficult to steal it.

    Supercell ID in itself is quite secure. But like any computer system, it is only as secure as the person maintaining that security. Scammers and phishers are very, very, very clever. Most people don't realize just how much information they publicly share. Do you think some random Clasher on Facebook who creates a post saying "Who has the oldest account? Post your start date here!" is doing it just for fun? All those hundreds of people who reply to it with their account creation date just gave that person key pieces of information required to steal an account.

    No matter how secure Supercell ID is, we cannot prevent people from voluntarily giving away their account information. And that is the biggest weakness of any security system. This isn't just isolated to Supercell ID. It's ubiquitous throughout the gaming industry, tech industry, government, etc. Information security is one of the most lucrative jobs because the general population has no idea just how much information they share publicly.

    Whenever we hear stories about "loopholes" in our account recovery process or security system, all it does is bring to light just how willing people are to share just enough information for a scammer to take over an account.

    One big one is when multiple people in a Clan share a single account for purposes of doing each other's Clan War attacks. This is quite common in many social multiplayer games, and isn't isolated to Clash of Clans. Now, one of these players perhaps has been really lax in maintaining strict security over their device. Or perhaps they use an emulator and didn't realize they had a keylogger on their system. So now some third party is able to steal the account.

    We can only create a secure system that works as long as everyone protects their information. But there is no 100% way to protect against people's...carelessness.
    AKA Tank Puppy
    https://twitter.com/Devourlick

    If you have account-related questions like account bans or Supercell ID issues, please contact Player Support at this link. Please note that Community Managers and Forum Moderators are unable to assist or answer any account-related questions.


  3. #3 Darian[Supercell] - Join Date: May 2017, Location: Gliese-832c, Posts: 6,223
    I've reopened the thread for discussion as I wanted to make sure my reply was the first one before reopening it again. I'll be keeping a close eye on this discussion as it is quite an important topic that I think should be discussed in order to dispel myths and misinformation.


  4. #4 Ullaspn (Forum Elder) - Join Date: Dec 2019, Location: Forest of main village, Posts: 2,055
    Quote Originally Posted by Darian[Supercell]:
    I've reopened the thread for discussion as I wanted to make sure my reply was the first one before reopening it again. I'll be keeping a close eye on this discussion as it is quite an important topic that I think should be discussed in order to dispel myths and misinformation.
    Can I share this on Clash Reddit?
    Last edited by Ullaspn; January 18th, 2021 at 09:27 AM.

  5. #5 Darian[Supercell] - Join Date: May 2017, Location: Gliese-832c, Posts: 6,223
    Quote Originally Posted by Ullaspn:
    Can I share this on Reddit?
    I can't really stop you, can I? :-P


  6. #6 Kannukanhashubhang
    Does SC ID really expire? If not then why are players getting these emails?

  7. #7 Darian[Supercell] - Join Date: May 2017, Location: Gliese-832c, Posts: 6,223
    Quote Originally Posted by Kannukanhashubhang:
    Does SC ID really expire? If not then why are players getting these emails?
    Again, this comes down to how securely someone is keeping their information. A Supercell ID will display the "Expired" message when the email address assigned to a Supercell ID has been removed and another email address has been attached to that Supercell ID. The most common situation in which this happens is when someone has gained access to enough of a person's account information and has provided it to a player support agent during the account verification process.

    Support generally allows a one-time exception to allow an email address assigned to a Supercell ID to be changed. This scam usually happens due to the above situation I mentioned when someone is "giving away" a high level account and provides an email address to the scammer, along with any relevant account information the scammer can use to steal the account.

    As I said before, this boils down to how willing people are to give away account information to scammers.


  8. #8 Terminator1986
    The ability to change the email associated with an account worries me. Also, using only knowledge factors for this is, in my opinion, too weak. What do you think about adding a possession factor?
    Last edited by Terminator1986; January 18th, 2021 at 10:04 AM.

  9. #9 Darian[Supercell] - Join Date: May 2017, Location: Gliese-832c, Posts: 6,223
    Quote Originally Posted by Terminator1986:
    The ability to change the email associated with an account worries me. Also, using only knowledge factors for this is, in my opinion, too weak. What do you think about adding an ownership factor?

    The reason there is a one-time exception to change email addresses is simply because, well, real life happens. Sometimes people use their work email address and then change jobs. Or perhaps they share an email address with a significant other and that relationship ends. There are numerous reasons why a person would need to change the address, so allowing it to be changed one time is understandable. But the account holder does need to provide enough information to verify the account in order to change it. If a malicious party is able to change the email address, it's because they were able to obtain enough information about the account holder in order to verify ownership. That can only happen if the account holder has been careless either with their personal information or their account security.

    We can put as many restrictive policies and systems in place, but we can't stand over every single person's shoulder to prevent them from giving out personal information. Just why do you think there are so many people who fall for the Nigerian Prince money scam or vitamin/supplement scams?

    Why do you think there are so many spam posts for CBD, love connections, etc. on these forums that we delete? People click on them and fall for those scams. Heck, the general individual has no idea just how much malicious software is out there on various websites that gets installed on their PC that logs their personal information.

    People are unconsciously careless with their information and scammers are very good at picking up those pieces and taking advantage of it.

    What do you mean by "ownership factor"?


  10. #10 Super Member - Join Date: Aug 2020, Posts: 907
    Can't we get a "remove login from other devices" option for SCID through an email OTP? I know the need for it could have resulted from account sharing, but still...
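    The distinction raised in posts #8 and #9 (knowledge factors such as player tag, village name, clan and TH level, versus a possession factor such as a code delivered to the currently registered email) and the "remove login from other devices" request in post #10 can be shown concretely. The following Python model is an added example, not Supercell's code or a description of how Supercell ID actually works: the account fields, the `Account` class, the "one-time exception" counter, the 10-minute code lifetime, the five-attempt limit and all sample values are constructed assumptions. It shows why a knowledge-only check passes for anyone who has researched a public profile, and how a single-use, hashed, expiring email code gates both the email rebind and the revocation of other devices' sessions.

```python
"""Account-recovery model: knowledge factors alone versus knowledge + possession.
Added example; every field, value and policy constant here is an assumption."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

OTP_TTL_SECONDS = 600      # assumed code lifetime
MAX_OTP_ATTEMPTS = 5       # assumed guess limit before the code is discarded


@dataclass
class Account:
    tag: str
    email: str                         # the email currently bound to the ID
    public_profile: dict               # tag, village name, clan, TH: all visible in-game
    email_changes_used: int = 0        # models the "one-time exception" from the thread
    sessions: set = field(default_factory=set)   # device session ids
    pending_otp: Optional[dict] = None  # hash of an outstanding code, or None


def knowledge_check(acct: Account, answers: dict) -> bool:
    """Knowledge-only verification. Every expected value is also public, so a
    researcher who copies the profile passes exactly like the owner does."""
    return all(acct.public_profile.get(k) == v for k, v in answers.items())


def issue_otp(acct: Account, purpose: str, now: Optional[float] = None) -> str:
    """Possession factor: mint a single-use 6-digit code and store only its hash.
    In a real system the plaintext is emailed to acct.email; it is returned here
    only so the demo can play the legitimate owner."""
    if now is None:
        now = time.time()
    code = f"{secrets.randbelow(10**6):06d}"
    acct.pending_otp = {
        "hash": hashlib.sha256(code.encode()).hexdigest(),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
        "purpose": purpose,            # a code for one action cannot be replayed for another
    }
    return code


def verify_otp(acct: Account, purpose: str, code: str, now: Optional[float] = None) -> bool:
    """Check a submitted code: right purpose, not expired, attempts remaining,
    constant-time hash comparison, and consumed on success."""
    p = acct.pending_otp
    if p is None or p["purpose"] != purpose:
        return False
    if now is None:
        now = time.time()
    if now > p["expires"] or p["attempts"] >= MAX_OTP_ATTEMPTS:
        acct.pending_otp = None        # expired or exhausted: force a fresh code
        return False
    p["attempts"] += 1
    submitted = hashlib.sha256(code.encode()).hexdigest()
    ok = hmac.compare_digest(p["hash"], submitted)
    if ok:
        acct.pending_otp = None        # single use
    return ok


def change_email(acct: Account, new_email: str, answers: dict, otp_code: str,
                 now: Optional[float] = None) -> str:
    """Rebind the email only when the knowledge check AND the possession check
    pass, and only once (the one-time exception). All prior sessions are dropped."""
    if acct.email_changes_used >= 1:
        return "denied: one-time exception already used"
    if not knowledge_check(acct, answers):
        return "denied: account details do not match"
    if not verify_otp(acct, "change_email", otp_code, now):
        return "denied: confirmation code from registered email missing or wrong"
    acct.email = new_email
    acct.email_changes_used += 1
    acct.sessions = set()
    return "email changed"


def remove_other_devices(acct: Account, keep_session: str, otp_code: str,
                         now: Optional[float] = None) -> bool:
    """The post #10 idea: revoke every session except the requesting one, gated
    by a code sent to the bound email rather than by public profile facts."""
    if not verify_otp(acct, "revoke_sessions", otp_code, now):
        return False
    acct.sessions = {keep_session} if keep_session in acct.sessions else set()
    return True


if __name__ == "__main__":
    # Constructed sample account; the researcher knows everything in public_profile.
    acct = Account("#EXAMPLE1", "owner@example.com",
                   {"tag": "#EXAMPLE1", "village": "Example Village", "clan": "Example Clan", "th": 13},
                   sessions={"phone", "tablet", "unknown-device"})
    looked_up = dict(acct.public_profile)
    print("knowledge-only check passes for researched profile:", knowledge_check(acct, looked_up))
    print("rebind without email code:", change_email(acct, "new@example.com", looked_up, "000000"))
    code = issue_otp(acct, "change_email")
    print("rebind with code from registered email:", change_email(acct, "new@example.com", looked_up, code))
```

    The design point is the ordering of the gates: the knowledge check still runs (it is what support uses today, per post #9), but it can no longer complete the change on its own, and the code is consumed, time-limited and attempt-limited so that a leaked or guessed value has a short, single window.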
