How 'secure' is SCID?

[Kaledonian]

i can understand that..
But is it coincidence that the upsurge in stolen accounts we have seen are all linked to SCID, and none from google play or apple store?

I think a smarter, more devious scam is more likely than a system flaw TBH.

It's often the case that the most plausible answer is the truth. Much as the people who've been scammed would have you believe otherwise, it's still more likely that they, themselves were careless; upsurge or not.

Part of the wider issue here, for me anyway, is the message: "your SCID has expired". It's ambiguous to say the least; it doesn't convey to me that the email address linked to the account has been changed. If it was obvious that the account had been compromised, some people wouldn't go looking for alternative answers to fit their narrative.

[Unobservr]

Whoa... this is deep.

Is this something that only happens to those who uses SCID or not? If yes, then not using SCID is surely safer, right?

[darpan2704coc]

There is, I agree..
But what about all of those that say they never divulged any information, nor did anything that would jeapardise their security?

Without evidence to the contrary, one needs to assume they are telling the truth surely?

Not in favor of them, not against them. But I've experienced that players do share information without actually realising that they revealed it. So their claim is right, but only to the fact that it's not in their knowledge that they've shared it.

[fozage]

Whoa... this is deep.

Is this something that only happens to those who uses SCID or not? If yes, then not using SCID is surely safer, right?

not really a scammer could connect a scid to your account without you realising, and then you can't do much about it

[Kaledonian]

There is, I agree..
But what about all of those that say they never divulged any information, nor did anything that would jeapardise their security?

Without evidence to the contrary, one needs to assume they are telling the truth surely?

It doesn't take you or me to literally post our emails & passwords. You can let slip plenty of snippets that can be pieced together to provide key elements here & there.

[Thesuperbeast]

not really a scammer could connect a scid to your account without you realising, and then you can't do much about it

Right... So broadcast you don't have SC ID.. because you think of big tech stealing your pointless life (not you, I'm talking generalities) and boom I can connect that base to any of my SC IDs?

Surely the logical step is.

SC ID is mandatory.. everyone will get over it, XBL AND PSN is mandatory as we as these games now all require it, like COD, Battlelog, Zenimax etc as well. Not an issue.

One SC ID per base.. anyone attempting to log it, a notification is sent to the owner much like logging into your gmail a new computers, my phone asks me to type a key into my master device (phone) to verify its me before I can have access.

Phishing now becomes a lot harder, to anyone that fails to comply with the instructions and or gives out information.. you're in charge of your own destiny and this is the fallout from it.

I call custard on those claims that they were robbed blind though, if you didn't have SC ID it's your own fault, you even get 50 gems for linking it up, you don't get spammed or marketed at all. There are no downsides.

[Kaptain Kat]

i can understand that..
But is it coincidence that the upsurge in stolen accounts we have seen are all linked to SCID, and none from google play or apple store?

Is there an upsurge ?
Anywho, stolen accounts is definitely not a new thing and we’ve seen plenty of other situations through the year and yes the scam changes slightly to what works best at the time. Just like email scammers and SMS fraudulent accounts currently use covid as a cover story to make you give your bank account information.

There was a time people who hadn't yet connected to SCID were targeted to connect the game to an email not belonging to them with a scam thinking they were getting a free account. And it wasn’t even that long ago.

Nevertheless, it’s certainly very hard to understand that people are so very dismissive about not having shared sensitive information ever. Of course it’s not like they asked you the key to the house and you just handed it to them. As has been said already these people doing the stealing are extremely clever at piecing information together even when a player thinks a certain piece by itself seems harmless enough.

Its not about accusing them being careless on purpose and hang their house key on the outside of their door. In a lot of cases they don’t even realize they’re doing it especially in this day and age where quite a few people are used to posting their whole life on FB or Instagram and alike.

Just think of this situation... how easy is it to get into a “how did you start playing the game” conversation in clan chat. Quite often a time frame of when that person started is casually mentioned or can be easily reconstructed. I’m sure a whole lot have been in such conversations or have seen them...

[2222]

You can look at some of the 3rd party account selling sites, same user listing multiple th13 accounts, well developed, near max or maxed hero's. These people have 10-15 accounts listed on a ongoing basis. I find it hard to belive that the same person just happens to be the one person that multiple people are sloppy with and giving out sensitive information.
I personally belive there is a security flaw somewhere in the system, what it is I have no idea, but I do belive it is there.

That could be lots of things, though. It definitely could be what you suspect. It could also be he is the sales person for multiple people all working to scam players out of their accounts, which includes contacting support to take an account by using information they obtained from the player with the player not even realizing they provided it, such as on social media. They could also be accounts that were farmed up with bots, not ever stolen.

I think both sides here are probably correct. The people saying the most likely reason someone loses their account is their own fault are correct. That is usually the case. That is probably the case in the vast majority of situations. On the other hand, SC support probably gets scammed sometimes too. There also could be a security flaw somewhere like Warios suggests that accounts for some of these stolen accounts. It probably is a combination of all of those.

A question I would have for SC support if I could ask is when you have a situation where they can literally see in the chat the person talking about how they stole the clan and will sell it back, why is that not corrected? I know chat can be photoshopped, so I'm not suggesting relying on screen shots, but can't they look into the game files and find out if it is true?

[JusMe]

Is there an upsurge ?

Yes, there seems to be, and for me one of the reasons to start this post was the fact that several people closer to home have experienced both ends of this situation (as described in the OP). Adults who have spent money on the game and had not shared information (which didn't seem to matter anyhow).
[snip]

Just think of this situation... how easy is it to get into a “how did you start playing the game” conversation in clan chat. Quite often a time frame of when that person started is casually mentioned or can be easily reconstructed. I’m sure a whole lot have been in such conversations or have seen them...

Just think of the situation as described in the OP, where NONE of that information is requested by SC and accounts are seemingly handed over to scammers with no verification besides information that's readily available in the API, and the rightful owner of the account is left with the message their SCID has expired without any recourse, however much proof of ownership they provide (because support apparently won't even look at the case anymore).

[APURV77]

If With a backup we can get access to id on new device ? Is it okay? That also without security code