The new home for the IMVU Community is help.imvu.com. For more information, check out this article.

Make sending credits more secure
Goto page Previous  1, 2, 3, 4, 5  Next
 
Post new topic   Reply to topic    IMVU Forum Index -> Suggestions and Feedback
View previous topic :: View next topic  
Author Message
MasterBitter

MasterBitter's page


Joined: 19 Jun 2011
Posts: 299
Location: USA

PostPosted: Thu Feb 26, 2015 2:59 pm    Post subject: Reply with quote

Cassi wrote:

I still don't know that it's needed, as nobody would be able to send you credits without your explicit approval in the three step process...

That said... I agree, notification in client (a tab in the messages section would be ideal) for any pending transfers, incoming, outgoing, and completed ... would be awesome


Your 3 step plan is fine, just also want a way to turn it off completely so those of us who don't want them at all can toggle it off and on at our convenience.
_________________
Back to top
View user's profile Send private message  
MasterBitter

MasterBitter's page


Joined: 19 Jun 2011
Posts: 299
Location: USA

PostPosted: Thu Feb 26, 2015 3:01 pm    Post subject: Reply with quote

Cassi wrote:
The other downside to a complete opt out is it would stop you getting messages for people who want to send you credits, if the same people keep trying to send you credits, you can always report for harrassment if you can prove you've asked them to stop...

But it stops you being able to get given gifts from friends without them having to ask you to turn your thing on...

I just think that the 3 step system would protect you enough, being able to see who wants to send and how much without having to put a brick wall up opting out of all transfers.


That's just it. I don't want friends gifting me credits......nor do I want random gifts from strangers. Just like in-client message settings you could toggle it off and on whenever. As it stands now you cannot stop someone sending you credits--period.
_________________
Back to top
View user's profile Send private message  
Cassi VIP Club Member 18+ Age Verified

Cassi <a href='/vip_club/'><img src='/catalog/web_images/vip_35x18.gif' width='35' height='18' alt='VIP Club Member' /></a><!-- VIP Club Member Icon --> <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 03 May 2010
Posts: 200
Location: Australia

PostPosted: Thu Feb 26, 2015 3:10 pm    Post subject: Reply with quote

MasterBitter wrote:

That's just it. I don't want friends gifting me credits......nor do I want random gifts from strangers. Just like in-client message settings you could toggle it off and on whenever. As it stands now you cannot stop someone sending you credits--period.
Well I guess if there are people who want that setting, there's no harm in it.
_________________
[img]http://i.imgur.com/u7aUPBS.gif[/img]
Back to top
View user's profile Send private message  
XxMissSnowyxX_disabled_49 18+ Age Verified

XxMissSnowyxX_disabled_49 <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 24 Mar 2010
Posts: 9140
Location: USA - ME

PostPosted: Thu Feb 26, 2015 3:18 pm    Post subject: Reply with quote

I know that I would have that on if it was a choice.

A friend sent me credits and I started panicking because I couldn't figure out where they came from >.<
_________________
Back to top
View user's profile Send private message  
Cassi VIP Club Member 18+ Age Verified

Cassi <a href='/vip_club/'><img src='/catalog/web_images/vip_35x18.gif' width='35' height='18' alt='VIP Club Member' /></a><!-- VIP Club Member Icon --> <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 03 May 2010
Posts: 200
Location: Australia

PostPosted: Thu Feb 26, 2015 3:25 pm    Post subject: Reply with quote

XxMissSnowyxX wrote:
I know that I would have that on if it was a choice.

A friend sent me credits and I started panicking because I couldn't figure out where they came from >.<
Thats another good point, there is a way to check your logs of credits sent to you, but its hidden away, and not easy for many users to find... and no option to get notifications - apart from email
_________________
[img]http://i.imgur.com/u7aUPBS.gif[/img]
Back to top
View user's profile Send private message  
Pixel VIP Club Member 18+ Age Verified

Pixel <a href='/vip_club/'><img src='/catalog/web_images/vip_35x18.gif' width='35' height='18' alt='VIP Club Member' /></a><!-- VIP Club Member Icon --> <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 09 Feb 2007
Posts: 115
Location: United Kingdom

PostPosted: Thu Feb 26, 2015 3:26 pm    Post subject: Reply with quote

I think it is definitely something that could be made more secure.
Back to top
View user's profile Send private message Send e-mail  
BESH0S 18+ Age Verified

BESH0S <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 20 Jun 2007
Posts: 40
Location: Mexico

PostPosted: Thu Feb 26, 2015 7:15 pm    Post subject: Re: Make sending credits more secure Reply with quote

Cassi wrote:
The system that is in place for sending credits is inadequate.

There is no structure in place to protect yourself from fraudulent credits going into your account, as there is no way to decline incoming credits from unknown or untrusted users.

Also, If you're the kind of person who often gives credits to friends, you get capped and can no longer send using direct transfer. I understand why this is done, but I don't think it's very successful in preventing foul play such as scamming, the only purpose it serves is to annoy.

That leaves us with a couple of options:

● Contacting Customer service by way of a help ticket or Live chat (if you're VIP) - There are a few issues in this system, you're provided with no notification of credits going into your account, and IF you're fortunate enough to have a staff member who isn't taking shortcuts, you could go into your credit balance events and MAYBE see the user ID number of who sent the credits to you in the notes section. Human error has been known to occur with this system, sending credits to the wrong user, or sending the wrong amount, both the person filing the ticket AND the staff member handling it can make mistakes. Also, its too easy for people to file another ticket, wrongfully claiming they sent credits to the wrong user, and staff will revoke those credits from you, no questions asked and no notifications of who or why took your credits. Also, this can take a long time to be processed if you aren't VIP.

● Buying credits for people using a registered reseller - Of course this isn't ideal, as if you want to send credits to another user from your own credit balance, then you're not going to be able to use this option. There are also issues that can occur with fraudulent credits being sent when the buyer makes a PayPal dispute against the reseller, and the reseller gets the recipient's imvu account disabled (not the buyer who's the one at fault)


---------

They should give us a more secure way to send credits.

I propose this:


1) Person A proposes the credit send. (With the space to leave a note explaining the purpose of the send)

2) Person B accepts or declines the send

3) Person A CONFIRMS the send, making sure usernames are correct and no errors were made the first time
(at this point, IMVU can make a note that they're not responsible for any errors made so check carefully)

4) if the transfer is for more than a certain amount (10k, maybe? Higher for users sending credits to approved resellers to sell back) Then CS confirms there is no foul play by running the same checks it does when facilitating Live chat or Help Ticket Transfers. If the transfer is less than that amount, then the transfer happens automatically

If this is done, then people shouldnt be able to claim that they sent to the wrong user via help ticket... therefore avoiding fraud, it'll also help prevent hacked accounts losing their credits.

They could also cap the number of unchecked credit transfers so that a scammer can't get around the check by sending small amounts to many different alt accounts.

A similar system is used on another social website (which I'm not sure if I'm allowed to name) for trading products and in-game currency, and has been a great system for many many years.


{Edited to remove the IP check from the suggestion, as I have been told, and now agree that it would not work the way I thought}



I agree wth this, theres got to be a way we can be able to send credits frm our own accnts, wth out havin a sendin limit, i think its stupid tht i spend rl money on my credits, and cant send the amounts I want

_________________
Back to top
View user's profile Send private message  
SpirInk

SpirInk's page


Joined: 05 Nov 2008
Posts: 1740
Location: USA

PostPosted: Fri Feb 27, 2015 1:46 am    Post subject: Reply with quote

(A/N: Sorry! Another long post from me, but this is in complete support of not just improving the security of credit transfers but also the security of account access.)

The three step plan sounds great and yeah, an option to turn off the ability to receive credits via direct transfer would be another idea I would get behind. Smile

In addition to completely turning off the ability to receive credits (unless through direct administration actions?), I would also like to suggest a related credit transaction safety feature I'm going to call 'Vacation Mode'.

As a safety feature, this 'Vacation Mode' can be toggled on by users who are - for example - going on vacation or will be generally busy with RL stuff for lengths of time and unable to check into their accounts on a regular basis.

What this 'Vacation Mode' will do is allow users to not accept any direct credit transactions into or out of their account for the 'vacation' time that they will be away from IMVU. Additionally, like log-in session logs, there would be a log of all the times that 'Vacation Mode' has been activated and deactivated. As an extra layer of security, a totally different password (read more to read about the Secret Word feature) can be used to initiate and lift this 'Vacation Mode'.

This will allow the prevention of unauthorized IMVU credit transactions while an IMVU user is away and knows that they will be away and it also puts this safety feature and control directly into their hands.

If I know I enabled my 'Vacation' mode for let's say two weeks and have proof that I did so, then if somehow - heaven forbid - bad credits passed through my account via direct transfer, then the onus of the bad transaction certainly isn't going to be on me because I at least did my part to prevent it from happening.

Obviously, you don't HAVE to really be on vacation or anything, but if people want or need a temporary direct transfer lock (for example, maybe you're traveling AND you still have access to IMVU but your access point isn't very safe like at an internet cafe and you want to help protect yourself)

I know that after a period of time users who have been absent will be prompted to log back into the client as a way to 'reactivate' their account so there kind of sort of is protection already for short term absences...

but this also doesn't seem to be consistent enough, either.

An alternative account of mine for HP project previews was prompted for logging into the client after an extended absence while this one was not even though both accounts had been inactive for almost the exact same amount of time.

In regards to IP locking... it's a good idea and I have seen it work... but I have also seen it not work and I would like to add a little more discussion to this topic.

For those of you on rotating IPs because of your ISP, this wouldn't work because you would likely show up as having a moderate to very inconsistent IP address which may or may not correctly correlate to location.

For those of us who aren't, this -could- work. But even for me, though my IP address doesn't change, it gets translated by a variety of IP-to-Location 'translators' to any number of towns and cities within a 100 mile radius from me. Very infrequently am I tagged with my actual location.

For those of us who use smartphones, tablets, portable computing devices with cellular data plans attached, this REALLY might not work because cellular IPs oftentimes have NO real correlation to location.

As an example, I was visiting the nearby metropolitan city for an event and I was using my cellular data to access chat programs and emails to finish coordinating a meetup for the event.

Because my cellular IP tagged me as being halfway across the country, I was locked and blocked out of my accounts because my account providers saw the very irregular IP activity (halfway across the country!) and thought some hacker had cracked into my account.

Legit device, legit IP address... but no correlation between 'halfway across the country IP address' and 'someone is hacking into my account'.

That said, COMBINING something like IP analysis (what was just mentioned) with something like Device analysis (think of iTunes and how you have to authorize devices to access iTunes) and examining and applying the combined data together could very well yield more practical data that can be used to combat unauthorized access (which could help prevent unauthorized credit transfers).

Algorithms can determine if the rotating IPs make sense (someone with an ISP who is well known for rotating their IPs around to different customers should be less likely to be dinged for IP inconsistencies for example) or not and this IP/location information can be logged and analyzed.

At the same time, if these IPs aren't making sense but the device used checks out, the log-in COULD be an okay one... and if there is concern about the log-in attempt, the user could be prompted for some sort of security check just in case.

Of course, there's the question of, "Well, what if someone steals my device and then uses it to access IMVU?" and so of course, this option isn't a failsafe (nothing really truly is)... but it's still a possible measure.

Related to this, and I think in the past it has been suggested before, since this is a site and client where virtual currency (oftentimes paid for with real money) exchanges hands, a 'Secret Word' feature akin to a Verify Identity could be implemented.

If, in the example I provided earlier, a person should get prompted to Verify that they are in fact attempting to access their own account, they could be prompted for their 'Secret Word' - a word entirely separate from their password, username, or email address and possibly even stored on a separate database away from general account information and passwords.

A successful 'Secret Word' attempt allows the log-in and whatever transactions to follow happen and, if there is an IP and/or location and/or device discrepancy, it will count the attempted log in session with all of its inconsistencies as being okay.

In relation to the original three step solution as suggested, this 'Secret Word' feature could be a feature implemented during not just irregular-looking log-ins but also credit transfers.

If someone were to crack into someone else's account and attempt to transfer credits fraudulently, then they would have to also crack the 'Secret Word' as well.

And finally, to address more specifically the general safety of receiving credits (even though the credits are tagged with a username, etc, how do you ultimately know if it's good or not?), a user-initiated 'Pend and Wait' system could be used.

I know most people would like their credits immediately, but since people in the other thread have said that they actually LIKE the credit pend offered in the catalog, this is why I am suggesting this.

If a user is potentially suspicious about a transaction, then they can tag a transaction with 'Pend' which places the fund or funds into a 'Wait and See' state for a certain amount of time.

All that said, I really like the discussion going on here and really support giving IMVU users better self-initiated options to help keep both their accounts AND their credit transactions safe.
Back to top
View user's profile Send private message  
Serpantha 18+ Age Verified

Serpantha <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 15 May 2010
Posts: 6306
Location: Ireland

PostPosted: Fri Feb 27, 2015 1:55 am    Post subject: Reply with quote

Lets not make this more complicated than it needs to be. A simple accept/decline credit transfer would be a step in the right direction. The IP option has been discussed and it's not going to work for everyone: so don't try to force it on everyone or we will end up with a huge mess on our hands.
Back to top
View user's profile Send private message  
SpirInk

SpirInk's page


Joined: 05 Nov 2008
Posts: 1740
Location: USA

PostPosted: Fri Feb 27, 2015 2:15 am    Post subject: Reply with quote

That's exactly why I said that the IP option does and does not work because you're right - it oftentimes does not work... but despite that, it is oftentimes used anyways because the data that can be compiled from it can still be useful.

Also, yes, a simple Yes/No would definitely be a great step in the right direction!

If the things I suggested seem to be too much, what about something like a secondary password to go along with the Yes/No Accept/Decline to authorize credit transfers that is separate from the account password?

The reason I made the suggestions that I did is that to me, making credit transfers safer also involves making our IMVU accounts safer in general - especially access to our accounts.

As an example, though a lot of bad transfers come from bad credits from say, credit card fraud which is wholly on IMVU's shoulders to manage, there are the transfers that also happen because of unauthorized access to accounts, too, and that is perhaps something that could be improved on.

Just some thoughts.
Back to top
View user's profile Send private message  
Cassi VIP Club Member 18+ Age Verified

Cassi <a href='/vip_club/'><img src='/catalog/web_images/vip_35x18.gif' width='35' height='18' alt='VIP Club Member' /></a><!-- VIP Club Member Icon --> <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 03 May 2010
Posts: 200
Location: Australia

PostPosted: Fri Feb 27, 2015 4:43 am    Post subject: Reply with quote

I'm not sure I'm understanding this "vacation mode" suggestion - If you are going away, the three step transaction process would block all attempted transfers from going into your account anyway.

You would come back from vacation to see transactions pending your approval, or transactions cancelled by the one offering the credits due to your lack of response.

I don't know that the vacation mode is needed, I think it complicates a deliberately simple process.
_________________
[img]http://i.imgur.com/u7aUPBS.gif[/img]
Back to top
View user's profile Send private message  
SilkySweet

SilkySweet's page


Joined: 16 Jun 2010
Posts: 898
Location: USA

PostPosted: Fri Feb 27, 2015 11:53 am    Post subject: Reply with quote

SpirInk wrote:

If I know I enabled my 'Vacation' mode for let's say two weeks and have proof that I did so, then if somehow - heaven forbid - bad credits passed through my account via direct transfer, then the onus of the bad transaction certainly isn't going to be on me because I at least did my part to prevent it from happening.



Wouldn't toggling on/off be approximately the same as vacation mode? I would hope they could keep track of this as well.
We've asked for a settings feature for credit transfers for a long time. Perhaps in light of the recent proposal to cap stickers to prevent fraud (which has been placed on hold) maybe they will now address this issue. Seems to me this would greatly reduce the number of fraudulent credits being sent to unknowing users.
PS. I enjoy your long posts!
_________________
Back to top
View user's profile Send private message  
Corsets_123079564_retired 18+ Age Verified

Corsets_123079564_retired <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 30 Oct 2013
Posts: 14
Location: USA

PostPosted: Fri Feb 27, 2015 1:37 pm    Post subject: Reply with quote

I agree on the steps to sending credits idea!
Back to top
View user's profile Send private message  
Cassi VIP Club Member 18+ Age Verified

Cassi <a href='/vip_club/'><img src='/catalog/web_images/vip_35x18.gif' width='35' height='18' alt='VIP Club Member' /></a><!-- VIP Club Member Icon --> <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 03 May 2010
Posts: 200
Location: Australia

PostPosted: Fri Feb 27, 2015 4:07 pm    Post subject: Reply with quote

Oh, and as far as a secret word is concerned, I think there's a risk that people could forget that, perhaps a place to add a security question is a better idea? "What was the name of your first teacher in school" or "What was the name of your first pet" for example - That prompts your memory much better than a box to type your secret word into could...

You'd be much less likely to forget.

And being able to type your own security question is far better than having a drop-down menu of basic questions

I also like the option of having a security code sent to your designated mobile phone as an sms message.
_________________
[img]http://i.imgur.com/u7aUPBS.gif[/img]
Back to top
View user's profile Send private message  
Antithesis 18+ Age Verified

Antithesis <a href='/age_verify/index/'><img src='/common/img/icons/age_verified_35x18.gif' width='35' height='18' alt='18+ Age Verified'/></a> 's page


Joined: 15 Dec 2007
Posts: 9425
Location: Seychelles

PostPosted: Fri Feb 27, 2015 7:36 pm    Post subject: Reply with quote

Would just like to point out for those without a mobile phone - they do make texting apps you can use on your computer, and presumably you could have a verification code sent to one of those.
_________________
Pardon Edward Snowden and Julian Assange!
Back to top
View user's profile Send private message  
Display posts from previous:   
Don't want to see these ads? Join the VIP Program!

Don't want to see these ads? Join the VIP Program!

Hide ads? Get VIP!
Post new topic   Reply to topic    IMVU Forum Index -> Suggestions and Feedback All times are GMT - 8 Hours
Goto page Previous  1, 2, 3, 4, 5  Next
Page 3 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


 FAQFAQ   UsergroupsUsergroups   RegisterRegister  ProfileProfile   Log in for private messagesLog in for private messages 

Search the forums:


Powered by phpBB