Suspicious Activity Trigger Too Sensitive, and Lockouts Too Aggressive
Quickly sending too many DMs triggers a flag that locks you out of your account and demands mobile phone verification. This isn't a one-time verification for your account, but a requirement for a mobile number to be registered to your account, permanently.
If you remove that number, your account will instantly be locked out again.
Why? Well, the only logical reason would be to stop compromised accounts and bots. That means it's a matter of verifying the authenticity of the user. Hilariously, providing a mobile phone number doesn't do ANYTHING to verify the account hasn't been compromised; any abuser can simply use their own phone number to continue to use the account.
Now, obviously there are some merits to associating a phone number with the account, such as relating malicious activity to the number and therefore being able to track the abuser. But this doesn't help the original account holder in any way.
Moreover, it just isn't necessary; there are multiple levels of elevation you can apply to prevent abuse without immediately resorting to personal information. Given the prevalence of captcha, I assume it's fairly effective at dealing with bots, so that should be your first step.
Given the response time of the support I received, they're apparently decently prepared to review your account activity, so having the account flagged and possibly temporarily locked out until review is another step you can take.
If you're logged in on multiple devices, one device can be locked out while the others can be used to "recover" the account, given that an abuser likely doesn't have physical access to any/all of them. In conjunction with IP address history/verification, this can further authenticate the connections.
A password reset will log out all sessions of the account and prevent entry by anyone without access to the e-mail.
There are so many steps that can be taken without a lockout requiring phone verification, and it's easy to see if an account is a repeat abuser if it gets flagged a second time for similar behaviour.
But most importantly, the system needs to be more lenient with flags.
I was flagged because I was cleaning out a server I manage, one with hundreds of users.
I wanted to notify the users I was kicking that they had been kicked. There is no Discord feature for such a function; few bots support DMing, and none I have seen so far can automate sending a message before kicking a user.
So I was manually going to the DM page, sending a message, navigating back to my server, scrolling down to the next user I wanted to kick, and doing the same thing, one user at a time.
I get it, it was a copy-paste message being sent to many people in a relatively short time span, but anyone with half a brain could have taken 5 seconds to look at my recent actions and what the messages said, and would have seen that what was going on was completely normal.
So not only do the measures taken need to be re-evaluated, so too does the trigger system.
Please and thank you.
-
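The escalation ladder the post argues for (count bursts of DMs, challenge with a captcha first, then hold for review, then confirm from another signed-in device, then force a password reset, and discount DMs that a moderator sends to members they have just kicked) can be sketched as a small rate-limiting policy. The code below is an added illustration written for this page; it is not Discord's code, and every threshold, class name and the "kick grace period" idea are assumptions chosen for the demonstration.

```python
"""Graduated response to DM bursts, with moderation context (illustrative, not Discord's code)."""
from collections import defaultdict, deque
from enum import IntEnum


class Response(IntEnum):
    """Rungs of the escalation ladder; none of them asks for a phone number."""
    ALLOW = 0
    CAPTCHA = 1                   # first flag: prove you are not a bot
    HOLD_FOR_REVIEW = 2           # second flag: pause DMs until a human reviews the account
    CONFIRM_ON_OTHER_DEVICE = 3   # third flag: another signed-in session must confirm
    FORCE_PASSWORD_RESET = 4      # fourth flag and beyond: log out every session


class DmGuard:
    """Sliding-window burst detector with a per-sender escalation level.

    Thresholds are hypothetical values chosen for this example.
    """

    def __init__(self, max_dms=10, window_s=60, kick_grace_s=600, flag_memory_s=3600):
        self.max_dms = max_dms            # DMs allowed per window before a flag
        self.window_s = window_s          # length of the sliding window in seconds
        self.kick_grace_s = kick_grace_s  # how long a DM to a just-kicked member is "expected"
        self.flag_memory_s = flag_memory_s  # how long earlier flags keep raising the rung
        self._sends = defaultdict(deque)  # sender -> timestamps of DMs that counted
        self._kicks = defaultdict(dict)   # moderator -> {member: time of kick}
        self._flags = defaultdict(deque)  # sender -> timestamps of past flags

    def record_kick(self, moderator, member, now):
        """Moderation context: remember that `moderator` kicked `member` at time `now`."""
        self._kicks[moderator][member] = now

    @staticmethod
    def _prune(dq, now, horizon):
        # Drop timestamps older than `horizon` seconds from the left of the deque.
        while dq and now - dq[0] > horizon:
            dq.popleft()

    def on_dm(self, sender, recipient, now):
        """Decide what to do with one outgoing DM; returns a Response rung."""
        # A DM to someone the sender kicked moments ago is normal moderator
        # behaviour (the OP's case), so it does not count toward the burst.
        kicked_at = self._kicks[sender].get(recipient)
        if kicked_at is not None and now - kicked_at <= self.kick_grace_s:
            return Response.ALLOW

        sends = self._sends[sender]
        self._prune(sends, now, self.window_s)
        sends.append(now)
        if len(sends) <= self.max_dms:
            return Response.ALLOW

        # Burst detected: climb one rung per flag remembered within flag_memory_s,
        # capped at the top of the ladder. Repeat offenders escalate; a single
        # burst only ever costs a captcha.
        flags = self._flags[sender]
        self._prune(flags, now, self.flag_memory_s)
        flags.append(now)
        rung = min(len(flags), int(Response.FORCE_PASSWORD_RESET))
        sends.clear()  # the challenge, once passed, starts a fresh window
        return Response(rung)


def run_scenario():
    """Constructed scenario: a moderator notifying kicked members vs. a bot spamming."""
    guard = DmGuard()
    # Moderator kicks 15 members and DMs each one a copy-paste notice within seconds.
    mod_results = []
    for i in range(15):
        guard.record_kick("mod", f"member{i}", now=i)
        mod_results.append(guard.on_dm("mod", f"member{i}", now=i + 1))
    # A bot DMs 11 unrelated users twice in a row, then again an hour later.
    first_burst = [guard.on_dm("bot", f"target{i}", now=i) for i in range(11)]
    second_burst = [guard.on_dm("bot", f"target{i}", now=11 + i) for i in range(11)]
    later_burst = [guard.on_dm("bot", f"target{i}", now=5000 + i) for i in range(11)]
    return mod_results, first_burst, second_burst, later_burst


if __name__ == "__main__":
    for name, res in zip(("mod", "bot#1", "bot#2", "bot#3"), run_scenario()):
        print(name, [r.name for r in res])
```

The moderator's fifteen notices never count because each recipient was just kicked by that same sender, which is exactly the context the post says a reviewer could have seen in five seconds. The bot's first burst ends in a captcha, the second in a review hold, and a burst an hour later (outside the flag memory) drops back to a captcha, so the ladder is forgiving without being blind to repeat behaviour.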
I concur wholeheartedly
1 -
It was quite irritating to be locked out of my account, twice in succession. I was forced to change my password and then had to do it again. Whatever checks you have in place seem to be overly aggressive. Please scale back. This is not making me feel more secure; it certainly feels like Discord is being inconsiderate towards its users.
2 -
I just had this same issue where I was kicked out of my own Discord twice and had to change my password due to suspicious activity within an hour of each other. I do have two-step enabled. Any other suggestions? Is there anything else I can do...
1 -
I hope Discord reads this, it's so true! I'm locked out of my account and it must have been for quick DMs with a friend. I can't verify. Thank you for posting, I hope they fix it.
1 -
This is the one article that Discord needs to read, like
1 -
I'm shockingly not locked out yet, I thought I was earlier. But, I have to verify with hCaptcha every time that I log in now.
0 -
I sent 5 messages and that's all it took to lock me out, and I'm an admin of a server too, doing similar stuff to what OP stated. It seems not to care about what phone number you use to verify as well, if you've never registered a phone number with your account, as long as you stick with that number after. But like OP says, it's stupid, as an attacker can just put in their own phone number, and I've seen another post about people not having phone numbers so they have to borrow someone's, potentially creating more problems down the road if this person tries to remove the number or, worse, forgets to remove the number and gets locked out again. A simple captcha click or something would be so much easier to prove that I am not a bot. I hope Discord finds a better approach to this.
1 -
I can agree with this; just for looking at people's profiles and DMs I got kicked out of my account for number verification and got banned automatically from the server where those people were.
I didn't even send a message to them; just opening DMs and looking at profiles is enough to be banned automatically from a server (and the administrators can't unban me, so I have to come back on an alt account) and be locked out for "suspicious activity".
I hope Discord gets a better way of detecting real suspicious activity.
1 -
If developers and support will not solve this issue even 3 years later, then find a better Discord alternative.
1 -
I agree, even a 500 dollar offer (which no scammer would ever rationally send) isn't enough to get this taken away. I've been contemplating whether or not to head to the HQ and speak to them in person, as all previous attempts to get this stupid restriction removed from my account have failed. I've done almost everything, excluding doing all of the below at once:
A: changing IP
B: changing os
C: having no accounts of reference that they can use
D: transferring server data and user interactions via txt and a usb and
E: recovering everything over the course of a month
Note that I've done all of these things separately, except D and E, before this message, just to show you how big a pile of crap this is.
Even worse, all responses say that it's, and I quote, "both non-negotiable and permanent," which is completely stupid and is even harmful to the userbase.
Lastly, there's one level of flag; I don't care how many times they say there are different levels, it can only be all one. I've gone through every single possible option of retrieving my 2 accounts and no method leaves both accounts usable and accessible simultaneously. Even worse, the times I've used the verification are also used as a method to make every subsequent verification more and more difficult, to the point of suspending me from the platform, all because of the possible options I can list below:
A: same as OP's situation, letting people know why they've been kicked
B: using a VPN to get past the school's blocking system ONCE
C: one singular instance of mass DMing in order to spread propaganda about a control freak on a server, which happened 1-2 years ago now (the madman banned everyone that made the server popular and will ban anyone for even the slightest off interaction (not even bad, just off))
D: sending these issues to Discord staff on and off for ages, making me an angry customer who barely uses their platform these days (again, the 500 is just to have 2 perfectly usable accounts on one device, which shouldn't be impossible, and yet seems to truly be the case)
All information on how the system itself works is left ambiguous; this is to avoid ToS violation but also to avoid exploitation when specified. Of course, though, this leaves the kind/good-hearted users to deal with the crap that makes this beyond difficult to manage.
2 -
Does this by any chance have to do with being hacked or smth?
0
Comments
11 comments