    Tuesday, March 2, 2021

    I have posted on this topic many times, and a lot of this info appears in bits and pieces across numerous posts and comments. Here's my refined and edited collection in one guide: a list of all the mitigations and protections that can help safeguard your villages/accounts and prevent account theft or loss.

    For Players

    Link your Village:

    It doesn't matter whether you use Apple Game Center, Google Play Store, or SuperCell ID linking; just make sure it is linked. You will get slightly more safety out of SuperCell ID than out of the other forms of linking, for the following reason: both Apple Game Center and Google Play linked villages can be re-linked to SuperCell ID (and a new email address) in game. That means if someone gains access to your current email account, device, or village, they could re-link the village to SuperCell ID and assign a new email address at the same time from inside the game. If the village is already linked to SuperCell ID, there is no way a malicious person can re-link the base or change the email account without involving SuperCell support.

    Make at least 1 in-app purchase:

    For any account you own, make at least 1 early in-app purchase and save the receipt. Save a copy of the receipt somewhere other than in the registered email address. If/when a prospective thief attempts to steal your account, and there was ever a previous in-app purchase, SuperCell will insist that the person claiming to be the owner produce that receipt; if they can't, they must validate the account by knowing and answering several other questions that only the rightful account owner should know. Keep in mind, SuperCell only cares about the very first in-app purchase. Why? Because if a thief got your account and made a 2nd in-app purchase, they should not be able to walk away with your account by producing the 2nd receipt. YOU need to be the one to make the first purchase. You want this security question coming up during account recovery because it complicates things for a prospective thief, and you force it to come up by making at least one in-app purchase on the account.

    Email Security:

    Regardless of which method you used to link your account, be sure the underlying email account you are using for it resides with a reputable email provider. SuperCell doesn't implement any security of its own; it all relies on the security of the underlying email account, so the strength of your protection is determined solely by how well that email account is secured. This should not be a school or work account, an account provided by your current internet or phone provider, or anything else you might lose access to. I recommend using a gmail account, and I recommend enabling 2-factor authentication on that account for the added safety, if you are responsible enough to keep track of the 2-factor keys. Keep good track of the account credentials, especially if you enabled 2-factor authentication. For keeping track of 2-factor authentication, I recommend an app named "Authy", which stores your 2-factor keys encrypted in the cloud (you must keep track of the encryption key yourself) and allows you to replicate the database to additional devices for backup. Many other 2-factor trackers work great but become useless if you lose your primary device, making it impossible to recover/access your 2-factor protected accounts.

    Personally Identifiable Info:

    Do not share any personally identifiable information online, especially not any of the following: email addresses that any of your accounts are linked to, current or past gem counts, the types/models of devices you've clashed on, the date you created your village, names of previous clans you were in, previous names of your village (if you changed your name), or where (which city) you were in when you created your account. All of these are questions known to be asked by SuperCell during the village recovery process. The more details a potential thief already knows about you, the less guessing and less bullshitting they have to do to try to steal your account, which means they need less luck to succeed.

    Other sources of public info:

    Go into clashofstats.com, create a login there, and claim your village. Once claimed, turn off all information sharing for the village, including clan history. The goal here is to prevent others from being able to look up your clan history online (since previous clan memberships is a known SuperCell account recovery question). The less people can learn about you, the harder it is for them to impersonate you if they try to steal your village. Be cognizant of what other subreddits you are posting on; you might be leaking information you don't realize. For example, if you have been posting on r/Denver for the last year, it might be easy to guess that you live there (and were there when you created your village). Likewise, if you are a frequent poster in r/GalaxyS10, someone might be able to figure out that this is one of the android devices you clash on. Creating multiple reddit accounts to post from can mitigate some of this. I'd also recommend intentionally lying if you ever comment publicly about when you started playing or what city you were in when you created your account, to ensure no one has this exact info about you.

    Use your free name change:

    For added security, you should use the free village name change. Keep track of the original name and never share it with anyone. Reason: the original/previous village name is one of the account recovery questions SuperCell is known to ask when verifying ownership of a village. If the village never used a name change, this question won't even come up. You want this question coming up because it complicates things for a would-be thief. Additionally: accounts that have not used their free name change yet are more valuable on the account resale black markets.

    Play Daily:

    Be active on your village daily. How convincing will a thief be telling support they lost access to their village when you (the rightful owner) are still logging in and playing daily from the same device and location you've been at for years? Also, if someone does manage to compromise your account, by playing daily you will figure it out immediately and be able to take immediate action to secure it. The more time that goes by after an account theft, the harder it will be to recover and undo the damage.

    Never Share your Account or Device

    It feels stupid to have to say this, but lots of people make this mistake and lots of people pay the price. Account sharing is a violation of the terms of service. If you engage in this and somehow lose access to your village, just start over, because support won't help you if they figure out you were sharing the account, and they have access to plenty of data to figure it out. Likewise, don't be dumb and allow your friends, children, siblings, or anyone else to have access to your device. Use a PIN or security lock on your device so that someone who gets hold of it still can't get into your village.

    Free/Cheap Gems Scams:

    Don't fall victim to the free/cheap gems scams. Those scam sites/services will require your account credentials to load your account up with gems; once they have your account credentials they can steal your account at any time (even months later) or sell those credentials to others. The other problem with these sites/services is that they are almost always a front for credit card fraud: the scammers gain access to stolen credit cards, charge you pennies on the dollar to gem-load your account, then weeks/months later, when the fraud is detected and charged back, SuperCell either bans your account for participating in fraud or deducts the gem value of the transaction, putting you permanently into negative gems. Meanwhile, the thief you gave money to is long gone and you aren't getting a refund.

    Free Village Scam:

    Don't fall victim to the free village scam. It works like this: someone finds out you haven't connected your village to SuperCell ID yet. They target and spearphish you specifically by saying they are quitting and want to hand over (for free) a high level account they don't want to see go to waste. You, the greedy and naïve target of their phishing, eagerly try to take them up on this offer. They provide instructions on how you can connect to the SuperCell ID of this awesome free village, but in your haste you fail to realize that the instructions you are following are actually linking your current village to a SuperCell ID on the thief's own email account. As soon as you complete the linking, the thief walks away with your village. If something is too good to be true, it's probably a scam. This scam preys upon people's greed and stupidity. Don't be greedy and stupid.

    Keep Better Track Of Your Credentials:

    I'm not sure why I even have to post this, but this is the most common way people lose their accounts. Get yourself a password manager if you need to. There are lots that are cheap and lots that are free. I recommend getting one with the following features:

    • Encrypted storage where only the user knows/has the decryption keys (this means that regardless of who gains access to the encrypted password store, no one but you can decode it, not even the app manufacturer).

    • Replication: ideally you can replicate your encrypted password store to other devices or back it up to the cloud, so that if you lose your primary device you haven't lost access to all your passwords. The more automatic this feature is, the more likely you are to take advantage of it. Manual backups are nice, but too few people are diligent about manually backing their stuff up.

    Account recovery:

    Do not EVER use your main account (or any account you care about) to recover other lost villages. It's unfortunate that SuperCell support policies are so bad that I have to give this warning, but if you have multiple accounts, do not ever use an account you care about to attempt to recover a different lost account. You risk getting banned and losing access to the account you are on when you contact support if they think or suspect you might actually be a thief. SuperCell support is trigger-happy; don't make your precious main accounts a potential target. Would-be thieves always use fresh disposable accounts to do their dirty work: if they are caught and banned, they just move on and create another new account to try again. It's unfortunate that SuperCell is so blatantly ignorant of security best practices that my advice to innocent people wanting to recover an account is to behave more like a thief would, but that is the result of the current user-abusive SuperCell support policies.

    For Players With Multiple Accounts

    For those of you with multiple accounts, I'd strongly encourage you to take one additional security precaution: for all the email accounts that your alts are linked to, go into your email provider's console and be sure you are forwarding any email from supercell.com to your main email account. That way, if those accounts ever receive email from SuperCell (such as the account linking email), your primary email account will receive a forwarded copy, you will see it immediately, and you will be able to take the necessary action. It also makes it super convenient when you are legitimately linking an alt account to a new device: you don't have to go dig up the credentials and log in to all those accounts, because they forward mail straight to your primary email account.
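    The forwarding rule above, written out as a small filter function so the matching logic is explicit; this is an added example and not code from the original post or from SuperCell. It forwards only when the sender's domain is supercell.com or a subdomain of it, not any address that merely contains that string, so a lookalike sender is not forwarded alongside the real mail. The sample messages and the main-account address are constructed placeholders, and treating subdomains as trusted is an assumption of this example.

```python
"""Filter deciding whether mail received by an alt account's mailbox should be
forwarded to the main account, per the rule "forward anything from supercell.com".
Added example; not the original post's code. Sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

TRUSTED_DOMAIN = "supercell.com"            # domain the post says to forward from
MAIN_ACCOUNT = "main-account@example.com"   # placeholder for your main address


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From: header address, or "" if absent."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_trusted_sender(domain: str) -> bool:
    """Exact domain match or a true subdomain (assumption: e.g. id.supercell.com).

    A substring test such as `"supercell.com" in domain` would also accept
    lookalikes like supercell.com.example or notsupercell.com; this does not.
    """
    return domain == TRUSTED_DOMAIN or domain.endswith("." + TRUSTED_DOMAIN)


def forward_target(raw_message: str) -> Optional[str]:
    """Address to forward the message to, or None when it should stay put."""
    if is_trusted_sender(sender_domain(raw_message)):
        return MAIN_ACCOUNT
    return None


# Constructed sample messages (not real SuperCell mail).
GENUINE = "From: Supercell ID <noreply@id.supercell.com>\nSubject: Link\n\nbody\n"
LOOKALIKE = "From: support@supercell.com.example\nSubject: Link\n\nbody\n"
SUBSTRING = "From: someone@notsupercell.com\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    for label, sample in (("genuine", GENUINE), ("lookalike", LOOKALIKE),
                          ("substring", SUBSTRING)):
        print(label, "->", forward_target(sample))
```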

    For Clan Leaders

    There are some other mitigations I recommend for clan leaders in addition to all of the above. When it comes to account theft, abandoned high level accounts are valuable, but so are leaders of desirable or high level clans. Here are some additional things that clan leaders can do to safeguard their clans (especially clans that are sitting dormant/parked with a holding account).

    TH4 or Lower Leader Account:

    SuperCell support won't assist in account recovery for any TH4 or lower account. Because of this, if you use a TH4 as the leader account for any clan, it will make that clan much, much harder to steal. If you have dormant clans where you use holding accounts to maintain leader, having them be TH4 or lower will make them much safer. It also means you need to be extra diligent about not losing your credentials, or you risk losing the clan and never recovering it.

    Edit: I've been advised that the above info (about SuperCell not doing account recovery on very low level accounts) may no longer be valid. I'll perform some new testing to confirm, but it might take a while.

    No Other Promoted Players In Dormant Clans

    If you are holding on to a dormant clan, make sure you've demoted everyone else in the clan to member so that the natural progression of leadership succession doesn't happen after 90 days.

    Notes For SuperCell:

    If you are reading this, and I hope you are, it is your lack of adopting industry standard security best practices that necessitates a post like this. Here are some things that any company even minimally interested in the security of their customers' accounts would be / should be doing better:

    • Quit requiring all players to contact support in-game only for account recovery. This is a player-abusive policy that results in many innocent players losing access to yet another of their legitimate accounts just because they are trying to recover a lost or forgotten account and fail to remember all of the details. Thieves are already smart enough to game the system and create new disposable accounts from which to contact you, so all this policy does is harm legitimate players. Create a mechanism (at least for the account recovery process) that takes place out of game. No one should have to create a new account or risk losing an existing account just to connect with support to recover a lost account.

    • Be more proactive in communicating security best practices to your players. I shouldn't have to be posting a guide like this. You should be doing it.

    • It is a common industry-standard security best practice to send email to the registered email account when account changes are being made and to give the recipient a means of contacting support if necessary. YOU DON'T DO THIS. YOU NEED TO DO THIS. IT'S BARE MINIMUM BEST PRACTICE. If someone tries to change the underlying email associated with a village, you MUST send email to the original email address as notification and provide that user a chance to intervene. A thief should not be able to socially engineer a SuperCell support agent into handing over an account and changing the underlying email address without giving the authorized email owner an opportunity to intervene.

    • Give users the ability to lock down their accounts and prevent the recovery process. For players who know they want to prevent any future account recovery from ever happening (because they are responsible enough to keep track of their credentials), let them. On activating this protection, another SuperCell ID token is generated and sent to the registered email address; the user receives that code and re-types it in game as authentication, and this would make the account locked down and not qualified for any future account recovery/transfer.

    • Alternate recovery email - let players connect an alternate recovery email to their SuperCell ID accounts. Every security conscious service/system on the internet today implements this. Why don't you?

    [RANT] Just No Luck

    Man, I've been playing this game since forever and I don't think I've ever been this frustrated. Am I frustrated over upgrade times, strategies, game updates, or base building... No. I'm frustrated with the community side of things.

    I was in a clan for years that consisted of people I worked with, people I knew in real life, and virtual friends. For years, it was an awesome experience. Then, of course, things happened like they always do in clans: internal fighting, strong personalities, and personal beef ruined the dynamic. But I stuck with what was left of the clan because I knew them and it made the game more enjoyable, but when it got to the point that I was waiting three days or more for donations due to clan inactivity, I bailed. I stayed away from the game for almost a year.

    Now I'm back with my fresh TH11, rusty as an old nail, and trying to start over. I thought finding a clan would be easy, boy was I wrong. There are so many struggling clans with a really bad active to inactive ratio, clans that weren't friendly, clans that don't care about being imbalanced, and beyond. I joined many I was invited to, but it just didn't pan out. But then it happened, I found one. It even consists of people from my own state. I joined and was excited, was up front that I've been away for a year, used to be a good player, but am now pretty rusty. I told them I'm looking to max out my town hall at 11, and play as that maxed for some time.

    Here's the thing, there's a lot of perks to this clan, great donations, they war frequently, their clan level is high, but they don't speak to me. The chat is very active, but any time I message it goes unanswered. I've tried to be polite, tried to start conversations, tried to comment on stuff people say, and nothing. And they're having conversations all of the time. The most I've gotten is a, "ty," when donating to someone. Is this a thing now? Do new people get the cold shoulder? I'm not used to this.

    I play Orna as well, only other phone game I play, and my clan is super welcoming, nice, talkative, but nobody plays clash. They would never ignore a new addition to the guild. I kind of want to leave this clan, but am on the fence because the perks are good. It's just not fun to me without a little joking, banter, and conversation. I'm not trying to sound like a whiny baby about this, but it's just frustrating. I just want a clan that I can have fun in, sharpen my knives, lose the rust, and call home. I don't want to stop playing again, but games are supposed to be fun, ya know?

    Note: I laughed really hard proofreading what I had originally written because I use swipe texting and all of my "clans" were written as "clams."

    I'm a new TH11 (2 weeks TH11) and want to know if I will finish TH11 before August. I always get the gold pass and play a lot.

    I don't mean max, because I don't see a reason to upgrade the stuff I don't use, such as valks, skeleton spells, or clone spells. I use sneaky goblins/miners for farming, and hybrid for wars.

