Site/Account Security

Quick find code: 278-279-712-66225877

Reaha

For a game that so proudly says "we're unable to return items if you were hijacked." on their support page, why aren't there more optional security features implemented to prevent this?

If I want my authenticator to have a hard X day period before it can be disabled regardless of account access/e-mail access, and for there to be a big warning in-game message stating "A request has been placed to disable your authenticator", why isn't there an option?

If I want a bank PIN request before any wealth is transferred off my character in any way (trade, drop, entering dangerous PVP), why isn't there an option? (OSRS)
If I want to lock my poh, or its storages with a bank PIN, or an entirely separate PIN for the house, why isn't there an option? (OSRS?)

Sure, those who are sure that their account will never be compromised can turn them off, but why aren't there options for those who wish to take extra steps to absolutely secure their account?

Why aren't there options to patch the gaping hole that so many unfortunate victims have pointed out? If it's common knowledge that having access to one's e-mail completely neutralizes ANY form of account security (2fa, authenticator) you've activated on Runescape.com, why was there not a specific warning message about this when setting up your account security? If it's known that hackers often utilize the Account Recovery option to access accounts, why aren't there steps to make that process harder, or update that info?

Why are we STILL unable to change those recovery questions we've made since 2008 or whenever? If those questions can't be changed, why were there time-sensitive questions like "Who is your current teacher" in the recovery questions?

It's so easy to say "lol their fault", but why is it bad to have additional safety options for those that may not have been savvy enough to notice the holes in their security? Wouldn't it be better to see "someone's trying to get in, where am I vulnerable" rather than "HACKED"?

18-Aug-2021 01:03:47

Archaeox
Dec Member 2011

Reaha said :
why aren't there options for those who wish to take extra steps to absolutely secure their account?

Also, having to enter a PIN number for every single transaction is incredibly annoying, and would cause user backlash. And the whole need is negated by simply logging out when not actually playing.

Also, if one PIN number can be compromised, so can all the others. Your suggestion for multiple PIN numbers would basically make no difference to security at all.

Reaha said :
Why aren't there options to patch the gaping hole that so many unfortunate victims have pointed out?

Please explain how Jagex can monitor players' email arrangements without massive violations of privacy and security.

Further, it is not unreasonable, in this day and age, to expect people to take responsibility for their own protection online.

Reaha said :
If it's known that hackers often utilize the Account Recovery option to access accounts, why aren't there steps to make that process harder, or update those info?

Why are we STILL unable to change those recovery questions we've made since 2008 or whenever?

Because this would mean a hacker could change those questions as soon as they control the account.

So you are saying you want to make the Recovery option more secure, but then go on to suggest something that would make it far less secure.
~~~~ Just another victim of the ambient morality ~~~~

~~ Founder of the Caped Carousers quest cape clan ~~

!! Slava Ukraini - heroyam slava !!

19-Aug-2021 09:52:40 - Last edited on 19-Aug-2021 09:58:24 by Archaeox

Reaha

Archaeox said :

Also, having to enter a PIN number for every single transaction is incredibly annoying, and would cause user backlash. And the whole need is negated by simply logging out when not actually playing.
Also, If one PIN number can be compromised, so can all the others. Your suggestion for multiple PIN numbers would basically make no difference to security at all.


Optional means those who find it "incredibly annoying" can turn it off, but good try. PINs are also rarely the weak point, and are only really compromised with a shady third-party client, which is why they are often used in security suggestions.

Archaeox said :

Please explain how Jagex can monitor players' email arrangements without massive violations of privacy and security.

Further, it is not unreasonable, in this day and age, to expect people to take responsibility for their own protection online.

I didn't request Jagex to monitor emails, but if the entire security of your account hinges on e-mail access, mentioning that having a secure e-mail is imperative to keeping an account safe anywhere would be a good start. How difficult is an "Anyone with access to your e-mail can compromise your account!" message on login, or account creation?

Game has been around for 20 years. Sure, in this modern day and age, you may have expectations, but plenty of accounts were around prior to these days. I mean, I'd expect case sensitive passwords "in this day and age", too. It's also a pretty big assumption to expect everyone to be as savvy. The world is big and you add functions to assist the lowest common denominator, not assume everyone is at the top.

Archaeox said :

Because this would mean a hacker could change those questions as soon as they control the account.

Ah so you are aware that account security is awful, you're just against adding additional precautions.

20-Aug-2021 15:30:55

Mrs Ana

Reaha said :
Why are we STILL unable to change those recovery questions we've made since 2008 or whenever? If those questions can't be changed, why were there time-sensitive questions like "Who is your current teacher" in the recovery questions?
The reason why you are unable to change or update these security questions is because the specific procedure to do so has been retired and is no longer accessible to the player base; however, if certain players still have access to the questions and answers, they are more than welcome to utilize them when trying to recover an account as Jagex is still able to see and use them from their end to your advantage.

The Recovery Questions system was replaced in favor of the Jagex Account Guardian (JAG) on September 11th, 2012. Considering that this didn't work as initially intended, the JAG system was subsequently abandoned on June 23rd, 2014 and players were encouraged to enable the RuneScape Authenticator instead. The JAG feature was then fully discontinued on May 15th, 2017 per this news post: ACCOUNT SECURITY WEEK.

I think that some of the reasons why some of these ideas didn't work was because some of the questions couldn't be changed and as you said, some of the pre-set questions were not ideal.

More information on this may be found on the RuneScape Wiki articles below:

https://oldschool.runescape.wiki/w/Jagex_Account_Guardian


https://oldschool.runescape.wiki/w/RuneScape_Authenticator

20-Aug-2021 19:53:31

XSlay4DeathX
Mar Member 2007

^JAG was better until Jagex nerfed it.

I did the answer to the question plus some numbers, even if you knew me in real life, you can't hack me as those question answers would display 4 extra chars remaining if you knew them.

But honestly, recovery questions on all sites are flawed, "name of your first pet?".....without lying/adding chars it's a security risk.

The best account security system is "gaming/online id cards linked to your family members" when the world decides they really want to combat hackers, online criminals dead in their tracks.

----

User - Player99
pass, think he said it was afterburner....

correct, boom, your ip doesn't match your last sign in, please confirm via your phone.

i can guess his questions......"clicks account has been hijacked"

options for recovery; verify via phone/in person with the ASC (Account Security Center) <-- a new job created.

-------

Could design single layer security to requiring multi person id's, and safety for those online.

I am a firm believer what is designed currently is weak.

-----

My decoding of today's internet accounts;

Given all the MTX etc, all your purchases online in games, should be linked to you, even on a multi level guest account via an in real life card.

Privacy laws will also be safe still, but say your RuneScape was hacked and the ip address was from Japan but your normal sign ins are from USA. not a red flag to be prompted for verification?

How far are you willing to go to safeguard someone's account? -account signs in using hacked details, goes to trade items....blocked, wildy blocked, tele to wildy, blocked until further next step verification. I'll just drop his bank....."blocked"

Maybe it's possible, maybe it's not, I'm not a programmer.

30-Aug-2021 00:15:40
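
Two suggestions from this thread, sketched as an added example that is not part of any post and is not Jagex's code: Reaha's fixed waiting period with an in-game warning before the authenticator can be disabled, and XSlay4DeathX's idea of blocking trades and drops when the sign-in location does not match the last one until a further verification step passes. The 7-day delay, the action names and the class names are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical values for illustration; not Jagex's API or policy.
WEALTH_ACTIONS = {"trade", "drop", "enter_pvp"}
DISABLE_DELAY = timedelta(days=7)
WARNING = "A request has been placed to disable your authenticator"

@dataclass
class Account:
    last_country: str
    authenticator_on: bool = True
    disable_requested_at: Optional[datetime] = None
    notices: list = field(default_factory=list)

    def request_disable(self, now: datetime) -> None:
        # Starts the clock and queues the warning shown to whoever logs in next.
        self.disable_requested_at = now
        self.notices.append(WARNING)

    def cancel_disable(self) -> None:
        # The real owner sees the warning and aborts the pending request.
        self.disable_requested_at = None

    def finish_disable(self, now: datetime) -> bool:
        # Takes effect only after the full delay passed without a cancel,
        # no matter who holds the password or the e-mail inbox.
        pending = self.disable_requested_at
        if pending is None or now - pending < DISABLE_DELAY:
            return False
        self.authenticator_on = False
        self.disable_requested_at = None
        return True

@dataclass
class Session:
    account: Account
    country: str
    verified: bool = False  # set by a step-up check such as phone confirmation

    @property
    def flagged(self) -> bool:
        # Sign-in location differs from the last known one.
        return self.country != self.account.last_country

    def allow(self, action: str) -> bool:
        # A flagged session can still play, but cannot move wealth off the
        # character until the extra verification step has succeeded.
        if action in WEALTH_ACTIONS and self.flagged and not self.verified:
            return False
        return True
```
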
