
PS Blog - Account Security

Quick find code: 294-295-395-66107508

GliceEsther
Feb Member 2023
Posts: 970 Gold
Nice to see you posted a reaction topic!

What's the security verdict on bank pins? They don't require additional devices or logins to (email) accounts. Will they be used? In any case I hope that it stays. If multiple layers fail then the majority of my stuff will still be accessible to me/the damage will be low.
My ideas dump thread

26-Jun-2019 14:31:36

Quantum Evil
Oct Member 2013
Posts: 4,689 Adamant
Let's get something out of the way right now: smartphones should NEVER be used as a second factor in authentication. Smartphones are general-use devices and as such have multiple vectors to be breached. In fact one attack vector for phones is called SIM jacking. SIM jacking is when an attacker basically convinces your phone company that they are you and they change out your SIM card for one that they own and control. The more 2FA relies on phones, the more phones will be targeted for attack.

Also, many of the same attack vectors exist on phones that exist on PC/MAC. If your users had insecure habits on their computers they will likely be wanting in the area of security on their phones.

A dedicated device for 2FA is advisable. It could be a FOB or USB drive with the necessary identification that must be inserted into the system playing RS, and in situations where the device cannot use a physical key another method could be used.

I advise very much so against relying on phones for security. It will come back to haunt you later.

26-Jun-2019 17:17:21

Orcrist9
Oct Member 2015
Posts: 7,183 Rune
One of the most secure things you likely own is a smart phone. Some have biometrics built in, most have additional password security and importantly people are generally very protective of them.

Okay, no, Jagex. Very bad line of thinking here. You should not be making any sort of assumptions like this when it comes to account security -- this kind of reasoning is what leads to security compromises in the first place. Smartphones are just as vulnerable as computers, if not more so.

You definitely shouldn't be building account security under the impression that everyone has a high-end smartphone or even one at all. You really need to consider all viable alternatives and make no assumptions, but rather prepare for a number of scenarios.

You also need to consider why the other 50% of your active players do not have 2FA enabled, and I can guarantee you that the reliance on smartphones factors into it for many players. Additionally, your desktop Authenticator process, and usage of Authy, is very off-putting. So you definitely need to look into alternatives for players that are not grueling tasks. Not to mention, I think a number of players can get frustrated with how quickly authenticator codes disappear. I'm not sure if that's what you mean by authenticator delay, but it's certainly something to consider.
Here, I'll give you this strawberry if you keep it a secret!

27-Jun-2019 02:13:28

Tagakhlo
Sep Member 2014
Posts: 1,119 Mithril
I like authenticator checks on the website, as long as cookies mean one doesn't need to do it every time from one's own trusted computer.

A small change, even though it might not increase security very much, would be to require a security check question when turning off the Authenticator or changing one's E-mail address.

Two-factor authentication on one's E-mail account might risk losing access to one's E-mail account, so ideally if some substitute for that could be found that still increased security, that would be good.

27-Jun-2019 04:02:41

Petal 7
Sep Member 2018
Posts: 411 Silver
Hi,

Good that you are doing all you can to improve safety features.

I would like to suggest adding something for people that are using computers/laptops from different locations (example: moving house, business trips, holidays ...).

It would be nice to have the option to notify you in-game beforehand, so that the system does not automatically presume that you have been hacked each time you log in from a different location. By all means add an additional layer of security, but allow preparation beforehand (i.e. issue a one-off code you could use to authenticate at the new location, which you could request beforehand).

27-Jun-2019 05:22:09 - Last edited on 27-Jun-2019 16:49:21 by Petal 7

Tea Vampire
Apr Member 2019
Posts: 158 Iron
I understand the idea behind emailing, my concern is that it may create more of an issue than it solves. My account is well over a decade old and the number of emails I get in a week telling me my RuneScape account has been banned/info changed etc. is crazy. I don't click on anything in these emails, even if I was 100% positive it was from Jagex I still would not.

Rather than sending a link in an email can we have a code sent, with no option to click a link in an email. It's about the only way I can think that it would work and you'd be able to tell the difference.

Maybe this is already the plan, maybe not.

28-Jun-2019 08:35:00

Dreamweaver
Aug Member 2003
Posts: 3,790 Adamant
Security works in layers: "defense-in-depth" is the industry buzz phrase.

I agree that cell phones can be hacked, but current statistics suggest email account takeover is much more likely than cell phone compromise to the point that an attacker can control a two-factor authentication (2FA) app. That tells us that a 2FA app is more secure than 2FA via a PIN in an email address. Quantum Evil is correct that a hardware fob or USB key is even better, but that adds cost and potential inconvenience that many players may not be able to deal with. Quantum Evil also hits the nail on the head with the comment, "...and in situations where the device can not use a physical key another method could be used." Unfortunately we're back to either 2FA via phone app or email/text again.

Here's the challenge: no matter what Jagex uses on the back end with fraud detection, risk scoring and behavioral analytics, there must be an authentication system that allows end users to protect themselves in ways that are effective, but also easy to set up, convenient to use, cost-effective, and not impossible to recover from; all while stopping malicious actors from taking over the account.

Currently the best approach is defense-in-depth: a strong password plus 2FA on a separate device. The two factors are something the user knows (the password) plus something the user has (the device where the code shows up). Apps are significantly better than text messages or email, but may lag behind hardware tokens to an extent. That doesn't make phones a bad idea though!

Personally I use 2FA on my email accounts too. I think people are crazy not to these days. A reputable password manager goes a VERY long way (no repeated passwords, all long and random), and printed offline one-use codes for recovery give me peace of mind if my phone is ever lost or stolen.

Do that, keep your systems up-to-date, and unless you're a seriously high-value target you'll probably be just fine!

Stay safe!

Dreamweaver

29-Jun-2019 05:36:28

Kels
Feb Member 2023
Posts: 1,278 Mithril
Good to see that changes are on the way. Profiled to read more in depth later.

Ok so, why are case-sensitive passwords not a thing?! This is basic knowledge of having "case-sens." passwords and has been around for years! It needs to be implemented immediately, along with perhaps symbols. I'm happily hoping this is in the process - as you've said - to having "Better Passwords"

Although I don't use one, I've heard password managers are good, so that's cool you're looking into that. Having something to check if the password you make/use has been breached is also great. I would personally benefit from that update to check passwords, however we need to strengthen our first line of defence with having a complex password.

Only 50% of players use 2FAuthentication??!! Jagex, something is seriously wrong here. 2FA has been around for a while yet half of us have it active?! This would be the next thing to look into being the 2nd line of defence, along with 2FA and a different password to your email account. How high of a number of players are going to have 2FA on their email, if they don't even have it on their RuneScape acc?

Anyway, I can't stress enough how important it is, so I'm glad things are changing. (Oh and thanks for posting on the forums too)
Kels :) | Comprehensive Account Security guide, and means for kicking that hijacker. ^_^

01-Jul-2019 09:58:25 - Last edited on 02-Jul-2019 09:35:33 by Kels

Rabpyre
Oct Member 2007
Posts: 2,401 Mithril
Using phones as a component in two-factor authentication is a bit of a fallacy. They are too complex not to have serious security issues, in fact many are well known. Furthermore, this type of security does not protect against man-in-the-middle attacks. Also, many players would be excluded. I, for example, do not use a mobile phone for privacy reasons (although we keep one in each of our cars only to be switched on if the driver is required to make an emergency call).

I would prefer using, e.g., a standard RSA SecurID token. It is cheap, small and reasonably secure although not necessarily offering protection against mitm attacks. Some new models can even be plugged into devices and contain security certificates. I assume account hijacks mainly occur in two ways: through social engineering/phishing and malware attacks. In both cases the attacker ends up with user ID and password, in the second also the opportunity to insert a mitm attack vector. The type of two-factor authentication considered does not mitigate against this attack type but only provides a false sense of security. A fast turnaround temporary password system like SecurID is better because the full-knowledge attack time window is (normally) significantly reduced compared to a server-generated and transmitted SMS message. This window can be reduced further by the user transmitting a current p/w just before it times out and changes (there is a count-down indicator on the SecurID token).

In whichever way the system is configured it needs to be a lot better than the current (e.g. at the moment I receive no messages at all from Jagex to any of the mailboxes associated with my accounts, so I assume that due to some error in internal fraud detection logic the whole domain hosting my email address has been cut off).

As a modern internet company actually charging money for services Jagex also needs to move with the times and install humans to provide proper customer service. (No RSA association).

01-Jul-2019 15:14:20
