Forums

Jagex Accounts

Quick find code: 317-318-300-66279278

Lelouch Vi B (Member since Jan 2017; 2,111 posts)
Applejuiceaj said:

RuneScape Account 2FA could be disabled just with access to the email account. If you had access to the email account, you could disable 2FA and log in, without having the current authenticator.

That isn't possible with Jagex Accounts, you need to be able to pass verification to log in and change the authenticator. That in itself makes Jagex Account 2FA more secure, especially if email verification is not re-enabled after setting up a mobile authenticator. Jagex has also said that it is possible that additional 2FA options (such as hardware based keys like YubiKeys) may also be added in the future.


The problem with this conclusion is that hijackers are already getting authenticator codes. Also I was always under the assumption that disabling the authenticator required a 7 day wait, and logging in successfully with the authenticator canceled the process entirely. If not, then that's a major flaw in the system that I am amazed has been allowed to persist.

These hijackers have been doing so through convincing phishing clones of the RS page. The only way most victims were able to tell the difference was that they found it odd that the RS home page was asking for their authenticator. Now, that's gone, as the homepage does require it. Jagex Account's mandatory 2FA on homepage login actually manages to make phishing scams MORE convincing. I personally have always been of the opinion that "if you get phished, it's your own fault." But there are also data leaks/breaches we have to consider. No security is impenetrable. But giving players more options can't hurt. I genuinely hope we see voluntary, higher-security options in the future. Some of my accounts have existed for nearly two decades and I never hesitate to enable the highest level of security on them; heck, I still fondly remember JAG (Jagex Account Guardian) when it was introduced. I will take a minor inconvenience for increased security.
Now with added
[SARCASM]
Warnings for those less astute!

Archaeology Elite Skill Suggestion

30-Apr-2023 02:26:14 - Last edited on 30-Apr-2023 02:30:20 by Lelouch Vi B

Applejuiceaj, Forum Moderator (Member since Nov 2011; 44,957 posts)
Lelouch Vi B said:
The problem with this conclusion is that hijackers are already getting authenticator codes. Also I was always under the assumption that disabling the authenticator required a 7 day wait, and logging in successfully with the authenticator canceled the process entirely. If not, then that's a major flaw in the system that I am amazed has been allowed to persist.


Jagex addressed why there is not an 'authenticator delay' back in 2019 when they discussed the concept of backup codes, which is what they added to Jagex Accounts.



For what it's worth, implementers of TOTP authenticator codes (think Google, Discord, and similar) also follow the same model: there is no delay to making changes to the authenticator, however you must be able to successfully authenticate.

The flow you are thinking of applies to bank pins, which are the last line of defense against theft of items.

Lelouch Vi B said:
These hijackers have been doing so through convincing phishing clones of the RS page. The only way most victims were able to tell the difference was that they found it odd that the RS home page was asking for their authenticator. Now, that's gone, as the homepage does require it. Jagex Account's mandatory 2FA on homepage login actually manages to make phishing scams MORE convincing. I personally have always been of the opinion that "if you get phished, it's your own fault."


Yes, I'm aware of how phishing scams work. At the same time, in falling for one, you are giving someone all of your information - there is only so much that can be protected against if a player hands a hijacker their information.

To best protect against phishing, players need to be aware of the scams and remember if something sounds too good to be true, it likely is.

30-Apr-2023 02:59:13
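The model described in the post above (no waiting period on an authenticator change, but the change itself is gated on passing the existing second factor, with one-time backup codes as the fallback) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not Jagex's code, nor the code of any of the providers mentioned. The `Account` class, its `rotate_authenticator` flow, the 8 x 40-bit backup-code scheme and the SHA-256 storage of those codes are all assumptions made for the example; the TOTP/HOTP arithmetic follows RFC 4226 and RFC 6238, and the test vectors come from RFC 6238 (secret `12345678901234567890`, SHA-1, 6 digits).

```python
import hashlib
import hmac
import secrets
import struct
from typing import List, Optional, Set, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    word = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(word % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def _hash_backup(code: str) -> str:
    # Assumption: backup codes are server-generated 40-bit random values, so a plain
    # SHA-256 is adequate at rest. A slow KDF would be needed for user-chosen secrets.
    return hashlib.sha256(code.encode()).hexdigest()


class Account:
    """Hypothetical server-side record of one account's second factor (not any vendor's schema)."""

    def __init__(self) -> None:
        self.totp_secret: Optional[bytes] = None
        self.backup_hashes: Set[str] = set()
        self.last_step_used = -1  # highest time step already accepted; blocks replay of a code

    def enroll_totp(self, secret: Optional[bytes] = None) -> Tuple[bytes, List[str]]:
        """Install a fresh authenticator secret and a fresh set of one-time backup codes."""
        self.totp_secret = secret or secrets.token_bytes(20)
        codes = [secrets.token_hex(5) for _ in range(8)]
        self.backup_hashes = {_hash_backup(c) for c in codes}
        self.last_step_used = -1
        return self.totp_secret, codes

    def verify_second_factor(self, code: str, unix_time: int, step: int = 30) -> bool:
        """Accept a current TOTP code (one step of clock skew either way) or an unused backup code."""
        if self.totp_secret is None:
            return False
        current = unix_time // step
        for counter in (current - 1, current, current + 1):
            if counter <= self.last_step_used:
                continue  # this step was already spent: a replayed code is refused
            if hmac.compare_digest(hotp(self.totp_secret, counter), code):
                self.last_step_used = counter
                return True
        digest = _hash_backup(code)
        if digest in self.backup_hashes:
            self.backup_hashes.discard(digest)  # each backup code works exactly once
            return True
        return False

    def rotate_authenticator(self, proof_code: str, unix_time: int) -> Optional[Tuple[bytes, List[str]]]:
        """The 'change authenticator' flow: no waiting period, but the caller must first pass
        the existing second factor. A password (or mailbox) alone returns None."""
        if not self.verify_second_factor(proof_code, unix_time):
            return None
        return self.enroll_totp()


if __name__ == "__main__":
    # Constructed walkthrough using the RFC 6238 test secret.
    acct = Account()
    acct.enroll_totp(b"12345678901234567890")
    print("rotate without a code:", acct.rotate_authenticator("", 1234567890))
    print("rotate with the current code:", acct.rotate_authenticator(totp(b"12345678901234567890", 1234567890), 1234567890) is not None)
```

Two things the code makes visible that the thread argues about. First, the gate is "prove you hold the current factor", not "wait seven days": an attacker who has only the password cannot call `rotate_authenticator` successfully, which is the property the post describes. Second, the check cannot tell a phished code from a typed one; a code relayed by a clone site inside its 30-second window is, to this server, a valid code, so `last_step_used` stops replay but does not stop the real-time phishing the earlier post complains about. Phishing resistance has to come from a factor bound to the origin (the hardware keys mentioned elsewhere in the thread), not from tightening this check.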

Lelouch Vi B (Member since Jan 2017; 2,111 posts)
Applejuiceaj said:

Jagex addressed why there is not an 'authenticator delay' back in 2019 when they discussed the concept of backup codes, which is what they added to Jagex Accounts.



For what it's worth, implementers of TOTP authenticator codes (think Google, Discord, and similar) also follow the same model: there is no delay to making changes to the authenticator, however you must be able to successfully authenticate.

The flow you are thinking of applies to bank pins, which are the last line of defense against theft of items.


That's so odd to me. This seems like an inherent flaw in the system. I see the points they make, but the idea of "it might not work all the time, so we won't bother" is odd to me. At that rate, passwords might as well not exist because they won't always work. Many of the points also assume a complicated and inconvenient process to end a false Authenticator Removal, when in reality, it should end after a single successful authentication.

Applejuiceaj said:

To best protect against phishing, players need to be aware of the scams


Agreed. I'm just the kind of person who is always paranoid something will go wrong. My biggest fear in Uni was that I'd somehow manage to write a paper that just happened, by some astronomical odds, to match an existing work and get flagged as plagiarism and that no one would believe something so unlikely happened and I'd get expelled.

30-Apr-2023 03:28:04 - Last edited on 30-Apr-2023 03:34:55 by Lelouch Vi B

Zeffirino (Member since Jan 2023; 394 posts)
Briefly off-topic, but your sentiment over fear of being flagged for plagiarism by chance is something I can relate to, so I can empathise with your feelings to some degree.

Security is by no means perfect, and the truth is that convenience and security are a balance that Jagex would be happy to admit they willingly went for.

Again I understand your concern, one only needs to look at those videos comparing phishing sites to their real counterparts to realise how easy it is to fall for a phishing scam - but again there is some onus on the user to be aware that these exist.

In theory the hardware-based examples like a motherboard serial can also be spoofed by someone willing enough and possessing the resources to pull it off; it's just a bit extreme for this use case. (Probably reasonable if it's a government security agency you're trying to run away from, but not OSRS.)

30-Apr-2023 12:11:05
