Security Liability Mobile App

Quick find code: 429-430-836-66175010

ThomHolliday
2 days ago I discovered the OSRS mobile app, and promptly made an account. A day later I was loving it, and decided to buy a membership + 5 bonds. The NEXT day, my account was hijacked by someone I assume in Germany (the lang was changed to German). I had sold all 5 bonds on the GE, and bought myself weapons and armor good to level 70, plus other grind resources. I joined a clan, and was trying to get up to speed and endgame content ASAP. This plan was now ruined. Is there anything I can do? This is absolutely a trash experience for a returning player (OSRS vet, and RS3 vet). Needless to say, I am crushed.

No 3rd party programs were used. Only the app. I just dropped ~$50 and lost all but 10.

14-Aug-2020 00:35:19

Malua
Hi there ThomHolliday,

What state did you find your Authenticator in after the hijack?
Was it disabled or was it still active?
Knowing the answer to this gives a good clue as to how the hijacker found out your login information.

If your Authenticator has been disabled and your password changed, it means your email is insecure and the hijacker has used access to your email to gain access to your RS account.

If your Authenticator is still active and your password unchanged, it means you have been deceived into clicking on a dodgy link and have ended up giving permission to the hijacker to directly access your device and account.

Jagex recommend a three layer approach to security:
* your email protected by 2-step verification
* your RS account protected by Authenticator
* a Bank PIN inside your account protecting your items and gp
It is a shame the hijack happened so soon and your Bank PIN was not active but, did you have the other two layers?

Review the security of your mobile: Securing your device
Review the security of your account: Securing your account
Read up about dodgy links and fake websites: Fake websites
Forum Community Helper -
Information about Moderators and Community Helpers

14-Aug-2020 02:34:17

ThomHolliday
> What state did you find your Authenticator in after the hijack?

As this was within <48 hrs of acct creation I hadn't set up multi-factor authentication. I set up a bank pin but that takes 7 days to become active.
Wasn't set, as this was <48 hrs after account creation.

> If your Authenticator is still active and your password unchanged, it means you have been deceived into clicking on a dodgy link and have ended up giving permission to the hijacker to directly access your device and account.

I had not used ANY website including the official OSRS or the RuneLite that I have since heard about.
At the time this happened I had ONLY used the OSRS mobile app. And my Gmail/Google Play has 2 factor authentication so the security infraction wasn't from that end.

> Jagex recommend a three layer approach to security:
> * your email protected by 2-step verification

DONE for years now

> * Account protected by Authenticator

Done now, but it was hours late...

> It is a shame the hijack happened so soon and your Bank PIN was not active but, did you have the other two layers?

I had the email 2 factor, but had not gotten to the account one yet. I wasn't really aware of it until AFTER the hack and I read the account security FAQ.

> Review the security of your mobile: Securing your device

Done with 3 authentication methods, 2-step+email approval.

> Review the security of your account: Securing your account

I did this AFTER the hack. As this happened within <48hrs of account creation I was unaware.

> Read up about dodgy links and fake websites: Fake websites

As of the time of the hack I had only used the mobile app. Since then I've used the OSRS official site and RuneLite (currently avoiding).

-edited for formatting

14-Aug-2020 04:26:19 - Last edited on 14-Aug-2020 04:36:42 by ThomHolliday

ThomHolliday
I feel justified saying that I had done everything and more than should be expected of an account of less than 48hrs. Expecting a new player to set up 2-factor within 48 hours is rather much, especially since there isn't an in-game way to set up the 2-step authentication. Add to this the fact that it takes 7, SEVEN, days for a bank pin to become active, these are glaring security issues for new accounts.

I can provide screenshots and emails proving the security of my Google/Google Play account. This coupled with my having ONLY used the OSRS mobile app means the security infraction is on the Jagex end.

This is not how new players should be welcomed to the game. Especially PAYING new members.

I don't think it's unreasonable to expect reimbursement of some kind.

Jagex has created a great game, hopefully their customer service matches the quality of their game.

- Edited for formatting again. I'll get a hang of the forum syntax eventually..

14-Aug-2020 04:34:35 - Last edited on 14-Aug-2020 04:41:34 by ThomHolliday

Malua
One other question to ask is, did you view any unofficial RuneScape content on a social media website e.g. Twitch, YouTube, Facebook?
This is where all the dodgy links get posted.

If you want to read about and apply for a refund, go to the Refunds support page.
If the purchases you made were through Google Play, you would need to apply to them.

14-Aug-2020 08:53:44

ThomHolliday
As I said, this is CLEARLY a security infringement on the Jagex end of things. I'm in an email conversation with Mod Krax, who has admitted that there was an early 3rd party intrusion within the first 48 hrs of my account creation. In short I was told they were sorry this happened, and although there is a 7 day waiting period and no in-game option to set up 2-step verification they refuse to take responsibility for security risk in their products. Apparently, I'm supposed to just deal with it.

Again, I contacted Jagex support and their official response is "just deal with it." Jagex is happy to take my money, but not happy to take responsibility for their application security.

I've had items go missing in other games, such as WoW or Warframe. In each case the items were either quickly restored or I was provided the items' equivalent worth in in-game currency. Never before in my long history of online gaming have I been so disgusted with customer support. I wasn't offered any form of reimbursement, no discount on future bond purchase, no replacement bonds, nothing. This is unacceptable. This is customer un-support.

14-Aug-2020 20:16:01

Malua
As you have been in contact with Jagex and received a reply, your next step is to read the Terms & Conditions, in particular Clause 20. T&C are linked at the bottom of this page.

You allege that the security leak has come from the Jagex end.
I just want to say that JMods can create and load their own JMod accounts with as much as they want. They can create a max level account with every possible weapon and multiple max cash stacks. There is no need to dip into a player's account, particularly one that is a new account with very limited wealth.
Jagex take allegations of JMod corruption very, VERY seriously and will most certainly investigate if you submit a complaint.

edit: If it wasn't a JMod, maybe there was a technical glitch or outside hack that allowed your information to be leaked.
I know this wasn't the case as the forums (and reddit and Twitter) would be overwhelmed with similar reports from others.

15-Aug-2020 01:50:57 - Last edited on 15-Aug-2020 01:56:57 by Malua

ThomHolliday
I don't believe this was JMOD. I'm just saying, as a customer why am I punished for security liabilities in Jagex software? Furthermore these are KNOWN liabilities. It's a 0 accountability max profit business model. No risk all reward. I had hoped for better. My only option at this point seems to be give Jagex more money... Weird how that is the solution to my problem.

15-Aug-2020 02:23:40
