
Are we really secure?

Quick find code: 74-75-263-66282501

Sinowarrior (member since Jun 2023; posts: 10,196, Opal)
As someone who has been on the receiving end of multiple scams, lures, and account hijackings over the years, I have first hand experience of how deeply frustrating and distressing it can be to find oneself in such a situation, and how it completely ruins the game for the victim involved.

It is definitely encouraging to see the ever increasing amount of updates Jagex have rolled out over the years that address account security and keeping players safe, the most recent being the Jagex account upgrade.

However, just as I'm sure the Jagex team are continually improving the set of tools and systems available to protect players, the nefarious actors in the space are also improving upon ways around such systems, and historically speaking (I say this with no intent to criticize) Jagex have not been (in my opinion) ahead of the curve.

As someone who is passionate about keeping my account safe, after falling victim so many times, I have some thoughts/concerns and ideas, which I hope members of the community and team will take the time to read and discuss.

1. Account security

From my conversations about Jagex accounts, it seems there is a single point of failure, which is relying on the player keeping their email accounts secure. However my understanding is that with most account hijackings, it is likely the player's device was compromised or some sort of phishing occurred which likely means the player's email account is also compromised. Does this not mean that players are actually more likely to irrevocably lose their account with no recourse?

Suggestion: Allow players the option to add KYC or a hardware authenticator to their account which CANNOT be removed and which can be used to recover their account in the event they lose control or are unable to access their account.

25-Jun-2023 11:03:17

Sinowarrior (member since Jun 2023; posts: 10,196, Opal)
2. Keepsake/Keepsafe?

I love the fact Jagex released the Keepsake box feature, it allowed players to wear their valuable items as cosmetics whilst reducing the risk of losing those items accidentally, be it from scams/lures.

However, the issue again is if someone manages to gain unauthorised access, they can quickly do away with any keepsaked items (not only this, but the keys used are lost in the process).

Suggestion: I have two suggestions here, the first is give players the option to PERMANENTLY add an item to the keepsake box.

The second is the option for a longer time period before allowing a withdrawal (e.g. a one year time period).

25-Jun-2023 11:03:28 - Last edited on 25-Jun-2023 11:10:02 by Sinowarrior

Dilbert2001 (member since Jun 2006; posts: 30,176, Sapphire)
We are more secure than ever in RS3 with recent and impending updates of Jagex Account coming very soon.

Jagex Accounts use the modern security technology, which will stop a lot of bad actors according to the Jagex Engine Team.

Specifically on the RS3 side, we have seen over max cash handling without physical items like plats and spirit shards. This will eliminate all kinds of personal mistakes, scams and duplication exploits. We also see opt-in Wildy in RS3. Nobody can lure and scam our hard earned RS3 wealth.

If somebody gains access to your account, they will still need our bank pin to access everything not in our inventory.

03-Jul-2023 17:46:59

Applejuiceaj, Forum Moderator (member since Nov 2011; posts: 44,944, Sapphire)
Sinowarrior said:
1. Account security

From my conversations about Jagex accounts, it seems there is a single point of failure, which is relying on the player keeping their email accounts secure. However my understanding is that with most account hijackings, it is likely the player's device was compromised or some sort of phishing occurred which likely means the player's email account is also compromised. Does this not mean that players are actually more likely to irrevocably lose their account with no recourse?

Yes and no - In the default configuration of Jagex Accounts, yes - because recovery and verification is all done through email. Jagex wanted all logins to have 2FA enabled with Jagex Accounts, hence why verification codes are emailed by default.

However, the option for adding a time-based authenticator is present in the Jagex Account settings and is more secure. By enabling that, email is no longer a single point of failure (unless you opt to also leave email verification codes active). While someone could get hold of your email and reset your password, the authenticator app implementation cannot be bypassed like it could be on RuneScape accounts - a code from the authenticator app or a backup code will need to be entered to log into the account, preventing a hijacker from going any further regardless of them having access to the registered email account.

I'm pretty sure I remember reading somewhere that Jagex Accounts were designed so that additional verification methods could be added down the road. It's therefore possible we could see FIDO2 compliant hardware key support in the future.

03-Jul-2023 18:08:43

Jeremy C (member since Jun 2008; posts: 15,524, Opal)
Sinowarrior said:
Suggestion: I have two suggestions here, the first is give players the option to PERMANENTLY add an item to the keepsake box.

I'm always hesitant about giving players the power to "permanently" do anything. There will always be players who change their mind, then Jagex will have to deal with the inquiries requesting for them to circumvent the permanence of the feature.
Jeremy C

04-Jul-2023 00:45:50

BrunoNutto (member since Feb 2023; posts: 3,328, Adamant)
Applejuiceaj said:
Sinowarrior said:
1. Account security

From my conversations about Jagex accounts, it seems there is a single point of failure, which is relying on the player keeping their email accounts secure. However my understanding is that with most account hijackings, it is likely the player's device was compromised or some sort of phishing occurred which likely means the player's email account is also compromised. Does this not mean that players are actually more likely to irrevocably lose their account with no recourse?

Yes and no - In the default configuration of Jagex Accounts, yes - because recovery and verification is all done through email. Jagex wanted all logins to have 2FA enabled with Jagex Accounts, hence why verification codes are emailed by default.

However, the option for adding a time-based authenticator is present in the Jagex Account settings and is more secure. By enabling that, email is no longer a single point of failure (unless you opt to also leave email verification codes active). While someone could get hold of your email and reset your password, the authenticator app implementation cannot be bypassed like it could be on RuneScape accounts - a code from the authenticator app or a backup code will need to be entered to log into the account, preventing a hijacker from going any further regardless of them having access to the registered email account.

I'm pretty sure I remember reading somewhere that Jagex Accounts were designed so that additional verification methods could be added down the road. It's therefore possible we could see FIDO2 compliant hardware key support in the future.

If this thread is true 285-286-845-66282946 then the authenticator was also disabled by the hacker of the guy's email.

04-Jul-2023 11:19:10

Applejuiceaj, Forum Moderator (member since Nov 2011; posts: 44,944, Sapphire)
BrunoNutto said:
If this thread is true 285-286-845-66282946 then the authenticator was also disabled by the hacker of the guy's email.

Authenticator on a RuneScape account can be disabled by email. Authenticator on a Jagex Account cannot. That's one of the flaws that was fixed with the new system.

From the way I read that thread, it sounds like the author didn't migrate to a Jagex Account until after the hijacking took place (they said they returned to the game to find their account cleaned). They would have otherwise also received login notifications as those too have been added with the new system.

04-Jul-2023 13:49:02
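An added illustration of the point Applejuiceaj makes in both replies above (that a time-based authenticator removes email as the single point of failure, and that the difference between the old and new systems is whether an email-driven reset can also remove the authenticator). This is example code written for this page, not code from the thread, from Jagex, or from any real account system. The `Account` class, its two policies (`legacy` versus `jagex_account`), the sample password, the backup code and the secret (the RFC 6238 test-vector key) are all constructed for the example; the TOTP arithmetic itself follows RFC 6238/RFC 4226 with the usual 30-second step and 6 digits.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Standard authenticator-app parameters: RFC 6238 TOTP, 30-second step, 6 digits, HMAC-SHA1.
STEP = 30
DIGITS = 6


def totp(secret: bytes, for_time: int) -> str:
    """RFC 6238 TOTP: RFC 4226 HOTP computed over the current time step."""
    counter = for_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, now + drift * STEP), code)
        for drift in range(-window, window + 1)
    )


def _hash(value: str) -> bytes:
    # Plain SHA-256 keeps the example short; a real service would use a slow
    # password KDF such as scrypt or Argon2 for the password itself.
    return hashlib.sha256(value.encode()).digest()


class Account:
    """Hypothetical account model (not Jagex's): password plus optional TOTP and backup codes."""

    def __init__(self, password: str, totp_secret: Optional[bytes] = None,
                 backup_codes=(), email_can_disable_authenticator: bool = False):
        self.password_hash = _hash(password)
        self.totp_secret = totp_secret
        self.backup_hashes = {_hash(c) for c in backup_codes}
        # The policy difference the thread describes: on the legacy account an
        # email-driven reset could also remove the authenticator; on the new one it cannot.
        self.email_can_disable_authenticator = email_can_disable_authenticator

    def reset_password_via_email(self, new_password: str) -> None:
        """Everything someone holding only the registered mailbox is able to change."""
        self.password_hash = _hash(new_password)
        if self.email_can_disable_authenticator:
            self.totp_secret = None
            self.backup_hashes.clear()

    def login(self, password: str, second_factor: Optional[str] = None,
              now: Optional[int] = None) -> str:
        if not hmac.compare_digest(self.password_hash, _hash(password)):
            return "denied: bad password"
        if self.totp_secret is None:
            return "ok"  # no second factor enrolled, password alone suffices
        if second_factor is None:
            return "denied: second factor required"
        now = int(time.time()) if now is None else now
        if verify_totp(self.totp_secret, second_factor, now):
            return "ok"
        h = _hash(second_factor)
        if h in self.backup_hashes:
            self.backup_hashes.discard(h)  # each backup code is single-use
            return "ok"
        return "denied: bad second factor"


# Constructed sample data: the RFC 6238 test-vector key and a made-up backup code.
SECRET = b"12345678901234567890"
BACKUP_CODE = "K7Q2-9PLM"


def mailbox_only_outcomes(now: int = 1111111109) -> dict:
    """Login result for someone who holds only the email account, under each policy."""
    results = {}
    for policy, email_disables in (("legacy", True), ("jagex_account", False)):
        acct = Account("hunter2", SECRET, [BACKUP_CODE],
                       email_can_disable_authenticator=email_disables)
        acct.reset_password_via_email("reset-by-email")
        results[policy] = acct.login("reset-by-email", now=now)
    return results


def owner_outcomes(now: int = 1111111109) -> tuple:
    """With the authenticator intact, the owner still gets in with a TOTP code or a backup code (once)."""
    acct = Account("hunter2", SECRET, [BACKUP_CODE])
    acct.reset_password_via_email("reset-by-email")
    with_totp = acct.login("reset-by-email", totp(SECRET, now), now=now)
    backup_first = acct.login("reset-by-email", BACKUP_CODE, now=now)
    backup_again = acct.login("reset-by-email", BACKUP_CODE, now=now)
    return with_totp, backup_first, backup_again


if __name__ == "__main__":
    print(mailbox_only_outcomes())
    print(owner_outcomes())
```

Under the `legacy` policy the mailbox alone is enough to reach "ok", because the reset also stripped the authenticator; under the `jagex_account` policy the same reset changes the password but the login still stops at "second factor required", which is the property the thread is describing. The `verify_totp` window of one step either side is the usual allowance for clock drift between the phone and the server; the backup code is accepted once and then discarded.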
