Stay Safe: A Guide to Account Security

[tripsis]

Hey Tip.It'ers :)

 

Especially with the re-release of free trade, the Tip.It Staff has noticed a significant increase in scamming attempts. As such, we'd like to give you all a few reminders and tips to keep your account safe!

 

Scam E-Mails

 

• There have been a few scam e-mails being sent out lately. These e-mails will say that they are from Jagex and the content typically reads something like:
   

Dear RuneScape player,
 
This is an automated email from Jagex Ltd., makers of RuneScape and FunOrb, sent because your account has been compromised by a third party hijacker.
 
To verify your account, please click on this URL: <URL HERE>
 
Many thanks,
Jagex Ltd.

 
E-mails such as this are a scam. If you hoover over the URL (which appears to be an official RuneScape URL) and look at the status bar on your browser, you will notice that the URL actually leads elsewhere. If you enter your account details on a website other than www.runescape.com, your account username and password will be stolen. That brings us to our next point...

RuneScape URLs

 

• Double - or even triple - check URLs that appear to lead to somewhere on RuneScape.com. It is very easy for people to disguise URLs to make them appear to lead to RuneScape.com, but actually lead elsewhere. To check a URL, put your cursor over it (do not click!!), and then look at the bottom of your browser at the Status Bar. The Status Bar will tell you where the URL truly leads.
   
  However, in order to stay 100% safe, do not use URLs provided by other users at all. If someone wants to direct you to a RuneScape Official Forum thread, do not click their link. Instead, manually go to the RuneScape Official Forum and input the Quick Find Code for the thread that you are attempting to view. If someone wants to direct you to a RuneScape News Post, manually go to RuneScape.com and view the news post rather than clicking a user link. It is always safest to do your own navigating rather than relying on URLs provided by other users!
   
  When logging into RuneScape.com via FireFox, look for the following:
   
  

Other RuneScape Account Precautions

 

• There are several other ways to protect your RuneScape account and prevent yourself from getting scammed. Here are a few tips:
   
  
  • Account Security
    
  • Choose a complicated password. Do not select a dictionary word or any personal information (name, birth date, etc.). Choose a password that contains both letters and numbers (ideally random ones). The longer the better!
    
  • Never give your password to anyone. Doing so is a violation of the RuneScape rules anyway (account sharing) ;)
    
  • Make sure your recovery questions are set and that the answers could not be guessed by anyone - not even friends.
    
  • If you have an e-mail address registered to your account, ensure that your e-mail account is well protected. Choose a complicated password, tough recoveries and use an e-mail that is not shared with anybody. Do not use this e-mail for any other websites (including fan sites).
    
  • Always set a bank PIN and deposit all of your valuables into your bank each time before logging out.
    
  • Do not visit any suspicious websites and run virus/malware scans regularly. An important part of keeping your RuneScape account safe is ensuring that your computer is safe and free of keyloggers and other viruses.
     
    Protect Against Item Scamming/Luring
    
  • Now that we have free trade, unbalanced trades are permitted. Ensure that you are always paying the correct value for an item. Check the trade window to see the price guides Jagex has put up. Ensure that you are buying an item for a similar amount of gold pieces than the recommended trade value. If you are paying outside of that range, ensure that you have used multiple reliable sources to confirm that the price you are paying is fair.
    
  • Know when you are entering the wilderness! Historically, people would lure other players into the wilderness in order to kill them and take their items. There is a wilderness wall that separates the wilderness from the normal world. When you cross this wall, other players will be able to attack you!
    
  • Armour trimming does not exist. Other users cannot trim your armour for you.

When In Doubt, Ask

 

• If you are ever unsure about whether something is legitimate or not, always ask. Be sure to ask someone that you trust, or best of all, a Tip.It Staff member or Jagex Moderator. The Tip.It Staff is here to help all of you and we care very much about your safety and account security. If you ever have any questions or doubts, you may send any of us a private message.

Click here to view the Tip.It Staff List.

 

Spread the Word

 

• Help your friends and peers by spreading the word! You can add one of these images to your forum signature:
   
  

 

[url=http://forum.tip.it/topic/286405-stay-safe-a-guide-to-account-security/][img=http://tip.it/runescape/images/crew/safety-forum.jpg][/url]

 

 

[url=http://forum.tip.it/topic/286405-stay-safe-a-guide-to-account-security/][img=http://tip.it/runescape/images/crew/safety-forum.jpg][/url]

 

 

[url=http://forum.tip.it/topic/286405-stay-safe-a-guide-to-account-security/][img=http://tip.it/runescape/images/crew/safety-forum.jpg][/url]

To find out more information on account security you can read Jagex's RuneScape Wiki article.

 

Have fun and stay safe! :)

 

- Tip.It Staff

[foursideking]

A tip to all p2pers: turn accept aid off to prevent scammers 'accidentally' group tele'ing you to wildy....

[Sy_Accursed]

A tip to all p2pers: turn accept aid off to prevent scammers 'accidentally' group tele'ing you to wildy....

 

Last I checked you got a confrimation screen to accept or reject all group teles.

 

However it is a good ideam to have it turned off anyway as an older, but popular scam, that might return is spamming such teles on u at barrows etc. so that u die as u have to deal with the notification.

[TaylorSwift]

Passwords on Runescape aren't case sensitive. So don't bother mixing upper and lower case.

 

If you don't believe me, then try logging in with Caps Lock on ;)

[tripsis]

Passwords on Runescape aren't case sensitive. So don't bother mixing upper and lower case.

 

If you don't believe me, then try logging in with Caps Lock on ;)

Looks like you're right :lol: Thanks, I'll change that!

[Jaffy1]

A tip to all p2pers: turn accept aid off to prevent scammers 'accidentally' group tele'ing you to wildy....

I would not consider having it on as dangerous.

Always have mine on as I do group farm runs with friends a lot, and since you do get the confirmation screen before moving it really isn't like *POOF* now you're in the wilderness.

[Assume Nothing]

Golden rules of thumb:

 

EDIT - I thought this is particularly important, so I'd say it outside the hide tag.

 

Change your password NOW! This applies especially to anyone reading this has botted in the past, because malicious code was used in one of the more common bot sites, and they have only scammed 10% of their 'list' of players.

 

These 'hackers' are still going through a 'list' of 10 thousand players at random, thus it is important to change your password to keep your account secure.

 

Oh, and they tracked RuneScape bank pin's too, so if anyone reading this has botted before, change your bank pin, and delete any .ini files you have downloaded

 

[hide=Wall of text]If it sounds too good to be true, it probably is.

 

Never trade in the Wilderness.

 

Check your second screens; they are there for a reason. This goes especially true with staking, just a lack of 'No magic' could mean a loss of millions (or to a high risk staker, 100's of millions).

 

Be aware of bugs posted on forums.

 

If you're poisoned with low lifepoints, log the hell out, go on a different account and ask friends to help you out.

 

Don't fall for the free sharks 'scam'...

 

For staking: The more you play, the more you lose, and in the end, you lose it all. If you win 20m in a row then lose 2m, don't go on a high risk rampage to get it all back. This is one of the quickest ways to get cleaned.

 

Never click on anything in a 'JaGex' email. It doesn't matter if it's a free partyhat, or learning to merchant, or even a Pmod application. Real messages come through your RuneScape account, which you can view in the lobby. Even if a email is legitimate, go through the RuneScape homepage to be extra secure.

 

Hell; Even TipIt is untrustworthy. If you receive a private message that links you to anywhere, don't click it unless you know who you're talking to, and it doesn't look too good to be true. Even a 'RuneScape poll' can be malicious

[/hide]

[TaylorSwift]

The list of players only includes botting players though, so if you didn't bot, no need to change your password :)

And if you did bot, then you're going to get a big rollback or a ban, soooo.... gf :P

[Rainy_Day]

Just to say, a big thanks to people reporting the scam threads/warning others of the fake links. Some people are in too much of a rush to pay attention to the fake link, and as such, fall victim! We're updating our censors/banlists daily to keep up with the current influx.

[FallonDawn]

I've seen a few so called "players" outside RS who have posted links to RS Forum pages claiming that it was an important announcement. The green security bar that you see in the URL when you log into your account will be missing (the hackers conveniently recreate the complete page, plus the warning.) I've seen a few people who entered their account info, and got hacked as a consequence. I'm seriously starting to wonder if bringing back Free Trade was such a great idea. The number of botters have increased dramatically; before the change I might see one or two in a game session, but now its rare to see anything less than 6 to 8. Scam attempts have skyrocketed. Hacking attempts are also getting out of hand.

 

I know a lot of people wanted Free Trade back, but surely Jagex could have planned this better. There seems to be absolutely no checks in place to stop the onslaught.

[Rohanlord]

I just fell for the dumbest scam ever. Now my password is changed and I've applied for recovery. Thankfully there's a pin on my bank (what happens if it is continuously guessed wrong?) and it's not like they can reduce my skills...or CAN they :o

 

But seriously, always make sure your on the Runescape site when you type in your account details and not [site name removed]. I can't believe I actually though I was on the Runescape forums...

Edited February 17, 2011 by Gandorf61
Removed site name as all it does is advertises it ;)

[jrkerr]

I ran my own website and forum for a bit.

 

I know one of my primitive tools would give me a list of all IPs that visitied/used my site.

 

Tip it does not seem heavily vested in triumvirate, clan, or whatever pursuits... and I am given comfort to have seen that the first few editorials on wildy/free trade said they voted no, but...

 

what measures are there to dump IP logs from offsite clans trying nuke, hash, steal, or w/e the IP log for this site?

wouldn't they get a list of IPs to ping storm to knock a whole bunch of players off a world if tip it tried a nex event or clan wars challenge?

 

I have some faith in you guys, but please tell me you shred some of that conspicuous data after a month or so... or./.. y'know... don't tell me....

and then just like do what it is you do for security anyway without informing malicious stalkers.

 

cheers.

[Sy_Accursed]

I ran my own website and forum for a bit.

 

I know one of my primitive tools would give me a list of all IPs that visitied/used my site.

 

Tip it does not seem heavily vested in triumvirate, clan, or whatever pursuits... and I am given comfort to have seen that the first few editorials on wildy/free trade said they voted no, but...

 

what measures are there to dump IP logs from offsite clans trying nuke, hash, steal, or w/e the IP log for this site?

wouldn't they get a list of IPs to ping storm to knock a whole bunch of players off a world if tip it tried a nex event or clan wars challenge?

 

I have some faith in you guys, but please tell me you shred some of that conspicuous data after a month or so... or./.. y'know... don't tell me....

and then just like do what it is you do for security anyway without informing malicious stalkers.

 

cheers.

 

 

Tip.it is secure enough to not let people get that data so dumping it isn't an issue.

 

Besides if someone really wants to to ddos attack you they can easily do so without forum ip logs.

Images can easily log ips that have viewed them, especially stat signatures that are a form of script anyway.

Prime example being runetracks does it (though they don't let you see the full ip obv); from just leaving a rune track sig on my tip.it sig for a few hours to get the 10 unique ip hits required for runetrack to track you I got 231 unique ip hits.

[tripsis]

Just so you guys know, I have confirmed with Jagex that they never send e-mails about bans/mutes/offenses. They only send e-mails in relation to account recovery requests and the occasional RuneScape newsletter. If they ever decide to start sending e-mails in the future for bans/mutes/offenses, they will never include any links. So if you receive any e-mails in regards to bans/mutes/offenses, you can know right off the bat that it is a scam and should be deleted immediately. Jagex will always contact you via your message center.

[Speedyshel]

And just for what it's worth, it's minor but might make a difference to someone in the future.

Like the old scam of trimming armour, the idea of players doubling money is a scam. Players want you to give them some cash then accept the trade, then they'll return a second trade offer with the doubled amount. Don't fall for it!

Like I said, small but may be a big deal to someone.

[the_korny]

MEGA Props for posting this! Hope it helps people!

[dartagnan]

This is pretty interesting you post this, as I just "JUST" received an e-mail from someone claiming to be Jagex. I knew it was fake immediately because they sent it to my tip.it e-mail i registered here with. .. I run my own domain so i use random e-mail address on every site i visit .. easy way to track where the e-mail was stolen from if i ever start getting spammed.

 

So ... for those that have their e-mail address registered here and on your rune account .. triple check someone is obviously obtaining their new e-mail list from here.

 

 

oh and ... My contact info is set to "Private" Soooooo forum owners .. Any idea's on which one of your staff is trying to steal accounts ?

[tripsis]

oh and ... My contact info is set to "Private" Soooooo forum owners .. Any idea's on which one of your staff is trying to steal accounts ?

None of our staff members are trying to steal/recover accounts. However, our database was compromised in October and that's likely how this person received your e-mail. You can read this news post for more information.

[Den]

oh and ... My contact info is set to "Private" Soooooo forum owners .. Any idea's on which one of your staff is trying to steal accounts ?

None of our staff members are trying to steal/recover accounts. However, our database was compromised in October and that's likely how this person received your e-mail. You can read this news post for more information.

 

It's possible to have your e-mail visible in your tip.it profile as well iirc.

[tripsis]

oh and ... My contact info is set to "Private" Soooooo forum owners .. Any idea's on which one of your staff is trying to steal accounts ?

None of our staff members are trying to steal/recover accounts. However, our database was compromised in October and that's likely how this person received your e-mail. You can read this news post for more information.

 

It's possible to have your e-mail visible in your tip.it profile as well iirc.

Yes it is :) dartagnan said his was private though so it couldn't have been gotten off his profile.

[Den]

oh and ... My contact info is set to "Private" Soooooo forum owners .. Any idea's on which one of your staff is trying to steal accounts ?

None of our staff members are trying to steal/recover accounts. However, our database was compromised in October and that's likely how this person received your e-mail. You can read this news post for more information.

 

It's possible to have your e-mail visible in your tip.it profile as well iirc.

Yes it is :) dartagnan said his was private though so it couldn't have been gotten off his profile.

 

Ah, ok then. :P

[Kimberly]

oh and ... My contact info is set to "Private" Soooooo forum owners .. Any idea's on which one of your staff is trying to steal accounts ?

None of our staff members are trying to steal/recover accounts. However, our database was compromised in October and that's likely how this person received your e-mail. You can read this news post for more information.

 

It's possible to have your e-mail visible in your tip.it profile as well iirc.

Yes it is :) dartagnan said his was private though so it couldn't have been gotten off his profile.

 

Unless he set his email as his MSN contact information. Many advertisers scrape what info they can and just phish whatever they can.