
Recovery PINs


RU_Insane



 

Recover Your Account Without The Hassle

By: RU_Insane

 

Introduction

 

Often enough, if not every day, player accounts are recovered by the wrong people. They intend to use their ill-gotten goods for malicious purposes, or to personally profit. None of this is any news to the astute player. Indeed, if you've attempted to recover your own account, some of you would be surprised at how easy it is for one to retrieve a lost or forgotten password. Even then, at times, you had to wait a while before your appeal was accepted. I've waited for six days on one of my account recoveries.

 

This is all well and good for legitimate players, in terms of easy account recovery. But how do we keep the baddies at bay? Unfortunately, we can't prevent them all from gaining access to your account. We can try to educate players about how to better secure their accounts, though. I have an idea that will help with this. The solution is simple, but effective.

 

Recovery PINs. In a word, these PINs (Personal Identification Numbers) are unique 10-digit alphanumeric codes. On the surface, they are much like the redemption codes you can find on the back of a RuneScape game card. But in reality, they are much more. They are convenient security measures. When you register an account (existing accounts too), a unique PIN gets assigned to it. This PIN gets sent to your player inbox. You will be notified, and auto-directed to the new message.

 

How Recovery PINs Work

 

Upon being read, the message disclosing the PIN code will be deleted from the server, but the PIN itself remains intact. This is a great security feature because only you'll know what the PIN is. You will have a PIN on your account at any given time. The PIN can never be changed or removed, except by Jagex's password recovery system (see later). Players are instructed to write down the PIN code in a safe place. The steps taken so far in the process have an immediate advantage: no perpetrator looking for your personal info can find this PIN code, because it's deleted from Jagex's servers when the message is read.

 

But the Recovery PIN has a second advantage more central to its concept. The PIN, when entered into an account recovery form, overrides any other info supplied in the form. All you have to do is type it in the appropriate box, and a confirmation e-mail is sent to your e-mail address. Confirm the recovery, and you get your account back instantly. The Recovery PIN is the most valuable piece of information your account can ever possess.

 

It's more valuable than your first password and even more valuable than your subscription information. Why is the recovery PIN so valuable? Because it's predicated on the assumption that the only person who'd know this PIN is you. No one else can obtain this PIN because it's unique, it's flexible, and the message is deleted from Jagex's servers when you read it, so it's secure. Presumably, you're the only person who read that message, so who else could know?

 

You'll notice I said the PIN is flexible. This is a necessary fail-safe feature. In the worst-case scenario, someone obtains your password, and changes it after they're done with your account. Clearly, this isn't something you want. The best alternative is that your account is compromised, but you can recover it instantly thanks to your PIN.

 

Redeeming your PIN

 

Each time you attempt a recovery, a confirmation e-mail is sent to your e-mail address. If an intruder tries to recover your account with the PIN, they need to have access to your e-mail to confirm the recovery. If someone tries to change or remove the e-mail address on your account, an e-mail will be sent to your current address informing you of the e-mail change/removal request. In this case, ensure that your e-mail password is different from your RuneScape password, and that your computer has an up-to-date anti-virus and firewall.

 

When the recovery is confirmed, a new PIN is generated afterward for your account, and is sent to your inbox after you set your new password. If your account doesn't have an e-mail registered, the recovery attempt won't have to be confirmed. Take care to write down the PIN, as it will be deleted from the server afterwards. This whole process occurs over a secure, encrypted protocol, so no one can 'listen in' on the conversation between your computer and the server.

 

In case the computer drops the connection, the inbox will wait to reveal the new PIN until the secure protocol with the server is re-established by the same computer that first launched the recovery sequence, at which point you will be redirected to your inbox. It's highly recommended that you scan your computer for viruses before you initiate the recovery sequence, so malicious programs like key-loggers can't record your info.

 

Of course, always be careful with where you place your sensitive information, and ensure you have a computer with up-to-date virus protection software. If your account is broken into, Jagex can lock it, and you can supply the details you first registered with your account. Jagex will look at the address of the computer attempting the recovery in this case. It's very unlikely that your account will fall into someone else's hands.

 

Limitations

 

Of course, this feature won't stop all people who recover accounts for malicious purposes or profit, but it should stall a great majority of them, considering how unlikely it is for someone to obtain your Recovery PIN. In the end, only you can make your account the most secure it can be. This is why you need to educate yourself on how to best secure your account. Write down all your sensitive info on paper, or store it on a very secure computer. Keep that info in a safe place where people are least likely to look for it.

 

Pros and Cons of PIN Recovery

 

The benefits of the PIN can be summed up this way:

 

  • Quicker -- Instant account recovery and access when recovery e-mail is confirmed (if you have e-mail)
  • Flexible -- Your PIN is only changed when your account is compromised, after you recover your account.
  • Unique -- The PIN is a ten-digit alphanumeric code. Chances of someone else getting the same PIN are very small.
  • Secure -- No one else can obtain the PIN. The message disclosing it is deleted after you read it.
  • Careful -- Confirmation e-mail is sent to your address when recovery attempt is logged by the system (if you have e-mail).

The cons of the PIN are summed up here:

 

  • If someone obtains the PIN, account can be infinitely recovered (highly unlikely now, unless intruder redeems PIN).

Feedback

 

Do you have any questions, concerns, or comments you'd like to voice here? I thought about including a "Disable PIN" feature where the owner could disable the PIN, but then the intruder could disable the PIN too. I don't want the PIN to be removed because when the account is compromised, how else can the owner recover it as quickly and easily? Comments/suggestions don't have to be exactly about this issue, but they would be appreciated. Thank you to Dev for his suggestions. :thumbsup:

 

Thanks for reading. :D

 

Support List <3:

 

  • RU_Insane
  • Kaida23
  • D_V_Devnull
  • vivimancer
  • Nash

 

Log of Edits:

October 10, 2011: Added a paragraph below "Redeeming Your PIN". Updated "Pros & Cons" section of post.

RIP RU_Insane. August 3rd, 2005 - November 11th, 2012.

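Added example: a small Python model of the Recovery PIN flow laid out in the post above (PIN issued at registration, shown once in the inbox, e-mail confirmation of a recovery, and a fresh PIN after every redemption). This is not code from the post or from Jagex. The storage details are my assumptions: the server keeps only a salted PBKDF2 hash of the PIN and of the password, so once the inbox copy is cleared nothing on the server can reproduce the PIN, which is what makes the post's "deleted from the server" property mean something; the confirmation e-mail is modelled as a random token dropped into an in-memory outbox, and account names, e-mail addresses and passwords in the usage are constructed.

```python
"""Toy model of a one-time-disclosed, rotating Recovery PIN (added example)."""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, List, Optional

ALPHABET = string.ascii_uppercase + string.digits   # 36 symbols; 36**10 possible PINs
PIN_LENGTH = 10


def generate_pin() -> str:
    """Ten alphanumeric characters from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(ALPHABET) for _ in range(PIN_LENGTH))


def slow_hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 (assumed parameters) so a copied account table reveals no PINs."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Account:
    name: str
    email: Optional[str]                 # None models an account with no e-mail registered
    pw_salt: bytes
    pw_hash: bytes
    pin_salt: bytes = b""
    pin_hash: bytes = b""
    undisclosed_pin: Optional[str] = None   # the only plaintext copy; cleared on first read
    pending: Optional[dict] = None          # recovery awaiting e-mail confirmation


class RecoveryService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.outbox: List[dict] = []        # stand-in for e-mail delivery (constructed)

    def register(self, name: str, email: Optional[str], password: str) -> None:
        salt = secrets.token_bytes(16)
        acct = Account(name, email, salt, slow_hash(password, salt))
        self._issue_pin(acct)               # every account carries a PIN from day one
        self.accounts[name] = acct

    def _issue_pin(self, acct: Account) -> None:
        pin = generate_pin()
        acct.pin_salt = secrets.token_bytes(16)
        acct.pin_hash = slow_hash(pin, acct.pin_salt)
        acct.undisclosed_pin = pin          # waits in the in-game inbox until read once

    def read_inbox(self, name: str) -> Optional[str]:
        """One-time disclosure: the plaintext is discarded the moment it is shown."""
        acct = self.accounts[name]
        pin, acct.undisclosed_pin = acct.undisclosed_pin, None
        return pin

    def check_password(self, name: str, password: str) -> bool:
        acct = self.accounts[name]
        return hmac.compare_digest(slow_hash(password, acct.pw_salt), acct.pw_hash)

    def start_recovery(self, name: str, pin: str, new_password: str) -> str:
        """Returns 'denied', 'confirm-by-email' or 'recovered'."""
        acct = self.accounts.get(name)
        if acct is None or not hmac.compare_digest(slow_hash(pin, acct.pin_salt), acct.pin_hash):
            return "denied"
        salt = secrets.token_bytes(16)
        acct.pending = {"token": secrets.token_urlsafe(32),
                        "pw_salt": salt, "pw_hash": slow_hash(new_password, salt)}
        if acct.email is None:              # nothing to confirm against: complete at once
            self._complete(acct)
            return "recovered"
        self.outbox.append({"to": acct.email, "token": acct.pending["token"]})
        return "confirm-by-email"

    def confirm_recovery(self, name: str, token: str) -> bool:
        """Second factor: whoever typed the PIN must also hold the mailbox."""
        acct = self.accounts[name]
        if acct.pending is None or not hmac.compare_digest(token, acct.pending["token"]):
            return False
        self._complete(acct)
        return True

    def _complete(self, acct: Account) -> None:
        acct.pw_salt, acct.pw_hash = acct.pending["pw_salt"], acct.pending["pw_hash"]
        acct.pending = None
        self._issue_pin(acct)               # rotate: the PIN just typed is burnt, a new one waits in the inbox
```

Two points the model makes visible. First, rotation in `_complete` is what limits a keylogged PIN to a single use, as the thread settles on below: the captured value is dead as soon as the real recovery finishes. Second, 36^10 (about 3.6 x 10^15) guesses is only a meaningful margin against online guessing if the recovery form is rate-limited, which the post does not discuss; a 4-digit PIN, with 10^4 possibilities, would be exhausted by a patient attacker regardless.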

Seeing as your idea isn't 100% fleshed out, I can't support just yet. However, here's an idea to patch to it... Read on.

 

 

Idea: "Upon the first usage of this Perma-PIN to recover the account, a new one is generated (changing the attached Perma-PIN) and shown to the player just after they set a new password. This would all happen while in Secure (https) Mode. This could potentially use the same style as the Original Perma-PIN, and would therefore be shown as a one-time-only message in the player's account's inbox, but only as long as the connection doesn't drop from Secure Mode. If it does drop from Secure Mode, the inbox will wait to reveal the message until Secure Mode is re-established with the same computer that first launched the recovery sequence."

 

 

Yes, this 'patch idea' would mean that the PIN could change, but that only Jagex's password recovery system could change it; and that a player must write down the newly changed PIN for their own account. However, if the player has some smarts, and cleans their PC before recovering their account, then the chance of anyone else getting this PIN basically drops to zero because everything would be happening in Secure (https) Mode! And even if a connection loss suddenly happens, the recovery system wouldn't show the message to anyone except the original user at the same computer where the recovery process began, blocking anyone else from getting the new Perma-PIN. :shades:

 

I'll leave it to you now to decide whether you wish to include this, and I'll check back later. ;)

 

~Mr. D. V. "Is that secure enough for you?!?!?" Devnull


(Warning: This user can be VERY confusing to some people... And talks in 3rd person for the timebeing due to how insane they are... Sometimes even to themself.)



This sounds good :P I changed the bit about 'first time redemption' to 'each time you redeem your PIN' so as to prevent key-loggers from stealing this info the second time. For, if we only changed the PIN once, what's going to stop them from getting it the second time? Yes, virus scans are always important, I agree. But shuffling things up just to be safe. ^_^


I like this. It would be an excellent way to secure accounts. Full support. :thumbup:

 


THE place for all free players to connect, hang out and talk about how awesome it is to be F2P.

So, Kaida is the real version of every fictional science-badass? That explains a lot, actually...


Consider me on-board, now that you've got that small hole patched up. FULL SUPPORT, and I hope this gets through to Jagex's ears! :thumbsup:

 

Gonna be fun, though, once they do implement this and I have to go visit my Game Inbox to gather that useful security data. :P

 

~Mr. D. V. "Woot! I'm in!" Devnull



Awesome <3: I'll add you to the list. ^_^

I added in a paragraph about e-mail confirmation for recovery attempts too, for extra security. :thumbsup:


Thinks it would be much easier to have a 4-digit PIN like a bank PIN that you could use instead of, or as well as, recovery questions. Sometimes I can't even remember what I had for breakfast, let alone a 10-digit alphanumeric code.

 

but support in theory

 

Yeah, but say if you entered that 4-digit PIN on the screen. If your computer were infected with screenshot malware, someone could take screenshots of the keys you pressed on the screen. It's not a bad idea, but how does it prevent people from stealing it? Plus, you'd write down the 10-digit PIN on a piece of paper, of course. Only if you had a very secure computer would I recommend you'd put your PIN there.

 

So if you 'support in theory', can I add you to the list? :P


  • 2 weeks later...

I support, except: what if the PIN generated for the account is obtained by the hacker and not the real owner?

 

Then you're screwed, unless you can recover the account in time (with other details) and request a new PIN >_< :P


  • 2 months later...

I would have to disagree with this idea, for the time being. Although I can see the benefits of implementing this suggestion, there is also a negative that should be taken into consideration. Players consistently forget their passwords (obviously, otherwise this idea wouldn't be valid), despite being informed they should write them down in a safe place. Why would they care to write down their Recovery PIN?


  • 2 weeks later...


That sounds like a minority of players you're referring to. Realistically, we can't expect everyone to follow procedure. Ideally, we'd like them to, in the interest of their security. I think it's reasonable to assume that a good portion of active players, if not almost all of them, would recognize this benefit and write down the PIN. I'd also point out that if the PIN is lost or forgotten, it's only lost to the account it was given to.

 

Players still have passwords and other relevant information to fall back on if they wish to recover their account, which is considerably easier to retrieve compared to a Recovery PIN. I would also imagine that if the PIN was easy to forget in the first place, the person would take care to write it down so he'd have something to refer to in case he forgot off-hand afterwards. Hope that answers your question :)

 

We can't take care of all the players, but we assume most have good sense when it comes to security. :)

