Everything posted by flimsy

  1. Quite frankly if it is possible to hack into government department computers or high level business computers then it will be possible to hack into Jagex.. but that isn't the point at all. And as hockpeeps pointed out earlier... Zezima & Cursed You accounts will be the least likely to be attacked because they would have taken the most care with their account security... and they will have the most recorded histories in the game from which to get them back even if they were taken. How does this disprove my point? If anything it should tell you that a change indeed needs to be made! My recoveries were changed... and not by ME!! And because I followed the knowledgebase information which told me to use the 2nd option if someone changed my password & recoveries. And how did he change my recoveries?? In the same way as I had set them... either using my own password to change them before he changed it, or changing the password before he changed my recoveries! Either way account gone... My Q & A gone! Fine you made your point... but it is NOT the point of this thread. Then explain for me why many people who do lose their accounts can wait for weeks for their accounts to come back to them, both f2p & p2p alike... granted more likely f2p?? and just as many (probably more) never get them back (or simply because they get tired of being denied)... and these are people who have played years longer than my family has. Now I feel the need to explain something to you. My account which was stolen is actually my second acc which I created on RS. I created her after my daughter made her character which bears her RL name. Wai bears my RL name and so was the only character I wanted to develop.. my other, well, basically she is a low lvl character that I got tired of watching die over & over & over again.. her lifespan was maybe a month. So when I created Wai I did so with a plan, which was to get her to level 10 without dying once =). Time went on our Mains continued to develop. 
When Bank-PINs were introduced... I installed one. Security stronghold came along... I set up Q & A on all our accounts (previously didn't set any, and I sooo wanted the boots). I was like you, and thought that was enough security to have, along with my AV & Firewall. Not so... no matter how my account password was stolen.. the fact remains that once my password was gone, my account was gone. The account protection measures *are* insufficient. My recourse for recovering my account is insufficient. Not all of us have ever been involved in online gaming communities before... let alone years... and not all of us have ever encountered a situation where an online persona would literally require protection. Nor would I ever have considered that there were people actually willing to steal a game character?? A made up person?? PIXELS!! And for what??? A few more pixels?? This is not a dig at anyone, it just comes as a shock to me. I originally found out about RS through a site I regularly use, where a woman was talking about this free online RPG game that she has played with her kids. This is why I joined RS... To play alongside my kids... and being a big fan of old RPGs. Now when I found that I couldn't login onto my stolen account, the first thing I did was updated AV & scanned... nothing. So I go to do a recovery request... instant denial... fine.. go back try again... with more info in little box... again instant denial... ok, send for tracker ID recovery request for more thorough comparison with playing history... denied. Started to panic a little bit... so went to change passwords on the kids accounts just to be safe... found we couldn't ("password server is down"). Went to report-a-bug about "password server is down" found we couldn't do that either (white page with "Mod:Bugtracker_V4" written on it)... In fact many of the links which require ticketing were not working for us (white page with "Mod:Ticketing" written on it). Sent in 2nd recovery request... 
again denied. Went to send in 3rd recovery request only to discover that my Questions were no longer showing up!! Filled it in anyway and sent... again denied... and it has been like that ever since. They asked for subscription PINs, IP info, Account creation info... I gave all the info I could to the best of my recollection... I even gave them Account Bank-PIN, method of payment, subscription dates, character description, game Bank content, friends names on friendslist, quest info... and yet here I am, still not myself... and I'm not holding my breath to get her back... but I will continue to send in new recovery requests at every denial. Posts on official forums QF 29-30-325-27185935 & QF 25-26-736-28541286 illustrating the behaviour we are currently experiencing when we attempt to change the passwords on my kids existing accounts. "error processing request". We also get "error processing request" when attempting to "set new recoveries" on a new account I created to test the how/whys with. We also get "error processing request" when attempting to change the existing recoveries on my kids accounts via the "set new recoveries" link. Considering as how only a month ago we could access these pages properly definitely makes me think that something is going on somewhere... but... I'm not the only one experiencing them. Up until the time when I actually saw my stolen account login on RS, I thought it was a glitch associated with the others I have just mentioned, and because it followed closely on the heels of an update (4 were added after stronghold update)... already 2 account recovery denials & still I wasn't too worried... but then I saw my name light up briefly on my friendslist and my heart fell... confirmed account stolen. 3rd account recovery... questions which had previously shown up were gone. I am annoyed at how easily my account was gone, and I'm obviously disappointed that I still haven't been able to reclaim my account. 
But all of this is irrelevant to the purpose of this topic. Thanks for at least thinking that the Bank-PIN screen on with recovery is a good idea.. no they don't already have this... The PINs which they currently request on the recovery screen are for RL cc, pay-by-phone & pay-by-sms transactions. It is the actual Bank-PIN keypad I would like to see as part of the recover account page... It is to me the best form of protection that Jagex has on our accounts (mouse control vs keyboard). And unless someone saw you mouse in your Bank-PIN whilst you played RS, or you told someone... then this in my view, will aid in protecting your account more, and of course swiften account recovery. And we all know it is up to the user to make sure their accounts are protected... But if Jagex truly felt that way, they wouldn't have felt the need to install the Bank-PIN or have Recovery Q & A protections in the first place... and don't get me wrong... I am glad that they do have them... but it could be more effective. And hehe SNAP!! I just found a post on official forums in which they want to see the Bank-PIN used to aid in account protection/recovery too QF 24-25-793-28549925 This idea I like in particular. And another topic of interest QF 24-25-208-28660704 An Update: A week too late but at least I got my account back! Woohoo
  2. Unlike you I am not part of any underground autoing community, nor am I an advocate of cheating in any way shape or form. Runescape to me is just a game that I play not a way of life. I have Nortons Internet Security & AV which constantly gets updated. Files I download buddy are not RS related, and for the most part aren't programs.. I do have other interests than this!!.. The simple fact that you or anyone else has the audacity to come in here and claim that I would readily download a hack for Runescape is just stupid. You don't know me!. As for your "cancel recovery questions" you so readily pointed out to me... it WILL NOT WORK if you don't know what the slimeball has changed your password to!! And whether my security is up to scratch is not the point of this thread... next time I suggest you do read before you post! And again if you are happy the way things are then... Good On Ya. While what you say is probably true.. how swiftly Jagex currently deals with account recovery with f2p/p2p is really not the point. It still doesn't negate the purpose of this topic which is twofold: 1. it highlights how easily a hacker can take complete control of your account with just your password. 2. proposal of ways to make your accounts more secure, whether it is f2p/p2p... and as a result more likely for them to be returned to their rightful owners with most of their items intact. I have been thinking more about the bank-pin feature of the game.. there is a minor problem with that aspect of security... and yet at the same time it is currently the best security measure we have for our accounts... albeit still flawed. A hacker can claim that he has forgotten your Bank-Pin in order to get a new one installed. Now imagine that you have had your Bank-PIN on your account for the past 9 months (Bank PINs introduced Sept-2005)... you are a regular player... on everyday if even for a short while... constantly using your Bank-PIN to access your Banked items. 
Now imagine that your account has been stolen... and the thief doesn't know your Bank-PIN (unless you've been really careless, and in that case he only needs to "change Bank-PIN"), he goes to the bank accesses your bank and at the PIN screen clicks "I don't know it".. he then has to wait 3 - 7 days (depends on your settings) before he is able to set a new one, and once he gets the new Bank-PIN he then has access to your items. The problem is.. that there seems to be no check in place to protect users who have had their Bank-PINs for a long time.. and then along comes a slimeball who clicks "I don't know it". There also is no way for you to stop a Bank-PIN change without having access to your account. Now seeing as I personally feel that this Bank-PIN feature is the best part of RS security, I would like to see it used as part of the recovery process itself.. eg: on account recovery page have a button which will bring up the Bank-PIN screen overlay (without ability to access items of course), or even on the page itself a mini version of the Bank keypad where the real user (who knows the Bank-PIN) can input the numbers.. if the PIN is correct it will stop any current changes being applied to the Bank-PIN, an IP is recorded to compare to account history and the account locked until true ownership of account can be established, especially in the case of an "I don't know it" claim, this could perhaps make the process of account recovery quicker? This will also aid if you have been careless with your Bank-PIN in that it will stop any attempt to change your Bank-PIN. I would like to see more ideas for improving account security submitted please. Also post if you have constructive statements regarding improving RS account security... Or if you just wanna post saying YES to a safer account. I don't want any posts which state the obvious "Keep your password safe at all times" or "Use a decent AV & Firewall"... 
or posts which assume that I have done something in order to bring my current predicament upon myself.. it is irrelevant. If you feel that Jagex's security is fine then say so, without condemning this topic.. but do read the first post and keep to the topic at hand. This is not a thread about recovering your RS account. It is about finding ways of improving the protection for your RS account in the event your account gets stolen.
  3. First @ Tetsuya.. thankyou.. and you are right I'm not here to moan about my account simply to highlight a fault that I believe to exist with the current security measures... and I am a she not a he. @ sligo.. I like that idea... actually I like any idea which goes to further protecting our RS accounts. @ xKhAoZx.. No-one would purposely download a keylogger, and the only things we do download are not in anyway RS related. I regularly update & scan, check system process at all times... and whenever my AV sends up a warning I hunt out the culprit & kill it, but then I am not the only user here. And besides... how is not really the point of this topic. Prior to setting up my recovery questions we had detected some sort of trojan but that was removed immediately... and although this is most likely how my password was taken, it certainly isn't the only way. Prior to me actually seeing my account login I thought it was a glitch with the system, as we found several of the links on the mainsite weren't working properly. I go to login and find that I can't "Invalid username or password". Just to be safe we went to secure the kids accounts by changing their passwords. As I mentioned in my first post the change password link wasn't working properly "password server is down" and I wasn't prepared to sit there clicking on the link in order to change them, as someone on the official forum had been advised to do. We attempt to post a bug-report about this and found we couldn't.. we ended up at a blank page with "Mod:Bugtracker V4" written on it. We attempt to go through other links which involve ticketing (including billing) and end up at a blank page with "Mod:ticketing" on it. And as this had followed closely on the heels of an update I simply thought it was just a glitch and Jagex will sort it... although I'm surprised there weren't more reports in these or the official forums about website problems. I updated my AV & manually scanned.. found nothing. 
I used my daughter's account to notify about the problem with report-a-bug on the website feedback forum (as she was still on member account) only to get the topic closed and told to post it in tech support... which we do... then it quickly gets buried by all the other topics. But after seeing how quickly our topic got buried on the official forums, I'm not at all surprised that I couldn't find any topics regarding problems with the website. Prior to actually seeing my account log in without me... I thought/hoped my changed password was related to all the problems I was experiencing with the main site, and not the actions of a slimeball. @ Prismaric I lay the blame at the hacker's feet, not at Jagex, NO I didn't tell anyone my password, & NO I didn't do anything in order for my password to get stolen... let alone my recovery answers. The only people who would even have an inkling as to what they are, are my kids.. and they certainly don't want to lose their RS gravy-train. I didn't say they give the password away on recovery questions.. I said NO.. I didn't give my password out.. NO.. no-one knows my recoveries. I know the feature is there to help us... but it IS flawed. When I began the account recovery process for my own account, the processing of my 2nd request was delayed by it still being the weekend in England (track recovery remained pending for more than 24h)... When my account recovery request was declined I went to submit again only to find.... MY RECOVERY QUESTIONS WERE REMOVED!! and no-one except myself knows the answers to the questions I had written myself. Far be it for me to want to post something as inflammatory as this without some form of proof. But this was the only conclusion I could come to, when testing how/why theories. When I attempted to change the recoveries on my daughter's account... I was not faced with the questions that she used where I had to answer them... NO... instead I was faced with this I suggest you go try it yourself as well.. 
The process is go to Account Management>Set new recovery questions link login with password input password in current password box, change recovery questions, change recovery answers submit. After that I don't know what happens... but I assume it will do exactly the same thing which occurs when you first set up recovery questions on an account via this link. same reply.. except for #2 you I don't believe to be a spammer. To date I have sent in 11 requests.. 8 of which have been declined despite giving them info like, Bank-PIN, subscription PINs, account creation time, IP info, subscription dates, method of payment etc... at last some understanding.. By the time my 2nd recovery request had been declined, my recovery questions had been removed. And I know there is not much else I can do except continue to send in requests or wait to see if my account will log in again, and unfortunately the slimeball (pun intended) wasn't on long enough (when I saw my account log in) for me to beg for my account back (simply enough time for him to turn off friendslist) and that has been the last instance I saw of me.. and rather than calling the account thief a slimeball what should I call him??... I know what I would like to call him and it isn't anywhere near as tame as "slimeball". The account itself I don't care about... the content of my bank I don't care about... my name though... my name... I just want my name... he can keep the account and the levels she has.. I just want my name... and seeing as I can't have my name back... then I want my account back so I can keep my name. Well my questions & answers were unique as well, questions were ones I wrote myself, not the pre-selected ones available. Answers were only known by me, and up until last weekend I would've agreed with you... I thought my account was safe too. Unfortunately for me this has not proven to be the case. 
From my understanding (what I've read on the forums) when you change your recoveries you already have to wait for new recoveries to take effect. And also if you read the scenario you would see why waiting is beneficial. If you think my ideas for improving the security of our RS accounts are silly and if you are satisfied with your current account protection then Good On Ya. I however am not. My stolen account was my most levelled account but she certainly isn't the only account we have, and I would like to see our other accounts better protected. Well he's not having fun or my stats would've moved by now. He certainly struck gold though and would've had a good laugh as I was holding 880k in my inventory when I logged out last. It was late when I last played and I had inadvertently pulled out all my cash... and because of this I was going to put her back on subscription the following morning because I couldn't put the cash back in!! #-o But that is irrelevant to the topic at hand.
  4. Nowhere in the first post did I say it was Jagex's fault. The fault lies squarely at the hacker's feet. However as you can see it is very simple for a hacker to get full control of someone's rs account once they have the account password... and unfortunately that is where Jagex's security measures fall flat... very flat. Hence the suggestions I made for improvement of their current security measures. Oh really... and this coming from the king of 1 liners?? I signed up in December 2005, it's now August 2006... including this reply I have made a total of 3 posts. If I wanted to spam the boards I would be... YOU. My topic I feel is a valid one, and it is up to the forum mods whether it is spam. Thankyou for your concern.. I am still sending in recovery requests... but alas I feel it may already be too late to get back my account, too late at least to save my bank items... and in that case I don't think I would want to have her back... unless the thief has a heart and at the very least leaves me with my picks, ores and natures... I can start again if I had at least those... but I highly, highly doubt it. Anyway back to the topic at hand... what do you guys actually think about the proposed security ideas... using the scenario I gave as a guide??
  5. No-one thinks that these are good ideas?? or have I just repeated what someone else has already said?
  6. Hi first I'd like to introduce myself.. (see sig) I've been playing runescape now for around about a year... and I have had quite a lot of fun, made some good friends *waves to potato, mut & lulu* both young & old, and a few enemies.. especially when I was mining :XD: Anyway recently (very) my account was stolen... and no this topic is not going to be a MOAN-MY ACCOUNT WAS HACKED topic.. ok maybe a tiny bit (I need to vent), but on the whole it will be suggestions on how Jagex could perhaps improve things security wise. I know how easily the slimeball stole my account. Now first don't get me wrong, my computer is locked up tighter than a drum, up-to-date AV, firewall, regular scans.. and yet somehow the slimeball managed to get my password... that is all he needed to get my rs account, despite the fact that I had recovery questions set. All the slimeball needed to do was log in with my password to change the Q & A for Account Recovery and set a new password and voila.. my account was now his. He didn't even need to give any of my previous answers to change them, that is how simple it is... and makes it more difficult for me to get my account back... Why?? simple because my answers don't match the new ones that the slimeball set!! Yup.. it's true, that is all they need in order to gain complete control of your Runescape account... and all the precious items you have collected. Even if you have recoveries set and a Bank-PIN.. they only need your password to be able to change them. This is what I discovered during the process of trying to recover my own account... First let's change your recoveries, the hacker just can go to the "set recovery questions" link on the main page, login using your password which he has somehow managed to get a hold of, and change/delete the Q & A's right there and then... there is no safeguard except another input box for the existing password (y'know the same one he logged in with). Second let's change your password, well.. 
I don't know about you guys, but I have found that the "change your password" link on the main page wasn't working properly the last couple of days, after I login (in order to change my password) I end up at a nice runescape page telling me that the password server is down (it's working properly now though... scratch that.. "error processing" comes up now for us)... so how would the hacker be able to change your password?? Well one way is for him to continually bombard the password server using the "change your password" link until it finally gives in, and lets him continue on to change the password, changing the password from this link is the swiftest way for them to get your account. Another way is to go through the "Recover a lost password" link on the main page. Well seeing as how they have already changed/deleted your recoveries all they have to do is use whatever they had put in as answers, use your stolen password as a previous password, input their chosen password... and boom... bye-bye goes your baby... Well now the hacker has your account, well and truly in his hands... but what about the content of your bank... it'll be safe right? You have a Bank-PIN... there's no way he can get into your bank right?... WRONG!! Now you're wondering What?! But how? how can he get his grimy hands on your precious *insert most valuable item here*?? Easy he only needs to claim he has forgotten your Bank-PIN and then wait up to 7 days and then he can get at all your gear... and this depends on whether you set a 3 or 7 day waiting period for changing Bank-PINs. Basically guys we only get 3 days within which to reclaim our accounts with most of our items back safely... anything we are wearing/holding will be gone even if we do manage to get our accounts back within 3 days, but at least in all likelihood your banked items will be safe... unfortunately if you set it to 3 day change over, or didn't set a Bank-PIN and aren't able to recover your account within those 3 days... 
then wave bye-bye to your gear as well. After losing all your gear... would you feel it would be worth it to get your account back? So what can we do to combat this seemingly simple method of account theft?? A simple remedy: At the set recovery questions page, where an account already has set questions, have the user answer all of the previously set questions correctly (perhaps in random order) before permitting a change, with a waiting period before the new answers took effect... This would benefit all users because, first it will make things more difficult for the slimeball in that he would have to obtain the correct answers in the first place... Second once the account owner discovers his password has changed he will invariably attempt an account recovery and with the waiting period on the recovery change he will be more likely to submit the correct answers... Third it will alert the account owner for sure of a keylogger on their system if they try to log in & find their password has changed, then go to account recovery to find their recoveries have changed. At this point perhaps recording the ips of any users trying to initiate an account recovery request and comparing them to the account's ip history would be of value to the account owner. Of course if there aren't any questions set then... :ohnoes: Additional queries like how many *random item* do you have in your bank? wouldn't go astray either (on change recoveries page). In fact I would think it essential as the slimeball will have to be able to access the accounts bank first in order to know how many of that *random item* are in there... and that's the only good thing I have to say about the security for Runescape is: at least the bank pin security is good... that is until the slimeball decides to change your bank-pin.. to him it's only a couple of days waiting. What about the account recovery process itself... that needs improvement for sure.. 
Well firstly I think that if account recovery is being processed then it should cause the account in question to get locked, I would think that, using account recovery should alert somebody that something is being taken back???! Ok.. so I can see this won't work, not right off the bat, afterall can you imagine 10,000 users submitting account recovery requests to gain zezima's account?? or misuse from a person instigating an account recovery just to lock an account for spite... hmm... But surely an account which is being contested should be locked in some form at the soonest? Perhaps instead of a complete account lock... a bank lock which comes into effect at the first account recovery request... one which will prevent the slimeball from attempting to change the bank-pin until the account has been claimed properly.. that sounds a lot better, although personally I would prefer the complete lockdown... With the safeguards I'm suggesting in mind, imagine this scenario... the slimeball has changed the account password, he has to wait for the bank pin to change in order to be able to change the recoveries we had set... and then he will still have to wait further before his new recoveries take effect... in that time an account recovery is initiated which will freeze all pending recovery changes and PIN changes, allowing time for the owner to prove their account is theirs, without fear of losing all their bank items. So what else could be done?... I don't want to see my account being used when I'm not the one using it (I saw my account log in briefly today on another world... I know she's being used... possibly abused... needless to say I'm not happy).... Well... that obviously didn't happen with my account... I wouldn't be able to see her log on if it was locked. How about as an aid to reclaiming a stolen account having an "I saw my friends stolen account being used by someone other than my friend" button. 
I mean after all who are the first ppl you tell that your account is gone?? your friends on your friendslist of course!! And because they are located all over the world and are on at all times of the day or night, the more likely it is to find your missing account... and report what world they saw them on.. and thus an ip is recorded. I also think that it may be beneficial if Jagex have a rethink about their email policy, Maybe just sending out the first (and only) email & Message box memo (after creating an account) contain the account creation details which are pertinent.. you know in a similar way to how many website hosts send an email so you know your details for accessing ftp etc... except a Jagex email be a one-off, and contain the name, password, server you logged into, date created, and an all important first ip... along with a friendly note to tell the user to keep all this info in a nice safe place just in case they need it.
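
The safeguards proposed in the posts above (existing answers required before recoveries can change, a waiting period on recovery and Bank-PIN changes, and an owner's recovery claim that freezes pending changes once the current Bank-PIN is proven) can be modelled as a small state machine. This is an added example, not part of the original posts and not Jagex's system; the class, method names, the 7-day hold and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

HOLD_DAYS = 7  # assumed waiting period before a sensitive change takes effect


def _digest(salt, secret):
    # Salted PBKDF2 so answers and PINs are never stored in the clear.
    norm = secret.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 20_000)


class Account:
    """Hypothetical account model; not the game's real implementation."""

    def __init__(self, password, answers, bank_pin):
        self._salt = os.urandom(16)
        self._password = _digest(self._salt, password)
        self._answers = [_digest(self._salt, a) for a in answers]
        self._pin = _digest(self._salt, bank_pin)
        self.pending = {}    # field name -> (new value, day it takes effect)
        self.frozen = False  # set once the owner successfully contests

    def _match(self, stored, supplied):
        return hmac.compare_digest(stored, _digest(self._salt, supplied))

    def _answers_match(self, supplied):
        return bool(supplied) and len(supplied) == len(self._answers) and all(
            self._match(s, a) for s, a in zip(self._answers, supplied))

    def request_recovery_change(self, day, password, old_answers, new_answers):
        # The password alone is not enough: existing answers must be proven.
        if self.frozen or not self._match(self._password, password):
            return "denied"
        if self._answers and not self._answers_match(old_answers):
            return "denied: existing answers required"
        new = [_digest(self._salt, a) for a in new_answers]
        self.pending["_answers"] = (new, day + HOLD_DAYS)
        return "pending"

    def request_pin_reset(self, day, password):
        # The "I don't know it" claim: accepted, but only after the hold.
        if self.frozen or not self._match(self._password, password):
            return "denied"
        self.pending["_pin"] = (None, day + HOLD_DAYS)
        return "pending"

    def apply_due(self, day):
        if self.frozen:
            return
        for field, (value, due) in list(self.pending.items()):
            if day >= due:
                setattr(self, field, value)
                del self.pending[field]

    def contest(self, day, bank_pin=None, answers=None):
        # Recovery claim: needs no password, only proof of the current
        # Bank-PIN or answers. Success cancels pending changes and locks.
        self.apply_due(day)  # changes already in effect cannot be undone
        pin_ok = (bank_pin is not None and self._pin is not None
                  and self._match(self._pin, bank_pin))
        ans_ok = answers is not None and self._answers_match(answers)
        if not (pin_ok or ans_ok):
            return False
        self.pending.clear()
        self.frozen = True
        return True

    def pin_required(self, day):
        self.apply_due(day)
        return self._pin is not None


def run_scenario(contest_day):
    """Thief holds only the password; owner contests on contest_day or never."""
    pw = "constructed-password"  # constructed sample values throughout
    acct = Account(pw, ["blue", "tabby"], "4821")
    out = {
        "answers_change": acct.request_recovery_change(0, pw, ["x", "y"], ["p", "q"]),
        "pin_reset": acct.request_pin_reset(0, pw),
    }
    if contest_day is not None:
        out["contest"] = acct.contest(contest_day, bank_pin="4821")
    out["pin_required_day_8"] = acct.pin_required(8)
    return out


if __name__ == "__main__":
    for d in (3, 9, None):
        print(d, run_scenario(d))
```

A claim made inside the hold window keeps the bank protected; one made after the hold has expired arrives too late, which is why the length of the waiting period matters as much as the freeze itself.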