Posts posted by Mercifull

  1. Well my emails are a custom domain using Google Apps for business. I have 2-step verification enabled which means the only way to get access would be to submit an administrator request to Google; a copy was sent to me. This COULD be someone attempting to gain access to my emails as one part of gaining access to an account. Who knows. Just seems a bit of a coincidence to get it so soon after activating JAG.

  2. It's supposedly an all new detection system so there isn't any point basing opinion on their current methods.

     

    Personally, it seems like a good update, I just don't understand how this will work in the long term. If the detection is as good as they claim then surely in future no one will bother botting and so it will become dead content?

  3. Not being able to come up with your own questions is baffling, considering that the current password recovery system allows this in the first place.

     

    Indeed and this is what Jagex had to say when I emailed them about it:

     

    Hey Matt,

     

    You should also bear in mind that JAG is just one tool and there are other security measures players can make use of such as the bank pin and email recovery questions.

     

    Ultimately we need the players to play their part too and keep their computers secure and their personal information secret. If a player chose easy to guess answers a hijacker would still need to obtain their password to log into their account. JAG isn’t meant to be a replacement for players using common sense.

     

    We’ve tried to choose a selection of questions so players can judge themselves which ones would be most difficult to answer. For example I know most people I play games with online wouldn’t be able to find out where my parents met!

     

    It’s also completely up to the player what answers they put, they don’t have to be true. As long as you remember the answers to each question you can put whatever you like.

     

    Although we hope most players will make use of JAG it is completely optional and whether or not you use it is at your own discretion.

     

    Kind Regards,

     

    Mod Alena

  4. I suppose in theory it's also possible for someone who has managed to install a RAT on a victim's computer to control it remotely and transfer gold and items that way. I'm obviously being quite critical here and a lot of the scenarios I am proposing would be incredibly rare but my main point is that they are making similar mistakes as with the current recovery system and a proper 2-step verification system would prevent all of them.

  5. It gets worse. The things Jagex have chosen as security questions are things which can very easily be found out by using Facebook or other social networks or even through general conversation!

     

    I'm furious! I want to be able to ask my own questions, questions which no one can know the answer unless they were physically in my house for example. This is an outrage.

  6. And by having it based on IP (which for many people might change fairly often) a phishing site could appear to be more legitimate as having to re-enter details fairly often would become the norm and not something to be alarmed about.

     

    As I said before I'm just disappointed really. Jagex missed a trick here by not providing something at full strength available. An authenticator device/app/sms/voicecode facility would mean that I could give you my RuneScape username & password, my email address username & password AND install a keylogger onto my computer and you still wouldn't be able to get into my account.

  7. What a real shame. Considering MMG comes from a security background I expected a lot more.

     

    The Jagex Account Guardian uses a combination of email addresses and unchangeable security questions to enable devices/computers which means that accounts are STILL susceptible to remote attacks. Because they cannot be changed once set it's a massive security hole if someone manages to find them out.

     

    It's an interesting addition and no doubt WILL make people's accounts more secure but I'm very disappointed they didn't go down the route I wanted them to. Expect phishing and keylogging to boom.

     

    The thing that makes a 2-step authenticator so secure is because the code used for access changes every 30 seconds and because you need physical access to the device or mobile phone of the account holder. The system Jagex has implemented does not protect against phishing (as they will just make pages that claim cookies have expired or something so you need to read your computer) nor against much more serious keylogging software which can also compromise your banking details.

     

    So on that note if anyone here wants to activate the JAG then make sure your email provider DOES have 2-step authentication such as Gmail and activate that as well!

  8. I've never had my account hacked so I dunno if I'd even bother with it.

     

    If you have the ability to opt into it then I would definitely recommend it. If the Botany Bay bot nuke is as successful as Jagex believe it to be then the goldfarmers are going to turn to account thefts for their gold stocks.

  9. In the RuneScape livefeed last night (and again today on Twitter) Mod Paul M said that he will be filming a special Botany Bay/bot nuke behind the scenes today which will be released on Friday (or earlier if someone manages to snag the hidden link from somewhere).

     

    Omali is right about the term "usb" being misleading. In 2008 Jagex referred to the device looking "a bit like a USB dongle" but it's not actually anything to do with USB. Think only of the form factor and size of a USB stick for a potential RuneScape secure key but not actually something you put into your computer.

     

    A secure key, mobile app, SMS, voice message prevents account thefts because even if someone has access to your password they will not be able to get hold of the number required for login. The only way to get around it is to also have physical access to the person's phone you want to "hack". You are reducing the potential number of victims to an incredibly small number.
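
The property posts 7 and 9 rely on, shown as an added example that is not part of the original posts and not Jagex's system: an RFC 6238 time-based code is derived from a shared secret and the current 30-second window, so a value recorded earlier fails later, while a fixed security answer is accepted on every replay. The secret is the RFC 6238 test key, the answer string is constructed, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds a code stays valid, the interval the post mentions


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the 30-second window containing unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, drift: int = 1) -> bool:
    """Accept the current window plus `drift` windows either side for clock skew."""
    return any(
        hmac.compare_digest(totp(secret, now + i * STEP), code)
        for i in range(-drift, drift + 1)
    )


def verify_static_answer(stored: str, supplied: str) -> bool:
    """A fixed security answer: whatever was valid once stays valid."""
    return hmac.compare_digest(stored.casefold().encode(), supplied.casefold().encode())


# Constructed sample data: the RFC 6238 test secret and a made-up answer.
SECRET = b"12345678901234567890"
ANSWER = "constructed-answer"


def replay_outcomes(captured_at: int, replayed_at: int) -> dict:
    """What the server decides when values recorded at one time are resubmitted later."""
    captured_code = totp(SECRET, captured_at)
    return {
        "totp_accepted": verify_totp(SECRET, captured_code, replayed_at),
        "static_accepted": verify_static_answer(ANSWER, ANSWER),
    }


if __name__ == "__main__":
    print(totp(SECRET, 59))               # RFC 6238 test vector, last six digits
    print(replay_outcomes(59, 59 + 20))   # resubmitted inside the accepted windows
    print(replay_outcomes(59, 59 + 300))  # resubmitted five minutes later
```

A code resubmitted inside the accepted windows still verifies, so the `drift` allowance and one-time use of each code are what bound the exposure on the server side.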
