Anti-Hack Measures


Distracted

Being hacked. No one likes experiencing it. I speak from experience when I say that typing in your password and hearing it's wrong makes my heart skip a beat. Whether they're low-life crooks or smart-[wagon] nerds that like pissing you off, there are still hackers out there influencing some of us.

Of course we can't ask Jagex to go and ban all hackers out there (which wouldn't fix the problem since they don't actually need their own account to play). But what we can do is improve our security. And Jagex did already take a lot of precautions to secure our accounts. Bank pins saved my [wagon] last time I got hacked, and recovs made it possible for me to get it back fast.

"Lolwut? Ur nub, i has recovs n pass wid nrs so i cant be haxxored". So do I. I still got hacked.

 

"You probably got keylogged" No, I didn't. I only used this computer for 3 days visiting only TIF and RuneScape.com. I have scanned my computer and nothing was found.

 

 

 

So there must be hackers that can access your account in a different way. My methods aren't failproof and they can probably still be bypassed if a hacker really wanted to, but it's a start.

First of all: IPs. Now most users use IPs that are dynamic, which means they change every time. But RS traces your main IP, which doesn't change. You can be traced all the way to your ISP with the main IP. It's the IP you see at the top of your welcome screen.

My suggestion with this is pretty simple. Whenever your main IP changes, you'll be prompted to answer some recovery questions to log in. This would function in nearly the same way a bank pin does: If you log in, you type in your bank pin (in this case recovery question answers.). Once you've typed them in once, you don't need to type them in again till you log out (or in this case move house or use a different main IP in any other way). You'll only need to answer 5 or 3 of your recovery questions correctly to get in. This way you won't get annoyed and the only way a hacker can get in is by knowing your recovery questions. I hardly know my recovery questions so I doubt a stranger would. Also proxies won't be able to pass this defense.

 

 

 

A second suggestion would be an appeal history page. It would mention all your previous password appeals. If someone got into your account using this option, you would know since it'd be written in your history. It'll also say what IP did this appeal, so you can report it to Jagex if the appeal wasn't by you. This is a pretty simple suggestion, IMHO.

 

 

 

Now the third idea I have is a way of knowing if someone is on your account. Imagine you try to log on to your account and notice the password is wrong. What I do then is go onto a secondary account and add my main. But of course a hacker would turn private off to avoid questions from friends and such. So maybe there should be a way of knowing if your main is online at that moment. You won't be able to send messages or such, but the IP would be shown so you can report him to Jagex. Now this might be annoying for some who turn their private off so no one can know they're online. I suggest the only way to add a name to this feature is by typing in its recovery questions, like with the first example.

Now just one more last note. I remember this suggestion here that you'd have to type in your bank pin when logging in to avoid being keylogged. I like this suggestion too and so I'm mentioning it here. I say this should be an optional feature toggled on and off at your bank, so if you feel certain you won't get keylogged you can turn it off. Of course you wouldn't need to type in your bank pin once you're logged in. Also pin-related, when you go over a number, it disappears. They did this against keyloggers. The problem with this is that it's easy to check the other numbers and see which one is missing. So just make all numbers disappear when you go over one of them.

Thanks for reading, any constructive criticism is welcome.

Link to comment
Share on other sites

 

First of all: IPs. Now most users use IPs that are dynamic, which means they change every time. But RS traces your main IP, which doesn't change. You can be traced all the way to your ISP with the main IP. It's the IP you see at the top of your welcome screen.

 

My suggestion with this is pretty simple. Whenever your main IP changes, you'll be prompted to answer some recovery questions to log in. This would function in nearly the same way a bank pin does: If you log in, you type in your bank pin (in this case recovery question answers.). Once you've typed them in once, you don't need to type them in again till you log out (or in this case move house or use a different main IP in any other way). You'll only need to answer 5 or 3 of your recovery questions correctly to get in. This way you won't get annoyed and the only way a hacker can get in is by knowing your recovery questions. I hardly know my recovery questions so I doubt a stranger would. Also proxies won't be able to pass this defense.

 

My IP changes every couple of hours. That would be unbelievably annoying, as well as switching every time I switch from work to home 4+ times per day. Terrible idea.

 

 

 

 

A second suggestion would be an appeal history page. It would mention all your previous password appeals. If someone got into your account using this option, you would know since it'd be written in your history. It'll also say what IP did this appeal, so you can report it to Jagex if the appeal wasn't by you. This is a pretty simple suggestion, IMHO.

 

Giving away other users' IPs would be not only illegal but very dangerous. Someone makes a typo on the name, you could get their IP by creating an account with a similar name. They can already see the IP, they don't need to reveal it to you. Plus, that's illegal in most countries. Even worse idea.

 

 

 

 

Now just one more last note. I remember this suggestion here that you'd have to type in your bank pin when logging in to avoid being keylogged. I like this suggestion too and so I'm mentioning it here. I say this should be an optional feature toggled on and off at your bank, so if you feel certain you won't get keylogged you can turn it off. Of course you wouldn't need to type in your bank pin once you're logged in. Also pin-related, when you go over a number, it disappears. They did this against keyloggers. The problem with this is that it's easy to check the other numbers and see which one is missing. So just make all numbers disappear when you go over one of them.

 

Ah. So to defeat the evil keyloggers, we type in our pins. Brilliant! Why didn't Jagex come up with these genius ideas?

 

 

 

That being said, even clicking to enter your pin would be a very bad idea. All the keylogger has to do is program it to capture the screen a fraction of a second before the mouse hovers over whatever color the keys are, and he has your number with no fuss and no muss. Not to mention it would be a huge hassle.

 

 

 

Don't make your recovery questions obvious, and don't download stupid stuff on an unprotected computer. Follow those directions and you'll never get hacked. And your draconian 'ideas' would make it much more of a hassle while at most slightly inconveniencing the hacker.

DeviledEgg24.png

Drops: 1x Draconic Visage, 56x Abyssal Whip, 5x Demon Head, D Drops: 37, Barrows Drops: 43, DK Drops: 29

GWD drops: 14,000x Bars, 1x Armadyl Hilt, 2x Armadyl Skirt, 4x Sara Sword, 1x Saradomin Hilt, 8x Bandos Hilt, 8x Bandos Platebody, 9x Bandos Tassets, 4x Bandos Boots, 43x Godsword Shard, 82x Dragon Boots

Dry streak records: Saradomin 412 kills Bandos 988 kills Spirit Mages 633 kills - Slayer Sucks

Link to comment
Share on other sites

 

Don't make your recovery questions obvious, and don't download stupid stuff on an unprotected computer. Follow those directions and you'll never get hacked.

 

 

 

Like I said, I didn't download anything or whatever else, and my recoveries aren't obvious at all (I hardly know the answers). I still got hacked, just tell me how the f anyone did that.

 

 

 

And the IP thing, I asked people and they said that there is some kind of main IP that doesn't normally change unless you move house. Now I can understand that for people like you who go from house to office a lot might get bothered by this, so the only solution I have for this is maybe a toggle feature. Now it could be that the info they gave me was wrong, in that case I apologize.

 

 

 

I never said to type in pins? Where did you get this from. And how can a keylogger predict a fraction of a second before you go over a certain colour?

Link to comment
Share on other sites

Like I said, I didn't download anything or whatever else, and my recoveries aren't obvious at all (I hardly know the answers). I still got hacked, just tell me how the f anyone did that.

 

Then you entered it on an insecure computer, or you're lying. Sorry, but Jagex servers are safe. It's 100% your fault if you get hacked.

 

 

 

 

 

 

And the IP thing, I asked people and they said that there is some kind of main IP that doesn't normally change unless you move house. Now I can understand that for people like you who go from house to office a lot might get bothered by this, so the only solution I have for this is maybe a toggle feature. Now it could be that the info they gave me was wrong, in that case I apologize.

 

A toggle feature that everyone turns off because it does nothing whatsoever to help security and is a huge pain in the tush. It might be a good idea to at least have an iota of a clue what you're talking about before posting a suggestion.

 

 

 

 

I never said to type in pins? Where did you get this from. And how can a keylogger predict a fraction of a second before you go over a certain colour?

 

I remember this suggestion here that you'd have to type in your bank pin when logging in to avoid being keylogged.

 

Read your post reallll carefully.

 

 

 

Also, it's very simple. Have it watch in the back recording the area within a certain pixel distance of the mouse in a very low quality mode, simply buffering the past second or two into memory. Uses virtually no CPU cycles and is undetectable, upon mouseover of the specific color it would immediately dump the past second or two onto disk where it could be uploaded just like a regular screen cache. Hackers aren't idiots.

Link to comment
Share on other sites

Some people really need to learn more about how the internet and computers work before they waste a page of text.

 

 

 

Being hacked. No one likes experiencing it. I speak from experience when I say that typing in your password and hearing it's wrong makes my heart skip a beat. Whether they're low-life crooks or smart-[wagon] nerds that like pissing you off, there are still hackers out there influencing some of us.

 

Nobody has EVER had their account hacked on runescape, that would require breaching Jagex's servers and if a person was able to do that I guarantee you they wouldn't target some joe-shmo account, they would go after the credit card and billing records. Having their password cracked via attempting to login using a list of common passwords is another thing entirely.

 

 

"Lolwut? Ur nub, i has recovs n pass wid nrs so i cant be haxxored". So do I. I still got hacked.

 

"You probably got keylogged" No, I didn't. I only used this computer for 3 days visiting only TIF and RuneScape.com. I have scanned my computer and nothing was found.

 

No anti-virus is perfect, especially McAfee and Norton, you're better off using nothing than either of those two.

 

 

 

 

First of all: IPs. Now most users use IPs that are dynamic, which means they change every time. But RS traces your main IP, which doesn't change. You can be traced all the way to your ISP with the main IP. It's the IP you see at the top of your welcome screen.

 

My suggestion with this is pretty simple. Whenever your main IP changes, you'll be prompted to answer some recovery questions to log in. This would function in nearly the same way a bank pin does: If you log in, you type in your bank pin (in this case recovery question answers.). Once you've typed them in once, you don't need to type them in again till you log out (or in this case move house or use a different main IP in any other way). You'll only need to answer 5 or 3 of your recovery questions correctly to get in. This way you won't get annoyed and the only way a hacker can get in is by knowing your recovery questions. I hardly know my recovery questions so I doubt a stranger would. Also proxies won't be able to pass this defense.

 

 

You obviously have no concept of what a router or modem does. If a person is behind a router their computer has a localized LAN IP address (usually in the form of 192.168.0.100 or similar), their modem however has an external WAN address that is seen by websites and other people and services online. While your LAN IP might rarely change, your WAN IP can change quite frequently depending on your ISP and whether or not you pay for a static IP address.

 

 

A second suggestion would be an appeal history page. It would mention all your previous password appeals. If someone got into your account using this option, you would know since it'd be written in your history. It'll also say what IP did this appeal, so you can report it to Jagex if the appeal wasn't by you. This is a pretty simple suggestion, IMHO.

 

 

 

 

 

Now just one more last note. I remember this suggestion here that you'd have to type in your bank pin when logging in to avoid being keylogged. I like this suggestion too and so I'm mentioning it here. I say this should be an optional feature toggled on and off at your bank, so if you feel certain you won't get keylogged you can turn it off. Of course you wouldn't need to type in your bank pin once you're logged in. Also pin-related, when you go over a number, it disappears. They did this against keyloggers. The problem with this is that it's easy to check the other numbers and see which one is missing. So just make all numbers disappear when you go over one of them.

 

LOL, doesn't that defeat the point?

 

 

Thanks for reading, any constructive criticism is welcome.

 

There is going to be no constructive criticism since you have no idea what you are talking about.

You make it sound like running through a few level 87 monsters is hard which it really shouldn't be at your level.

riptide_mage.png

Link to comment
Share on other sites
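
The IP-change challenge proposed in the opening post, and the objections above that WAN addresses change often, can be compared directly. This is an added example, not part of the thread and not anything Jagex is known to run; the /24 grouping, the five-network limit, the account name and the sample logins (documentation address ranges) are all assumptions.

```python
import ipaddress
from collections import defaultdict


def network_key(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network (203.0.113.57 -> 203.0.113.0/24)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


class StepUpPolicy:
    """Ask for recovery answers only when a login comes from an unverified network."""

    def __init__(self, v4_prefix, v6_prefix, max_networks):
        if max_networks < 1:
            raise ValueError("max_networks must be at least 1")
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.max_networks = max_networks
        self._verified = defaultdict(list)   # account -> network keys, oldest first

    def _key(self, ip):
        return network_key(ip, self.v4_prefix, self.v6_prefix)

    def needs_challenge(self, account, ip):
        return self._key(ip) not in self._verified[account]

    def record_verified(self, account, ip):
        """Remember the network after the recovery questions were answered."""
        key = self._key(ip)
        nets = self._verified[account]
        if key in nets:
            nets.remove(key)
        nets.append(key)
        while len(nets) > self.max_networks:
            nets.pop(0)                       # forget the oldest network


def exact_ip_policy():
    # The proposal as posted: any change of the exact address triggers the prompt.
    return StepUpPolicy(v4_prefix=32, v6_prefix=128, max_networks=1)


def prefix_policy():
    # Assumed variant: group by /24 (or /48) and remember several networks,
    # so lease renewals and a home/work routine stop triggering the prompt.
    return StepUpPolicy(v4_prefix=24, v6_prefix=48, max_networks=5)


# Constructed sample: (account, source address, does this person know the answers?)
LOGINS = [
    ("main", "203.0.113.10", True),    # home
    ("main", "203.0.113.77", True),    # home, new dynamic lease
    ("main", "198.51.100.5", True),    # work
    ("main", "203.0.113.140", True),   # home, another lease
    ("main", "198.51.100.5", True),    # work again
    ("main", "192.0.2.44", False),     # stranger holding the stolen password
    ("main", "203.0.113.140", True),   # home
]


def simulate(policy, logins):
    """Count how often the owner is prompted and how many logins are refused."""
    owner_challenges = blocked = 0
    for account, ip, knows_answers in logins:
        if not policy.needs_challenge(account, ip):
            continue                          # known network: password is enough
        if knows_answers:
            owner_challenges += 1
            policy.record_verified(account, ip)
        else:
            blocked += 1                      # challenge failed, login refused
    return {"owner_challenges": owner_challenges, "blocked": blocked}


if __name__ == "__main__":
    print("exact IP :", simulate(exact_ip_policy(), LOGINS))
    print("by prefix:", simulate(prefix_policy(), LOGINS))
```

Both policies refuse the unknown network, but grouping has a cost: a login from inside an already verified /24 is not challenged, and an ISP whose address pool spans more than a /24 will still cause prompts.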

 

I never said to type in pins? Where did you get this from. And how can a keylogger predict a fraction of a second before you go over a certain colour?

 

For the most part people don't bother propagating simple keyloggers anymore, simply because with the popularity of broadband internet it's possible to stream a lot more information than just keys, most trojans now have a VNC client as well allowing the controller to view the victim's screen in real time, negating any sort of keylogger protection.

Link to comment
Share on other sites

The best anti hack method would be have each player take an IQ test before you allow anyone to register.

 

But then Jagex would lose out on a lot of money.

 

There are pins, passwords, recovery questions and appeals for a reason.

 

 

 

The main reasons people get "hacked" are:

  • Simple passwords
  • Common or easy to guess recovery questions
  • Using the same password and username on a different site
  • Answering your own recovery questions
  • Falling for old tricks (e.g. if you type your password backwards Jagex block it)
  • False runescape pages

 

 

 

None of them are things Jagex can help you with.

 

Common sense is needed more online than anywhere else (an mp3 isn't going to be 34kb, you aren't going to get $10 million for free, you won't get super special powers from something which costs $5, etc)

Link to comment
Share on other sites

Sorry, but Jagex servers are safe. It's 100% your fault if you get hacked.

 

That's a bit harsh. No server is entirely hack-proof.

 

There are plenty of things you can do to minimize the danger of being hacked, but the only way it's "100% your fault" is if you went around in-game yelling out "my password is "<whatever>". Hack me"

 

f2punitedfcbanner_zpsf83da077.png

THE place for all free players to connect, hang out and talk about how awesome it is to be F2P.

So, Kaida is the real version of every fictional science-badass? That explains a lot, actually...

Link to comment
Share on other sites

Sorry, but Jagex servers are safe. It's 100% your fault if you get hacked.

 

That's a bit harsh. No server is entirely hack-proof.

 

There are plenty of things you can do to minimize the danger of being hacked, but the only way it's "100% your fault" is if you went around in-game yelling out "my password is "<whatever>". Hack me"

 

Ever heard of a Jagex server breach? Yeah, neither have I. For the very few skilled enough to break into them, there's two options: Break into Jagex servers and get a high level RS account, risking long jail times if caught, or break into a bank's servers and get a few dozen credit card numbers then retire, risking long jail times if they get caught. Jagex servers have never been, and will never be hacked.

Link to comment
Share on other sites

Sorry, but Jagex servers are safe. It's 100% your fault if you get hacked.

 

That's a bit harsh. No server is entirely hack-proof.

 

There are plenty of things you can do to minimize the danger of being hacked, but the only way it's "100% your fault" is if you went around in-game yelling out "my password is "<whatever>". Hack me"

 

Ever heard of a Jagex server breach? Yeah, neither have I. For the very few skilled enough to break into them, there's two options: Break into Jagex servers and get a high level RS account, risking long jail times if caught, or break into a bank's servers and get a few dozen credit card numbers then retire, risking long jail times if they get caught. Jagex servers have never been, and will never be hacked.

 

 

 

Wasn't there a while ago a server breach? #-o

sig2-3.jpg

 

Three months banishment to 9gag is something i would never wish upon anybody, not even my worst enemy.

Link to comment
Share on other sites

I do think the RS servers were hacked a while back. I remember that some people made the members version of the game get stuck in a loop or something, and then some bad stuff happened (yeah, vague, I know). Jagex immediately took the game down and tried to fix it, which took quite some time.

 

 

 

Does anyone know what I'm talking about?

 

 

 

Oh, and if your account gets "hacked", then yes, it's your own fault.

Link to comment
Share on other sites

I do think the RS servers were hacked a while back. I remember that some people made the members version of the game get stuck in a loop or something, and then some bad stuff happened (yeah, vague, I know). Jagex immediately took the game down and tried to fix it, which took quite some time.

 

 

 

Does anyone know what I'm talking about?

 

 

 

Oh, and if your account gets "hacked", then yes, it's your own fault.

 

Don't remember anything about that, but that's completely separate from the account files...

Link to comment
Share on other sites

Also pin-related, when you go over a number, it disappears. They did this against keyloggers. The problem with this is that it's easy to check the other numbers and see which one is missing. So just make all numbers disappear when you go over one of them.

 

 

 

 

This is the only slightly decent suggestion in your thread. Simply because it would prevent those few keyloggers out there that are programmed to take a screenshot on every click.

 

The rest well... is either based upon lack-of/false knowledge, or just wouldn't be ideal to apply considering the many different playing habits of the Runescape community.

 

 

 

compfreak847 has already covered all of your points with accurate arguments against your suggestion... I'll leave it at that.

Link to comment
Share on other sites

Keylogger is the only real way to be hacked if you got good pass.

 

 

 

I'm thinking an onscreen keyboard to type passwords, i don't think keyloggers can log that, and pin upon login would be good as well.

 

 

 

Double security =D.

 

 

 

The onscreen keyboard raises the VK_KeyEvent delegates the same way a keyboard does, so it provides no protection.

Link to comment
Share on other sites

Keylogger is the only real way to be hacked if you got good pass.

 

 

 

I'm thinking an onscreen keyboard to type passwords, i don't think keyloggers can log that, and pin upon login would be good as well.

 

 

 

Double security =D.

 

 

 

The onscreen keyboard raises the VK_KeyEvent delegates the same way a keyboard does, so it provides no protection.

 

He is correct. The OSK uses the same event as an actual keystroke for maximum compatibility with programs, and in doing so leaves it wide open to keyloggers. Plus, they could still do the same thing they do for pins with a screenshot. Plus, that would be a huge pain. Just use an ounce of common sense and you'll never get hacked.

Link to comment
Share on other sites

Keylogger is the only real way to be hacked if you got good pass.

 

 

 

I'm thinking an onscreen keyboard to type passwords, i don't think keyloggers can log that, and pin upon login would be good as well.

 

 

 

Double security =D.

 

 

 

The onscreen keyboard raises the VK_KeyEvent delegates the same way a keyboard does, so it provides no protection.

 

He is correct. The OSK uses the same event as an actual keystroke for maximum compatibility with programs, and in doing so leaves it wide open to keyloggers. Plus, they could still do the same thing they do for pins with a screenshot. Plus, that would be a huge pain. Just use an ounce of common sense and you'll never get hacked.

 

 

 

I totally agree. I've played for a long time on a secure PC. Well my brother got a keylogger but it got found by antivirus so I changed my pass...

 

I've never got hacked and have played since RSC.

Thoroughly retired, may still write now and again

Link to comment
Share on other sites

  • 2 weeks later...

I have done it. I am a prof. hacker. It's simple. Even an amateur can steal a pass. As a matter of fact, it only takes 5 mins to get into Microsoft servers. Face reality, bro.

34sny53.png

enex2sigjpegkm3.jpg

Link to comment
Share on other sites

  • 3 weeks later...
And how can a keylogger predict a fraction of a second before you go over a certain colour?

 

 

 

pseudocode:

if MouseDown and ColourUnderMouse == PinButtonColour {
    SaveScreenshot(path);
}

Link to comment
Share on other sites
