10th July 2009 - The Jagex Anti-Hijack System and DevBlog

[jsboutin2]

Someone knows what happens if you lose it?

 

 

 

Because I can see many people losing it.

[brunokiller]

With the Jagex security key, we would be so confident that your account is secure that we could consider adding expanded bank space to those accounts that are protected by the Jagex security key.

 

 

 

So in a sense we are paying money for extra bank space?

[Omali]

I am disgusted by the thought of the anti hijack system jagex has planned. It is YOUR responsibility to make sure your computer is safe and that your account is secure. If you are un-able to do so its your fault if you get hacked.

 

 

 

Oh god, cry some more. Get with the times, this system is the next generation of account security, and even credit card companies are working on similar systems to protect against identity theft. The "if you lose your account, [bleep] you" ideal is why the only direction you'd run a company, would be into the ground.

 

 

 

As insane as it is, the idea of poetic justice for people who get their account stolen isn't good for business, which Jagex is, and should be, primarily focused on; keeping customers, paying or not. I'd like to see these people in real life.

 

 

 

"If your car gets stolen it's your fault for it being hot-wireable"

 

"If you get shot it's your fault for standing on front of the bullet. Why should the police have to protect your dumb [wagon]?"

 

 

 

It seems to me jagex is attempting to sell bankspace for 10 -20 dollars which is mind blowing. It seems soon they will be selling more upgrades in-game to get your money, I am very disapointed -.- .

 

 

 

Yea, because a couple extra spaces as their guarantee your account will never be hacked = Jadflax Reel Werld Treding. Did you see their post about back-end system upgrades? Clearly this is a sign that SAILING WILL BE THE NEXT SKILL. And BOUNTY HUNTER'S GETTING REMOVED. And some other half-baked lame, irrelevant conclusion I can come up with to complain some more!

[Veryhyper]

I thought this was a joke until I saw the results of the poll.

 

 

 

This is ridiculous.

 

 

 

If you get hacked, etc: it is most likely your own fault. The vast majority of people who got "hacked" entered their password on another site or gave it to a friend, or downloaded something suspicious on a RuneScape phishing site.

 

 

 

Think about this:

 

 

 

You want to log on for a good game of scape.

 

 

 

First you have to dig around in your purse/wallet/bag/desk for this odd-looking "dongle." Whoops, I think I lost it, going to have to wait a couple weeks to play RS again.

 

 

 

New one comes: you squint at it to see an 8-digit code and enter it.

 

 

 

Then you enter your password.

 

 

 

You find yourself in the world of RS, in a bank. You try to open the bank to see your new shiny bank space.

 

 

 

Please enter your PIN.

 

 

 

Ah, there's your new bank. You see that you have some essence that you want to craft at the ZMI altar, but you're not on the ZMI-themed world and wish to runecraft there. You log out.

 

 

 

And have to do it all again.

 

 

 

 

 

 

I believe you only input the key as a last resort sort of thing not every time you log in. Sort of like recovery questions.

[Omali]

 

I believe you only input the key as a last resort sort of thing not every time you log in. Sort of like recovery questions.

 

 

 

Nein. It generates a one-time password based on the player's account, that is only valid for a limited time (usually for a couple minutes, or until you log in, whichever comes first). This way, if someone tries to keylog you and use that password, by the time they try it, it'll be invalid.

 

 

 

It's foolproof, unless you get the USB key physically stolen or lose it.

[Racheya]

I personally wouldn't buy one - I'm confident in my security. But I can see why it'd be beneficial. I've heard many stories here about people with [developmentally delayed]ed parents that get viruses and stuff on their computer every day, I can see it being useful then.

 

 

 

The extra bank space would be cool too, though not entirely needed.

[Lunar_Drifter]

For the majority of people on this forum, I'd say it wouldn't be a problem- after all, our IQ is higher than most 'scapers. But for the endless amounts of 12 year olds that willy-nilly download stuff, or kids that have invasive siblings, or ones with careless parents, or ones who want to play at a different computer (and they don't know how secure it is)- this would be good.

 

 

 

How does it work, though? I'll have to look up the Enterprise two-factor authentication solution. Does the device wirelessly speak with the servers to update the password? If not, then I think these things could be cracked easily. If the "dongle" creates the passwords based on some complex algorithm, then that algorithm would probably be figured out eventually just like every other program for PC that has a keygen.

 

 

 

I think the back-end stuff could lead to a more advanced hi-scores page. Such as having experience trackers and whatnot built in. Also, more features for the forums and GE page. Wasn't MMG just at a Java Event and said the servers hadn't been rebooted in 5 years? I guess that inspired him. ;)

[x_bow80]

So with the Back-end improvements, does that mean that we can hop from server to server faster? Cus that would be awesome.

[Riptide Mage]

If its an RSA SecurID token it would be nice if Jagex would allow users that already have one for other reasons to use their existing one instead of having two to keep track of.

 

 

 

http://www.rsa.com/node.aspx?id=1156

 

 

 

For the majority of people on this forum, I'd say it wouldn't be a problem- after all, our IQ is higher than most 'scapers. But for the endless amounts of 12 year olds that willy-nilly download stuff, or kids that have invasive siblings, or ones with careless parents, or ones who want to play at a different computer (and they don't know how secure it is)- this would be good.

 

 

 

How does it work, though? I'll have to look up the Enterprise two-factor authentication solution. Does the device wirelessly speak with the servers to update the password? If not, then I think these things could be cracked easily. If the "dongle" creates the passwords based on some complex algorithm, then that algorithm would probably be figured out eventually just like every other program for PC that has a keygen.

 

 

 

I think the back-end stuff could lead to a more advanced hi-scores page. Such as having experience trackers and whatnot built in. Also, more features for the forums and GE page. Wasn't MMG just at a Java Event and said the servers hadn't been rebooted in 5 years? I guess that inspired him. ;)

 

 

 

The devices use an algorithm with a unique seed for each device to generate the next number. It may be possible to attempt to predict the next value using a program such as Cain, but it would require knowing a large number of sequentially generated values. Even if the algorithm is fully known it will be nearly impossible to know what account is using what seed or what itteration the device is currently on. Most large companies use similar devices to control remote access to their LAN networks via a VPN, if there was a risk of the system being broken Runescape would be the last of the crackers thoughts.

[Lunar_Drifter]

Thanks for the insight. I really didn't know much about it, but I see now. If I cracked the system, I'd be hitting up some big companies too. :D

[Utopianflame]

So with the Back-end improvements, does that mean that we can hop from server to server faster? Cus that would be awesome.

 

 

 

 

 

The 30 second delay between worldhops is not a technical limitation, it is a now redundant method of stopping people from constantly buying out all the runes in shops (among other things, but that was the main one at the time) using custom browsers that had auto-login features (RHQ's Xplorer in particular at the time). As shops no longer sell runes vastly below market price and have an infinite stock this is not exactly much use anymore.

[swordb88]

I am disgusted by the thought of the anti hijack system jagex has planned. It is YOUR responsibility to make sure your computer is safe and that your account is secure. If you are un-able to do so its your fault if you get hacked.

 

 

 

Oh god, cry some more. Get with the times, this system is the next generation of account security, and even credit card companies are working on similar systems to protect against identity theft. The "if you lose your account, [bleep] you" ideal is why the only direction you'd run a company, would be into the ground.

 

 

 

As insane as it is, the idea of poetic justice for people who get their account stolen isn't good for business, which Jagex is, and should be, primarily focused on; keeping customers, paying or not. I'd like to see these people in real life.

 

 

 

"If your car gets stolen it's your fault for it being hot-wireable"

 

"If you get shot it's your fault for standing on front of the bullet. Why should the police have to protect your dumb [wagon]?"

 

 

 

It seems to me jagex is attempting to sell bankspace for 10 -20 dollars which is mind blowing. It seems soon they will be selling more upgrades in-game to get your money, I am very disapointed -.- .

 

 

 

Yea, because a couple extra spaces as their guarantee your account will never be hacked = Jadflax Reel Werld Treding. Did you see their post about back-end system upgrades? Clearly this is a sign that SAILING WILL BE THE NEXT SKILL. And BOUNTY HUNTER'S GETTING REMOVED. And some other half-baked lame, irrelevant conclusion I can come up with to complain some more!

 

 

 

big man trying to start a fight on forums? g4u

[Skull]

I'm lol-ing at all these negative reactions. It's optional, which means YOU don't need to buy it. I personally won't be since it seems way overboard to me. But to some people who have put thousands of hours into getting the best account and items they can, it's understandable why they'd want to buy one. And it's a good system of keeping things secure, lots of top companies, companies with defense contracts, government branches, etc use them to keep their information secure. However this is the first time I've heard of this system being used in a game. I'm interested in seeing how this turns out.

[jimv]

Well gotta say that RWt by Jagex is very hypocritical. :shame: I am against RWT by anyone by the way. But the fact that they have to offer something like this does kind of say something about the intelligence level of the average runescape player. #-o It also speaks to how pathetic some people have gotten that they would actually hack a game account. :wall:

 

 

 

The back-end update sounds good, but they need to get rid of the Dell servers. They can't even build a good or reliable computer. :roll:

 

 

 

Hopefully the back-end update will make the game somewhat faster and some new things possible, but you still have to figure that it is Jagex that will be trying to implement these new things. :wall:

 

 

 

Would like to see an official stat tracker system set-up, just for S&Gs.

[Tesset]

I like the idea. This is what I wrote on the RSOF:

 

 

 

A few things I thought of:

 

 

 

How would the system work? Would it be a last resort, like recovery passwords, or would it work the same as a password?

 

 

 

Would we be able to set this up for multiple accounts for 1 system. I.E. could someone set up their main as well as a noob on one system?

 

 

 

If so, and if bankspace was decided upon, would both characters get the bankspace? Or just one?

 

 

 

Could this be used in a system to lock our accounts should we decide to move on from Runescape? If we quit, could we lock our accounts then use this to come back?

[Omali]

big man trying to start a fight on forums? g4u

 

 

 

Recipe for Internet Success: Don't respond to any points, just make personal attacks. It won't reinforce the fact that you're crying for the sake of crying. Also, a fight implies some sort of reaction. Any battle of logic and wits between us would be akin to Bruce Campbell fighting a toddler.

 

 

 

It's optional, which means YOU don't need to buy it.

 

 

 

+1

 

 

 

It also speaks to how pathetic some people have gotten that they would actually hack a game account.

 

 

 

Not any more pathetic than usual. WoW implemented a similar service just in the past year or so, and from what I hear it works flawlessly.

[jimv]

Not any more pathetic than usual. WoW implemented a similar service just in the past year or so, and from what I hear it works flawlessly.

 

 

 

True in regards to seems to be the usual. Still doesn't make it any less pathetic.

 

 

 

As for the doing every time to switch worlds discussed earlier in the thread, this is in the aticle; "The key will reveal a six to eight-digit code that changes every few seconds and is completely unique to you." So figure in the timer to switch and yes you would have to re-enter the code everytime you change worlds. As every time you cahnge you are re-logging into your account. Can't see many rune miners wanting this.

[XxTearGodxX]

You have got to he kidding me, anyone with half a god damn brain knows how to keep their account safe.

[jettrider]

I'm lol-ing at all these negative reactions. It's optional, which means YOU don't need to buy it. I personally won't be since it seems way overboard to me. But to some people who have put thousands of hours into getting the best account and items they can, it's understandable why they'd want to buy one. And it's a good system of keeping things secure, lots of top companies, companies with defense contracts, government branches, etc use them to keep their information secure. However this is the first time I've heard of this system being used in a game. I'm interested in seeing how this turns out.

 

 

 

I'm aware of that. It's a complete waste of Jagex's time and energy, and I was stunned to see how many people stupidly went along with the flow and voted they would pay $10-20 to slow themselves down because they really are that concerned. (This is not to throw a blanket statement out there, I understand that some people really are concerned and would like one.)

 

 

 

Again: it's a game. You have a password which can be stolen, hacked, or given out. That's why they made PIN numbers, so that the concerned could slow themselves down a little bit to prevent financial damage should their password get stolen. There is that line between accessibility and security. But this goes so far over that line that my initial reaction can't help but be negative and somewhat inflammatory.

[DUELMASTER30]

Even if this does come out, I wont buy one. I've had my account for about four years and 9-10 months and I've never gotten hacked. I just hope they give the bank space to everyone, or else they really are selling bank space for money, with a little add-on.

[Omali]

You have got to he kidding me, anyone with half a god damn brain knows how to keep their account safe.

 

 

 

You're referring to a small minority of the Internet. The rest are the reason why Drain-o has a warning saying "Do not drink".

 

 

 

But this goes so far over that line that my initial reaction can't help but be negative and somewhat inflammatory.

 

 

 

This isn't "so far over the line". If you haven't noticed, credit card companies are taking the same approach, and it's already been tested and works flawlessly.

 

 

 

I once had my credit card stolen because a company I did business with had a security breach, and lost a few million credit card numbers. That company was Sears. If my card had this system in place, I wouldn't have had to even bother going through the process of locking my card and making sure that no transactions were being made on it.

 

 

 

I've had my account on Runescape for 6 years, and for my entire time on the internet I have NEVER had an account stolen. But it's like they say, it only takes one time.

[Omali]

If you'd like a link to the credit card system I've been talking about, I found an article from 08 here:

 

http://www.trustedreviews.com/periphera ... it-Card/p1

[Dark_Lord]

It's rather disgusting to see Jagex come out with something like this, mainly for the fact that they want to charge people for it. We already pay to play their game, and giving the possibility to buy something to keep our account more safe seems over the top. They should be doing that in the first place. It's clear they are only doing it for the money, and it isn't truly for the customers.

 

 

 

What's even worse is that they're trying to make it more 'sellable' by adding more bank space with it. What does bank space and account security have to do with each other? It's just another ploy to get more money, with little concern for the customers. They're just trying to pretend they care.

[Makoto_the_Phoenix]

I'll be honest - when I read the news article, I thought it was an April Fools' joke, 3 or so months late. But then I thought about it, and I think that such a system would be rather helpful, for those of us that are technically paranoid. To begin with, it would be possible to play at public terminals which are very insecure, and it would also guarantee that Player X really belonged to Patrik.

 

 

 

However, I don't like the idea in principle. It's definitely a step in the right direction, but you have to stop and think about this - have we really come to the point where we have to secure data with 2/3 of the Security Triangle* in RuneScape?

 

 

 

Again: it's a game. You have a password which can be stolen, hacked, or given out. That's why they made PIN numbers, so that the concerned could slow themselves down a little bit to prevent financial damage should their password get stolen. There is that line between accessibility and security. But this goes so far over that line that my initial reaction can't help but be negative and somewhat inflammatory.

 

 

 

Remember - it's optional. I know you mentioned that. But, for the technically inclined/hyper paranoid, slower access to data to ensure its security is often times a healthy trade-off. This would also help if some higher level, well known player's account was compromised somehow.

 

 

 

To be honest, I might give this system a look; if I don't like it, I should be able to turn it off. It'd be an exercise in cryptography to see how well it works, too.

 

 

 

*[This refers to three things about you to keep information secure - something you have, something you know, and something you are. In English, this means a security dongle (USB device or something else), a password/PIN number, and biometrics information, be it fingerprints or retina scans.]

 

 

 

 

 

[EDIT]

 

It's rather disgusting to see Jagex come out with something like this, mainly for the fact that they want to charge people for it. We already pay to play their game, and giving the possibility to buy something to keep our account more safe seems over the top. They should be doing that in the first place. It's clear they are only doing it for the money, and it isn't truly for the customers.

 

 

 

What's even worse is that they're trying to make it more 'sellable' by adding more bank space with it. What does bank space and account security have to do with each other? It's just another ploy to get more money, with little concern for the customers. They're just trying to pretend they care.

 

 

 

1) How is it disgusting to see that Jagex cares enough about their customers' data to offer this service?

 

2) Did you honestly believe that it would be free?

 

3) It's an idea they're tossing around - if you wanted to use the dongle, you get a boost in bank space. If you don't, you're fine. But I don't know anyone that has used all 496 spaces of bank space anyway.

 

 

 

Dark_Lord, perhaps you should look more into security practices before flying off the handle about stuff you just don't understand.

[Utopianflame]

It's rather disgusting to see Jagex come out with something like this, mainly for the fact that they want to charge people for it. We already pay to play their game, and giving the possibility to buy something to keep our account more safe seems over the top. They should be doing that in the first place. It's clear they are only doing it for the money, and it isn't truly for the customers.

 

 

 

What's even worse is that they're trying to make it more 'sellable' by adding more bank space with it. What does bank space and account security have to do with each other? It's just another ploy to get more money, with little concern for the customers. They're just trying to pretend they care.

 

 

 

Certainly for the lower of the two prices in the poll profit wouldnt really be an issue (ie there wont really be any to speak of), the bankspace 'offer' is therefore likely to try an encourage a higher usage percentage. Possibly to save on customer support time so the time spent on account recovery can be reduced and re-allocated (or just removed).