Account Hijacking & Jagex� Item Return Policy

[lordkafei]

Hi everybody, You may be aware that a player with a considerable amount of in-game wealth was hijacked recently. We don't want to invade that player's privacy by naming names, but we understand that this topic is raising a lot of discussion among the community. As soon as we became aware of the situation we acted quickly banning the hijacker's accounts as well as removing any items & wealth stolen. Unauthorised access to online accounts whether it is your bank account or your RuneScape account is a criminal offence, it is illegal in the UK under the Computer Misuse Act 1990, and the USA's Computer Fraud and Abuse Act 1986 as well as equivalent legislation in many other countries around the world. Jagex have already successfully pursued a RuneScape hijacker in the UK using the above law. You can read about it on the BBC news website here. We want to send a clear message that hijacking is not clever and will not do you any favours, it is an illegal act and we regularly send information onto local law enforcement agencies. Currently we do not return lost/stolen items. This is why it is so important to make sure your account is as secure as possible. Make sure you do the following;

2. Set a Bank Pin. This will help protect your items if the worst happens and somebody accesses your account.
3. Set a Email Address to your account to help recover your account and secure it from others trying to gain access to it.
4. Choose tough Passwords that aren't easy to guess or very common.
5. Don't input your Username/Password into other websites! The only website you should use your RuneScape Username/Password for is the main RuneScape website.

Mod Mark H On behalf of the RuneScape Player Support Team

 

ref: RSOF QFC: 14-15-106-62560262

 

This is being alluded to on RSOF, and I found many hits to many fansites in Google also referring to this event. Without naming the player in question, I will only mention an accumulation of 1000-ish Santa Hats.

 

While I applaud Jagex going after the hijacker and stripping him of his ill-gotten gains, how in the name of Hades can you justify not returning the stolen e-items to their rightful owner?

 

If your house was broken into and the police recovered your items, yet refused to return them to you, all hell would break loose. Yet somehow, Jagex justifies their policy of never returning items in these cases.

 

How can you justify using the law as a pretense to seize those ill-gotten e-items and then not return them to the rightful accountholder? Please note that Mod Mark H cites US & UK code of law in his post.

 

I personally, am as disgusted with Jagex as I am with the teenaged punk who pulled this off.

 

Could a victim of e-crime not use those same codes of law to twist Jagex' arms in court and force the return of stolen e-property?

[K4ylan]

Because Terms of Agreement prevail over the law, considering that it is in fact a game, regardless of real-life value of these items.

[Jehosaphat]

This thread again. Really?

 

OT: It's policy. And I haven't seen them get sued for it yet, so it must be a legal policy somehow. Otherwise you'd have butthurt botting 12-year-olds having their parents sue Jagex's pants off.

[Afishinsea]

It's been Jagex's policy since the start, and if they change their position on it there is already a backlog of thousands upon thousands of players who have lost money from bugs, hacked accounts and so forth that would also need to have their items returned. They can't just change the policy because chessy is famous, nor would it be right to do so.

 

There are also a huge number of issues in returning items. If player B hacks player A, taking player A's blue partyhat and selling it anonymously on the ge to player C, how would you return the hat to player A without duping it?

[Stev]

Lol, why would they return her items? Simply because she's famous? If they do it for her, they'd better do it for me.

 

See my point?

[lordkafei]

It's been Jagex's policy since the start, and if they change their position on it there is already a backlog of thousands upon thousands of players who have lost money from bugs, hacked accounts and so forth that would also need to have their items returned. They can't just change the policy because chessy is famous, nor would it be right to do so.

 

There are also a huge number of issues in returning items. If player B hacks player A, taking player A's blue partyhat and selling it anonymously on the ge to player C, how would you return the hat to player A without duping it?

 

I acknowledge your points and I have no answer in those cases.

 

However, in this case - and I quote Mod Mark H - "As soon as we became aware of the situation we acted quickly banning the hijacker's accounts as well as removing any items & wealth stolen. " - which means they had the information they needed to return the items. There would be no duping in this case. But instead of returning them, they removed them forever.

 

If Mod Mark H had hidden behind "terms of service" then that would be different. But he didn't - he wrapped himself in the code of law. The victim in question should have recourse to recover those items from Jagex if Jagex is going to use that same law to seize them from the hijacker.

 

Items taken as a result of hacking can't be stolen when it is convenient for Jagex and not stolen when it isn't.

[Alphanos]

It's been Jagex's policy since the start, and if they change their position on it there is already a backlog of thousands upon thousands of players who have lost money from bugs, hacked accounts and so forth that would also need to have their items returned. They can't just change the policy because chessy is famous, nor would it be right to do so.

 

There are also a huge number of issues in returning items. If player B hacks player A, taking player A's blue partyhat and selling it anonymously on the ge to player C, how would you return the hat to player A without duping it?

 

I acknowledge your points and I have no answer in those cases.

 

However, in this case - and I quote Mod Mark H - "As soon as we became aware of the situation we acted quickly banning the hijacker's accounts as well as removing any items & wealth stolen. " - which means they had the information they needed to return the items. There would be no duping in this case. But instead of returning them, they removed them forever.

 

If Mod Mark H had hidden behind "terms of service" then that would be different. But he didn't - he wrapped himself in the code of law. The victim in question should have recourse to recover those items from Jagex if Jagex is going to use that same law to seize them from the hijacker.

 

Items taken as a result of hacking can't be stolen when it is convenient for Jagex and not stolen when it isn't.

 

I agree completely. If Jagex doesn't reconsider, I think that Chessy018 should sue Jagex over this. Early discussions on the matter estimated her bank to be worth well over $100,000 in real life cash. Although I agree with Jagex's policy against RWT, I think the prevailing black market rates give at least a minimum figure of those items' value to her.

 

It's true that Jagex doesn't have the manpower to investigate all claimed cases of item loss, and though unfair even in general, in aggregate their existing policy provides the most benefit to the most players. This is considering how many fewer updates, etc, we'd get if they were expending so much manpower on lost item claims. However that general situation doesn't hold true for this specific case, as stated, because they already used the manpower to resolve a high-profile case, so no additional resource expenditure is needed to return Chessy's items.

 

This is like the police having a policy where they can't reimburse everyone for stolen property, since in many cases the property can't be found or the perpetrators can't be tracked down. However, in this specific case, they caught the thieves, have the goods in a pile at the police station, and when Chessy shows up asking for the items, they instead set them on fire while informing her they can't be bothered to return stolen property.

 

The magnitude of the unfairness here is unbelievable.

[Afishinsea]

What you ignore is that ingame items are not property. They are values stored in a database that is sitting on Jagex-owned hardware, and Jagex can do whatever they want with them.

[Alphanos]

What you ignore is that ingame items are not property. They are values stored in a database that is sitting on Jagex-owned hardware, and Jagex can do whatever they want with them.

 

This is semantics. Property doesn't need to be physical things, and can certainly be values in a database. Corporations often have millions, or even billions of dollars in intangible property, such as patents, copyrights, trademarks, etc.

 

As for Jagex's right to do whatever they want with the intangible property, I agree 100% that this is stated in the EULA that we all must agree to in order to play the game. However, I'm sure that when this agreement was written, nobody expected that players' virtual wealth could be valued at hundreds of thousands of dollars in real life cash. Again, this is not in support of RWTing, but merely pointing out that capitalism has supplied formulae by which virtual items can have real-life value estimated and assigned to them. In light of this, I would hope that the courts would rule that the player had some legitimate claim to their virtual possessions.

[Star_Fox]

Lol, why would they return her items? Simply because she's famous? If they do it for her, they'd better do it for me.

 

See my point?

 

I never really liked "her" but I do kind of feel bad since the terrible loss she suffered could of given "her" a fortune.

 

I wonder how she feels though. :twss:

[MightyMuddy]

Lol, why would they return her items? Simply because she's famous? If they do it for her, they'd better do it for me.

 

See my point?

 

This. Unfortunately for her, she's broke now. Not to mention 1000s of rares being deleted. (please correct me if I'm wrong).

 

I never really liked "her" but I do kind of feel bad since the terrible loss she suffered could of given "her" a fortune.

 

I wonder how she feels though. :twss:

I really hope they aren't gone, what a waste of 1000s of rares :(

[dirk4slayer]

Correct me if I'm wrong, but if you'd have decent security measures on your account you would never get into this kind of trouble, and it is still very much my opinion that if you do get hacked it is your own fault for not sufficiently protecting your account against it, and thus it should be you responsible for any items stolen/lost. After all, if Jagex would start to give items back now simply because the person in question lost a 1000 Santa Hats, what would stop me from asking Jagex to return the 500K I lost when I got hacked?

[glasscube]

Correct me if I'm wrong, but if you'd have decent security measures on your account you would never get into this kind of trouble, and it is still very much my opinion that if you do get hacked it is your own fault for not sufficiently protecting your account against it, and thus it should be you responsible for any items stolen/lost. After all, if Jagex would start to give items back now simply because the person in question lost a 1000 Santa Hats, what would stop me from asking Jagex to return the 500K I lost when I got hacked?

Well statistically never, yes. It wouldn't be impossible though. Even RSA Security had someone infiltrate their systems, and they know a little more about computer security than the vast majority of runescapers.(Kinda reminds me of the old saying 'the only safe computer is one that isn't connected to a network' or something along the lines of)

 

And then you think about the fact that her items were worth over $100k and suddenly you got a lot of incentive.

[strilmus]

Well, it was their choice to destroy all those rares forever

 

let's just say for the sake of hypothetical situations, that even if we were to follow all these tips

 

and our stuff still gets jacked

 

we still wouldn't get them back

 

because apparently it is our fault

 

this is the impression that I get from Jagex

[Randox]

First off, there would be a [cabbage] storm of craptacular proportions if Jagex went back on that policy now. Nothing short of a retroactive reimbursement going back to '01 would be able to prevent that, and for good reason. It would be amazingly unfair to everyone who didn't get their compensation.

 

Secondly, Jagex puts monumental efforts into account security. If there is one thing I will stand by them on, its that they have done or tried to do everything humanly possible to ensure accounts don't get hacked, including an offer to subsidize isolated random key generator devices that would have made accounts 100% secure to everything short of stealing the generator itself, and the community spat in Jagex face for it. I believe the account in question was compromised when enough information was gathered to crack its recovery questions, something that shouldn't be possible to do (the best recoveries are strong passwords unrelated to the questions). Players really do have a pretty big part to play in keeping their account secure, and it goes way beyond a good anti virus program and avoiding sketchy RS related sites. Everything that stands between people and access to your account needs to be strong. Things like passwords, recoveries, email security if that's tied in, not using public computers, not using unsecured or, for the extra paranoid, WEP encrypted wireless (WEP can be cracked without resorting to pass guessing). You have to make sure no one ever sees you type in your pass, make sure that you never tell it to anyone or share your account. Don't log into runescape with a mobile device, its security is probably no where near up to par with your PC.

 

I would much rather Jagex put their time into banning things like macros than working on returning all the lost stuff resulting from hijacking, and I applaud their efforts to try and take real world action against people who do this sort of thing.

[RU_Insane]

Correct me if I'm wrong, but if you'd have decent security measures on your account you would never get into this kind of trouble, and it is still very much my opinion that if you do get hacked it is your own fault for not sufficiently protecting your account against it, and thus it should be you responsible for any items stolen/lost. After all, if Jagex would start to give items back now simply because the person in question lost a 1000 Santa Hats, what would stop me from asking Jagex to return the 500K I lost when I got hacked?

 

I'll correct you. The issue only takes a few minutes to research. First of all, her account was not hacked, it was recovered. There were several people from Final Ownage Elite, at least three of them I have heard of now but will not name, who had worked together to recover her account. They did this by collecting her personal information and abusing a flaw in the recovery system. The person's account had been inactive for several months as far as I am aware, so the 'crackers' as they were just waited for the bank PIN on the account to expire. The person in control of the account at that time chooses three days or seven days for the PIN to expire, and logically here the choice would be three days if the hackers were looking for the biggest haul in the shortest amount of time.

 

So they only needed to wait three days for the PIN to expire, which was very easy considering the person is inactive, so she did not know that her PIN had a cancellation request pending on it. The perpetrators stole about 175 billion GP from the person's account, which was also her entire bank, and dispersed the ill-gotten wealth amongst themselves and traded other people whom they did not know to show what they had stolen. In the process, the infiltrator had went into the person's clan chat and publicly framed another very wealthy player for the scheme, and then promptly logged out. The schemers were dealt with pretty quickly seeing as how they posted pictures of their gains. The victim's account was locked, and the intruders were permenantly banned.

 

The person had a bank PIN, she was just inactive so it was easy for the perpetrators to forcefully expire it. I'm sure someone with her level of wealth would take some of the most cautious measures to ensure that her computer were safe from any keyloggers or trojans and the like. It's a fallacy to assume that the reason her account was broken into was because her computer was insecure. The people recovered the account, so it's most likely that the information they used to recover it, if the person was smart, was very personal. If she was not paying as much attention when setting her recoveries, she most likely used information that would only take a few minutes to retrieve the aforementioned account.

 

These are my own thoughts now, but I think it's safe to presume that the information used could not endanger her real life wealth, meaning the information was personal but not necessarily harmful, because it makes no sense to retrieve someone's credit card number or social security and use them to crack into someone's account on a video game when potentially more could be made from stealing from the former.

 

I also think since so many rares have now left the game because the accounts were banned or locked, that rares will experience quite a sharp rise in price. And since the victim in question is also inactive, I doubt if she knows her account has even been broken into. She is in for quite a surprise when she logs back on. :-/

[Alphanos]

The above is an excellent reason to avoid linking things like a Facebook account to a Runescape account. Although I understand their marketing incentive, it is irresponsible for Jagex to advocate these connections, security-wise.

 

Regarding the effect on the rate market, any actual effect will be solely due to unfounded panic. Most estimates have put the lost items at closer to 200 billion, but more importantly these items weren't in the market to begin with. The player who lost the items was well-known to hoard rares, not putting them back into the market. If anything, her newfound lack of wealth should decrease demand for rares, since if she should return to Runescape it will take her much longer to resume acquiring and hoarding rares.

 

I don't know the exact means used by the perpetrators to gain the relevant recovery answers for the account in question. Maybe the account's owner really is partially to blame for connecting Runescape and social networking accounts, but many players do this, and Jagex is now encouraging it. If Jagex proposes recovery questions that could be answered by i.e. viewing the account holder's Facebook page, and also encourages players to associate their Runescape and social networking accounts, doesn't that place at least some of the responsibility on them?

[Star_Fox]

Correct me if I'm wrong, Geek, but I believe a majority of those rares were sold to the public before the ban took place. So

in theory, rares might dip a little or even crash for that matter since one of the biggest rare hoarders are gone. A youtube

video shows the hacked acc pleading to give all the items away and quitting by framing a known person. The hacked acc

actually instead, sold the items, including the santa hats for a considerably cheaper price. The certain youtube video also has pictures

of the hack that took place when santas and green partyhats were being sold to the GE. So the rares stolen might have a

very minimal effect on the market, but I can't speculate that rares may rise since so many hoarded rares have now reached

circulation again.

 

The FOE people used personal information to "recover" the account. My guess is that this was

all done from sensitive information leaked by her Facebook, Twitter, or even her RS clan chat and Youtube channel.

 

~My last post was when I just figured this out. So sorry if I sound a little contradicted.

[glasscube]

I don't know the exact means used by the perpetrators to gain the relevant recovery answers for the account in question.

There have been bugs in the recovery system before, so it wouldn't surprise me. It used to be possible to randomly recover really old accounts.

[Tim]

Karma came and hit her for her greedyness. Doesn't bother me one bit.

[RU_Insane]

The above is an excellent reason to avoid linking things like a Facebook account to a Runescape account. Although I understand their marketing incentive, it is irresponsible for Jagex to advocate these connections, security-wise.

 

Regarding the effect on the rate market, any actual effect will be solely due to unfounded panic. Most estimates have put the lost items at closer to 200 billion, but more importantly these items weren't in the market to begin with. The player who lost the items was well-known to hoard rares, not putting them back into the market. If anything, her newfound lack of wealth should decrease demand for rares, since if she should return to Runescape it will take her much longer to resume acquiring and hoarding rares.

 

I don't know the exact means used by the perpetrators to gain the relevant recovery answers for the account in question. Maybe the account's owner really is partially to blame for connecting Runescape and social networking accounts, but many players do this, and Jagex is now encouraging it. If Jagex proposes recovery questions that could be answered by i.e. viewing the account holder's Facebook page, and also encourages players to associate their Runescape and social networking accounts, doesn't that place at least some of the responsibility on them?

 

Nicely worded. I agree that some of the blame is potentially on Jagex for encouraging players to associate their accounts with such personal data. It goes against their advice to keep their recoveries personal, but a few key recovery questions and other pertinent information could be deduced simply from viewing a profile page like FaceBook that disseminates such personal information.

 

Especially with how FaceBook is centered around connecting with old friends and family it seems, the relevant information for one to reconnect with a signifigant figure is made publicly avalible, and that same personal information that really at best, only your family should know about you is of course made public because FaceBook capitalizes on connections.

 

It's not FaceBook's fault of course, but the way Jagex approached the issue of advertising themselves (although other gaming companies do it too I suppose) completely eschewed any personal connection that FaceBook capitalizes on as an objective to keep their site running. If it's personal information that can endanger your account, keep it personal. If that same information exists on your public profile where you're going to link it with Jagex, don't link it, because other people can draw connections between your game account information and personal information.

 

In short, I would also agree that it's partly the account owner's fault for not fully thinking through the ramifications of associating themselves with Jagex on a site not affiliated with it, but Jagex chooses to advertise itself on. Had FaceBook and Jagex been official partners, such information would been eschewed from being divulged because Jagex could easily control the flow of personal details pouring through between the two sites by setting limits.

 

They would foresee these security threats because they're not in the exact frame of mind -- that is to advertise by taking advantage of what FaceBook gives them to do whatever -- rather than to set their own objectives with their own predefined limits as to how to reach them. In short, if Jagex had advertised themselves through a medium where they could control the flow of information being divulged, Jagex could advertise themselves to the public successfuly while also ensuring that no one could endanger their account by posting sensitive data.

 

Correct me if I'm wrong, Geek, but I believe a majority of those rares were sold to the public before the ban took place. So in theory, rares might dip a little or even crash for that matter since one of the biggest rare hoarders are gone. A youtube video shows the hacked acc pleading to give all the items away and quitting by framing a known person. The hacked acc actually instead, sold the items, including the santa hats for a considerably cheaper price. The certain youtube video also has pictures of the hack that took place when santas and green partyhats were being sold to the GE. So the rares stolen might have a very minimal effect on the market, but I can't speculate that rares may rise since so many hoarded rares have now reached circulation again.

 

The FOE people used personal information to "recover" the account. My guess is that this was

all done from sensitive information leaked by her Facebook, Twitter, or even her RS clan chat and Youtube channel.

 

~My last post was when I just figured this out. So sorry if I sound a little contradicted.

 

I've heard about rares being sold before they were banned. Since I presume the buyers got the rares for cheaper than usual, they have an incentive to sell them to make a quick profit, as opposed to the items technically not existing on the market either way because the rares are just sitting in her bank. So since I presume they'll be on the market, prices will definitely fluctuate. I would think the prices would go up because the people they sold the rares too would be looking to profit. The only factor I foresee changing any price drastically is panic trading. Since a profit is to be made from those rares, the stolen rares are obviously existing on the market.

 

Since the majority of rares have been sold as opposed to the minority banned, it's fallacious to assume that prices will go up simply because the perpretators were banned. The majority of the stolen rares are being traded on the market, so the same supply of rares meets the demand as before. Thus, according to basic economics, the prices should not fluctuate outside their parameters defined by this sustained supply and demand. My mistake espoused the opposite conclusion in my closing thoughts of my first post. However, since the vast amount of the populace seems to be in direct opposition to critical thinking, they will of course panic and cause prices to rise.

 

An interesting explanation I heard is that, should Chessy ever return to RuneScape and find herself looted, demand and thus prices would fall for rares because Chessy would be regaining her wealth. The populace would know that Chessy is no longer in possession of these rares, so it would be pointless for the demand to rise because demand assumes that supply still exists. However, even if the vast amount of rares were instead banned as opposed to being redistributed through the market, demand would fall because those rares were gone -- and you can't demand something you know someone doesn't have. Interesting take on the issue. It's not what I espouse, but interesting nonetheless.

[Star_Fox]

Karma came and hit her for her greedyness. Doesn't bother me one bit.

 

On the contrary, she did teach the unfortunate how to make money, provide new methods and schemes to make profit,

donated to fans/subscribers and made friends with plenty of Jagex moderators. I can't say this is Karma's work

but yeh, I personally don't like her either and I rather this happen than the opposite. :rolleyes:

[Nopenope]

Runescape is quite the interesting game.

[RU_Insane]

Karma came and hit her for her greedyness. Doesn't bother me one bit.

 

On the contrary, she did teach the unfortunate how to make money, provide new methods and schemes to make profit,

donated to fans/subscribers and made friends with plenty of Jagex moderators. I can't say this is Karma's work

but yeh, I personally don't like her either and I rather this happen than the opposite. :rolleyes:

 

She seems to be a very kind soul from what I've heard of her. She gave crucial flipping advice to budding merchants. She had cash, but she gave knowledge, which can only work to produce in reciprocity. Give her a few mill and she'll be back in a few months to what I hope will be a large fraction of her former wealth. By then far more wealth will have entered the game and been distributed amongst the populace than what has been lost by one!

[Civu]

She didn't really get ''hacked'', her account got recovered somehow. The hacker made a topic on foe-rs.com/forums (final ownage elite forums) but it got locked and hidden very fast. If jagex gives her stuff back they will have to give everyone who loses things to hacks from now on stuff back and that us too much work for them, that's why they don't do it I think + people will lie about it etc