
Anyone hacked lately?


@Dan3HitU

i wish old accounts had the option to change their login name to an email. if you kept that email secret from everyone, i literally think you would be unhackable. i doubt it would be too hard to implement.

Well I wouldn't say unhackable, just less likely.

 

Wish the idea of the dongle came through back then. :( I wouldn't mind shelling out $30 or so for double authentication log in.


well how would it be hackable? they would need the email to login, and if no one ever knew it other than you, poof problem solved. only risk is someone behind your back physically watching you enter it in. so long as you make sure you have no keyloggers, since recoveries suck for security


well how would it be hackable? they would need the email to login, and if no one ever knew it other than you, poof problem solved. only risk is someone behind your back physically watching you enter it in. so long as you make sure you have no keyloggers, since recoveries suck for security

 

Well for example if someone were to hack a fansite, see that you post pictures with your account and choose you as a target. Then use the email you use to log into the forum as a login name for rs. Obviously using that rs email for the fansite as well wouldn't be a very safe idea for said user, but typically people get hacked from slip ups just like that. There are plenty of people who use the same emails/passwords for everything. But yes it would increase account security a lot. The problem is most people are not very aware of account/internet security until it is too late. Especially when you look at how free rs is (all things considered you can sign up and play from just about anywhere at anytime and have a large "casual" userbase) i see only a minority taking security seriously. There would also be ways of luring people into emailing them. Now if you only used that email for rs you could be very safe. But i don't think that would be a very likely scenario for most rs users (or internet users).


It's most likely Jagex helping the hackers.

 

Nowadays most J-mods know less about the game and the players than the players know themselves.

Loads of old pro accounts are hacked nowadays while loads of players know the real history about the account and J-mods don't.

Hackers just tell Jagex they haven't played on the account for ages so forgot what the passwords and such were.

 

Examples of hacked persons (some of them even after the real account owner died!) are:

Longterm rank 1 F2p: Mendark 9

Longterm rank 2 P2p: The Old Nite

One of the richest persons out there: Chessy018 (yes I really think the hackers couldn't hack her without help of Jagex)

 

And these are just a few I know, most likely there are many many more.


It's most likely Jagex helping the hackers.

 

Nowadays most J-mods know less about the game and the players than the players know themselves.

Loads of old pro accounts are hacked nowadays while loads of players know the real history about the account and J-mods don't.

Hackers just tell Jagex they haven't played on the account for ages so forgot what the passwords and such were.

Examples of hacked persons (some of them even after the real account owner died!) are:

Longterm rank 1 F2p: Mendark 9

Longterm rank 2 P2p: The Old Nite

One of the richest persons out there: Chessy018 (yes I really think the hackers couldn't hack her without help of Jagex)

 

And these are just a few I know, most likely there are many many more.

Wrong, you need at least one correct password to get it accepted. They get their passwords from forum databases.


I've been hacked twice, first one a monthish ago for bank cleaned (over 3bil lost, had been making overloads from stewing so no pin :wall: :wall: )

I'm still not sure how that happened, they had my password not recovered (they didn't even change it), and there was no way it could have been guessed.

Then more recently I got phished through an email that got past my spam filter, my phishing website blocker and was from noreply@jagex... , but pin + always banking items is your friend.

 

 

I've had hundreds of phishing attempts on my youtube channel, nearly every day I have to clear/block people posting phishing links on my videos.

 

3hit how much did you lose?


Yes MD5 is possible to "reverse": however you won't reverse the password, instead you reverse to something that will also be accepted as password. Using a salt like you mentioned (md5("string" + "salt_string")) would indeed reverse engineer to a workable password. However due to the nature of this, you won't be able to split the "salt" and the password parts. So you won't be able to use the reverse engineered "password" on any other site than the original site (as the salt would be random for each site).

 

Furthermore, IPB uses a double-salted password: MD5("pass" + MD5(salt)) + MD5(salt), making it impossible to reverse engineer unless you knew the salt in advance.

First they came to fishing

and I didn't speak out because I wasn't fishing

 

Then they came to the yews

and I didn't speak out because I didn't cut yews

 

Then they came for the ores

and I didn't speak out because I didn't collect ores

 

Then they came for me

and there was no one left to speak out for me.

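An added example, not part of the original post and not IPB's own code: a Python sketch of the per-site salting described in the post above, showing that one password under two salts yields unrelated digests, and how a site can wrap such stored digests in PBKDF2 so a leaked table is slow to guess against. The salts, row layout and function names are assumptions made for illustration, and the digest formula follows the post's wording.

```python
import hashlib
import hmac
import os

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def legacy_digest(password: str, salt: str) -> str:
    # Salted MD5 in the shape the post writes it: MD5(pass + MD5(salt)).
    # Assumption: follows the post's wording, not verified forum source code.
    return md5_hex(password.encode() + md5_hex(salt.encode()).encode())

def wrap(digest_hex: str, kdf_salt: bytes, rounds: int) -> bytes:
    # Stretch an existing digest with PBKDF2-HMAC-SHA256. The site can run
    # this over every stored row without knowing any user's password.
    return hashlib.pbkdf2_hmac("sha256", digest_hex.encode(), kdf_salt, rounds)

def upgrade_row(row: dict, rounds: int = 200_000) -> dict:
    # The fast MD5 value is dropped; only the stretched hash is stored.
    kdf_salt = os.urandom(16)
    return {"salt": row["salt"], "kdf_salt": kdf_salt, "rounds": rounds,
            "hash": wrap(row["md5"], kdf_salt, rounds)}

def verify(password: str, row: dict) -> bool:
    # Recompute legacy digest, stretch it, compare in constant time.
    candidate = wrap(legacy_digest(password, row["salt"]),
                     row["kdf_salt"], row["rounds"])
    return hmac.compare_digest(candidate, row["hash"])

# Constructed sample data: the same password registered on two sites.
PASSWORD = "correct horse battery staple"
site_a = {"salt": "k3#Qz", "md5": legacy_digest(PASSWORD, "k3#Qz")}
site_b = {"salt": "9vT!p", "md5": legacy_digest(PASSWORD, "9vT!p")}
upgraded = upgrade_row(site_a)

if __name__ == "__main__":
    print("site A digest:", site_a["md5"])
    print("site B digest:", site_b["md5"])
    print("digests differ:", site_a["md5"] != site_b["md5"])
    print("login after upgrade:", verify(PASSWORD, upgraded))
```
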

People seem to think that an authenticator would solve all problems. While it would greatly decrease the number of people getting phished and keylogged and having their account compromised, and that'd be great, you also have to consider what would happen if you lost the key. You'd need some way to recover your account and that way would most likely be identical to the system that's in place now for account recovery as there's not many better methods of account recovery out there in my opinion. 99% of companies use email recovery which is as secure as your email, although it seems Jagex are switching more and more towards that method of recovery. I know Blizzard ask you for things such as CD-keys for recovery but that'd be impossible for Jagex to do. So yeah, they'd either have to come up with an entirely new method or continue with the system they have even if they did introduce an authenticator.


 

3hit how much did you lose?

I'd say over a billion.

 

Although this may sound biased...

I do think accounts that are gotten into or any account that does "weird acts" such as drop all items/expensive items or are traded should have their account restored to before the acts.

 

However, I do think this may not be possible due to further trades between accounts and such, but there should be something to prevent it happening.


So yeah, they'd either have to come up with an entirely new method or continue with the system they have even if they did introduce an authenticator.

 

I would be happy if they either made it so their current recovery system worked (far too many people attempting to recover accs with membership agreement pins, old passwords, etc and getting denied)

 

Or a system that, so long as I keep the item safe, doubles my chances that I'll never have to deal with another automaton that doesn't read recovery forms again.


I wish there was a system that actually disabled recovery attempts. So I don't have to fear that corner, why does anyone actually "lose" a password? - Don't you store important ones?


Today's phish leads to a URL in the .cc TLD (Cocos Islands): http://whois.domaintools.com/co.cc It's registered in Gyeonggi-do Province, ROK.

 

As usual, the full headers are too large to paste into Jagex's puny 2000-character post window.

 

X-Originating-IP: [218.104.72.98] - You guessed it - Beijing China (using the Hefei City ISP)

The return path of the email, oddly enough, leads to an email account tied to this Facebook group: http://www.facebook.com/group.php?gid=116172681727280

 

Anyone know any Asking Alexandria fans?

PvP is not for me

In the 3rd Year of the Boycott
Real-world money saved since FT/W: Hundreds of Dollars
Real-world time saved since FT/W: Thousands of Hours


co.cc isnt a proper tld. the actual tld is just .cc and the domain name is co. their business is mainly supplying bulk subdomains blah.co.cc to spammers which is why google dumped all 11 million domains *.co.cc from search results in july.

 

Of more interest is where the email came from rather than the host of the phishing site.


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

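An added example, not part of the original posts: a Python triage of the header fields the two posts above look at (X-Originating-IP, the return path, and the link host), applied to a constructed message. Every address, host and IP in the sample is a placeholder, and `game.example` stands in for the legitimate sender's domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address, host and IP is a placeholder.
SAMPLE = (
    "Return-Path: <group.contact@mailhost.example>\n"
    "X-Originating-IP: [203.0.113.7]\n"
    'From: "Account Support" <noreply@game.example>\n'
    "To: player@example.org\n"
    "Subject: Account notice\n"
    "\n"
    "Confirm your details at http://account-check.example/verify\n"
)

def addr_domain(header_value: str) -> str:
    # Domain part of the address in a header, lowercased ("" if absent).
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(raw: str, expected_domain: str) -> dict:
    msg = message_from_string(raw)
    from_dom = addr_domain(msg.get("From", ""))
    rp_dom = addr_domain(msg.get("Return-Path", ""))
    ip = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", msg.get("X-Originating-IP", ""))
    hosts = [h.lower() for h in
             re.findall(r"https?://([^/\s:]+)", msg.get_payload())]
    off_domain = [h for h in hosts
                  if h != expected_domain
                  and not h.endswith("." + expected_domain)]
    findings = []
    if from_dom != expected_domain:
        findings.append("From domain is not the expected sender domain")
    if rp_dom and rp_dom != from_dom:
        # The visible From can be forged; bounces go to the return path.
        findings.append("Return-Path domain differs from From domain")
    if off_domain:
        findings.append("body links to hosts outside the expected domain")
    return {"from_domain": from_dom, "return_path_domain": rp_dom,
            "originating_ip": ip.group(0) if ip else None,
            "link_hosts": hosts, "findings": findings}

if __name__ == "__main__":
    for key, value in triage(SAMPLE, "game.example").items():
        print(f"{key}: {value}")
```
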

I dont think Jagex will listen to anything anymore...there have been good suggestions to give players more security options but nothing is done.

 

For example:

-custom bank pin reset timer up to 365 days (7 days is just joke and cannot take longer breaks)

-email or message box confirmation if account is tried to log in from different isp

-recovery answers more important (heard that 1 correct one can result in a successful recovery)

 

I had to recover 2 of my own accounts once...i knew they had nothing stat or item wise but i just wanted them for use...i got both in first try basically with 0 info.

 

Old accounts are in most danger because of lack of security options in past...im sure about all active oldschoolers know how many remarkable old accounts been stolen already (Tks, Zonghui, Ladykilljoy, L6vi..just to mention some known ones)

 

Most common mistakes ppl make: they use their rs account username as forum username, they use same email for fansite forum registration, msn, facebook etc what they use with jagex.

 

 

We all know jagex pretty much doesnt give a damn about account security anymore so i dont expect any changes in that section anytime soon. I would personally pay extra if having good security options there...I personally havent been hacked so far during my rs career but i dont see it being impossible at all i probably just been lucky so far.

 

In 8th right before exp weekend i received genuine info email from jagex someone trying to reset one of my accounts password but it was related to account that i rarely play anymore...its easier to track those attempts since i use different registered email to different accounts.


First of all, give any account a trademute after being successfully appealed so the only thing an account can do is trading along GE (no trades the normal way).

This means:

No staking

No trading with the tradewindow

No wildy

No droptrade

 

 

Also:

Allow players to ask for a trademute.

Loads of players never stake for money or trade the normal way after the Grand Exchange existed, so what's the point of risking your bank all the time?

 

 

This is not the first time trademutes have been thought out, before GE came it seemed to be the greatest solution against bots.

It seemed to me like a lot of fun, 100s of hours of botwork and then suddenly realise you can't trade any more so you can't sell your products for rl money anyway XD.

 

Somehow Jagex never made it happen...

 

I wouldn't even have problems with it if P-mods could give trademutes.


 

i advise you all to make an entirely separate gmail account to register to your rs account, tell no one about it, and make it only be recoverable through a text from your phone. makes things a lot safer.

 

How do you do this?

SWAG

 

Mayn U wanna be like me but U can't be me cuz U ain't got ma swagga on.


 

i advise you all to make an entirely separate gmail account to register to your rs account, tell no one about it, and make it only be recoverable through a text from your phone. makes things a lot safer.

 

How do you do this?

I believe it's "Change recovery options" under "Account settings".

"It's not a rest for me, it's a rest for the weights." - Dom Mazzetti


I'm guessing it's possible too, if your account was registered with facebook, for someone to actually go to your page on fb and find out your information for recoveries and such.


One of the big reasons a lot of people got hacked is that the DI forums database got hacked and leaked.

 

There is an entire team that is dedicated to recovering accounts. They can get your account with JUST ONE OLD PASSWORD. That's how bad the recovery system is now.

Started free trade with 1.5m cash. 2 weeks later, have hit max cash 2x.

 

PvP drops: 359 Brawling Gloves, 11 Vesta's Longswords, 41+ Zaros/Ancient Statues

9 Dragon Full Helms, 3 Dragonfire Shields on the old PvP loot system

 

Brawler guide is being finished!

 


I wish I thought about 'No-items-returns' policy before starting to play RuneScape. Never again I will play a wealth based game with policy like that. Lost my wealth too after about a year of inactivity, but I think my laptop that I played with back in the time was just compromised. No virus scan detects anything on that laptop, but when using UnHackMe antirootkit tool, it cannot remove few suspicious files so I guess it's very well hidden malicious software.


if you went into any sites before you left and went to a website outside of rs that can clearly give them your password or you traded with someone you traded with before you took the time off its just have you took the time off if you get a guy that wanted to trade you for stuff he wanted to get rid of basically someone who has a lot of money can put a hacking virus on one of his items and trade you it which can lead to hacking and removal from items and other stuff it was probably your last trade before you left for a while. just make sure you trust the person you trade and you are friends with

 

Not_Sure_If_Serious.jpg?t=1295430649


Today’s phish takes a different approach: “RuneScape invited to join Senior Member” The URL mentions “loyalty points” - a particularly [wagon]ed approach, as I haven’t been P2P since that program started.

 

The phishing URL is in the Tokelau TLD and resolves to http://www.ip2location.com/93.170.52.20 - Alfa Telecom in the Netherlands

Originating IP: http://www.ip2location.com/98.139.91.248 - Yahoo Mail

