
2-step verification for RuneScape (concept)


Mercifull


Note: This is a modified version of my post on the RSOF [QFC]277-278-105-63939404[/QFC]

 

Introduction

 

I think most people here know me, or at least know of me. I have been playing RuneScape on and off for well over 10 years now; some people here may have met me at RuneFest in 2010 or 2011. Like many other people in the past I've been the victim of account thefts and lost what would probably now be the equivalent of billions of GP (loss of partyhats). It's an incredibly frustrating and stressful experience and it's not always the user's fault: 0-day exploits and social engineering methods are to blame as well as the more common keylogging and phishing scams.

 

I have created a concept (well put together more like rather than inventing it) for a more secure way of logging in to RuneScape or any of Jagex properties. It's called 2-step verification and it is very similar to what Google uses as well as other games such as World of Warcraft, Diablo III, Rift, Star Wars: The Old Republic and many more.

 

Back in 2008 Jagex proposed a scheme whereby you could purchase a USB-sized secure key which you could use to generate a unique code to log in. At the time Jagex were planning to offer increased bank space as an incentive to get people to purchase these keys. Unfortunately there was outrage from a vocal minority of the community about how paying real money (for a key) could get you an in-game advantage (more space), and so, along with possibly prohibitively expensive costs, the project was cancelled.

 

Fast forward to 2012 and the world and the community are a different place. Security technologies have improved, and smartphone usage has risen to over half of the population in America, with similar figures in Europe and most of the western world. This means that mobile app authenticators have become much more viable, cost effective and easy to distribute.

 

Why this is needed

 

An authenticator prevents unauthorised access to a RuneScape account even if you are unlucky enough to have your password compromised, meaning that no one can steal your in-game items or even cause you real-life monetary loss by a malicious person using up your Solomon RuneCoins or Squeal of Fortune spins. The recent bannings of high-profile dicers and the mugging of a player with an imitation firearm go to show how much real value some people (legitimately or not) put on our characters and items. The theft of items can in theory net a malicious "hacker" thousands of pounds.

 

How to set it up

 

To set up 2-step verification you would log in to your account on the RuneScape homepage and go to your 'account settings'.

 

In the list of account options there would be a new line of text underneath the 'Recovery Questions' called '2-step verification'. Clicking the + sign would expand the information where you would then get the options of setting it up in three different ways.

  1. SMS text message on your mobile phone
  2. Smartphone app
  3. Secure key

You MUST enter your mobile phone number regardless of which option you choose to set up. This is in case you cannot get online using the smartphone app (perhaps it is out of sync with the server, or your smartphone is broken and you are using a backup phone with your normal SIM), or if you have broken or lost your secure key.

If you only choose option 1 then after you have typed your mobile phone number in you will be sent an SMS text message with a special code. You then need to verify this code on the RuneScape homepage. You will then have option 1 SMS verification enabled. I will explain how it works when trying to login shortly.

 

If you choose option 2 then you will first need to enter your phone number as with option 1, but after you have verified the number you need to go to an additional step. You will then be instructed to download an app for your smartphone. Apps would be available for the key providers: iOS (iPhone, iPad, iPod touch), Android and Windows Phone 7.5 (or WP8 when it's out). If you do not have a compatible phone then you can click a button to simply choose option 1, or you can cancel the process altogether. Once you have downloaded the correct app you can press the next button online. To synchronise your account you would choose the option in the app to add an account and a barcode scanner would activate on the phone. On the browser screen a barcode would be showing and you would be instructed to scan this using your phone. Once you have done this another verification code would show on your phone. You simply type this into the browser box provided, press 'complete verification' and then it would be enabled.

 

Option 3 is slightly different and is effectively the canned original idea from Jagex about using a dedicated secure key, about the same size as a USB stick, which generates a unique code every minute or so. To set this up you would first have to order this from the Jagex store. These could be sold at a cost of around $10 plus post and packaging. To activate it you would need to type the code that shows on the key into the RuneScape homepage during set-up first, and then it would work just the same as options 1 and 2, where you have to type in the verification code showing on the key on login to the game or website. If you lose the key you can use the backup phone number you provided in an earlier step to request a code to log in to the RuneScape homepage and deactivate 2-step verification until you order a new one or change your method to option 1 or 2.

 

How it works

 

The look of the app could be something like the concept below (please forgive my naff Photoshop skills). Basically, on opening the app it shows a large 8-digit verification code which changes every minute, and then a new one is displayed.

 

[Image: concept mock-up of the authenticator app]

 

If you have enabled 2-step verification then when you log in to the RuneScape webpage, forums etc. you will be taken to a second page after the username/password which asks you for the verification code. If you have chosen the SMS option then you will shortly receive a code which is valid for one use only to allow you to log in. If you have chosen to use the app option then you will need to type in the code displayed before the timer runs out. If you open the app and see it's about to change, simply wait a few seconds for the next code to be displayed. A small tick box would show under the verification box which says 'remember this computer for 30 days'. This would use cookies to remember your computer so you wouldn't need to enter a verification code each and every time. If you have your browser set to clear cookies regularly then you will need to enter the code more often.

 

Logging in to the game would work in a similar way. You type your username and password as normal and before you get to the lobby you are asked for the verification code. This works exactly the same as logging in to the website and also gives you a 'remember' tick box.

 

What to do if you lose your phone or get a new number

 

Well, there are a few things that Jagex could do. For example you could set up a backup phone number from a family member or trusted friend, or Jagex could provide an emergency one-use backup code which you will be asked to print out and put in your wallet for safe keeping. With this you could log in to update your phone number. Otherwise you would have to go through the recovery questions just like a forgotten password.

Costs

 

Ideally options 1 (SMS) and 2 (app) should be free to the player. However I understand that this would require significant development time to work with the Jagex billing system, and so the maximum I would suggest Jagex charge would be 69p/$0.99 or whatever the minimum fee for apps is on the relevant app stores. A dedicated secure key would obviously have a charge because it is a physical device with a manufacturing cost. Other game companies sell these for around the $10 range.

 

Other bits

 

This is just an initial concept I have devised based on my experience of other services which use similar things.

 

This would be entirely optional and so no one would be forced into this.

 

There are immense benefits to this, which means that if you lose your password to a phishing site or 0-day exploit, or even if you are keylogged or fall victim to a phishing site, a "hacker" could not access your account. 2-step verification works because of the two types of things you need to access your account: something you know (password) and something you physically have (phone). This would also save Jagex significant time in dealing with investigating account thefts and returning accounts to the rightful owner.

 

Obviously Jagex's recovery system would need significant rework too, to prevent accounts being socially engineered away via the recovery system being gamed, as someone could just claim they simultaneously forgot their password and also got a new phone/deleted the authenticator app etc. I feel that if this were to be implemented there also need to be radical improvements to the recovery system. I strongly believe that the recovery system is the weak link and so even with activated 2-step verification it would need vast improvements as well.

 

New guidelines should be published on how to create more secure recovery questions. With so much personal information available via social networks, YouTube and even searching whois databases people should be discouraged from recovery questions such as “mother’s maiden name”, “first school”, “pet’s name”, “favourite band” etc. Instead people should use information which is easy for a player to remember or find out but impossible for a person to remotely discover. For example “The first 5 numbers from a vehicle identification number” or “Print number from the painting hanging in the hallway”. There are many suggestions from people on this forum and on the RSOF on how to improve the recovery process but the crux is what happens after someone has successfully entered sufficient information.

 

If a person has activated 2-step verification then on a successful recovery claim a person does not get to choose what the password should be, instead a password is created by the Jagex recovery system and sent via SMS to the number they used on setup. If a person does not have this phone number anymore they can opt to also have a copy of the new password also sent to the backup phone number. This way even if a malicious “hacker” has managed to find out enough information to impersonate me to Jagex support, without physical access to my phone they cannot access my account.

 

I think I've got everything in my head down. I hope this makes sense.

 


  • Like 3


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12

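The post above describes the app option (barcode enrolment, an 8-digit code that rolls over every minute, a one-use check at login, and a "remember this computer for 30 days" cookie) without showing the server side. The following is an added example, not code from the original post or from Jagex: it models that flow with the open TOTP algorithm (RFC 6238, HMAC-SHA1 over a time counter), which is the standard Google Authenticator-style apps implement. The `Authenticator` class, the in-memory storage, the `RuneScape` issuer string and the cookie format are assumptions made for the example; the 8-digit, 60-second parameters are taken from the post.

```python
"""Added example, not code from the original post or from Jagex: server-side
model of the smartphone-app option using RFC 6238 TOTP, plus the signed
'remember this computer for 30 days' cookie. Authenticator class, in-memory
storage, issuer string and cookie layout are assumptions for illustration."""
import base64
import hashlib
import hmac
import secrets
import struct
import urllib.parse

DIGITS = 8    # the concept mock-up shows an 8-digit code
PERIOD = 60   # the concept changes the code every minute

REMEMBER_KEY = secrets.token_bytes(32)   # server-side key for the remember-me cookie


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = DIGITS, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(at) // period, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str = "RuneScape") -> str:
    """What the enrolment barcode on the browser screen would encode (otpauth URI)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = urllib.parse.quote(f"{issuer}:{account}")
    query = urllib.parse.urlencode({"secret": b32, "issuer": issuer, "algorithm": "SHA1",
                                    "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"


class Authenticator:
    """Per-account server state (hypothetical; a real system would persist this)."""

    def __init__(self, account: str):
        self.account = account
        self.secret = secrets.token_bytes(20)   # 160-bit shared secret, shown once as a barcode
        self.enabled = False
        self.last_counter = -1                  # highest time step already accepted
        self.setup_uri = provisioning_uri(self.secret, account)

    def _check(self, code: str, now: float, window: int = 1):
        """Accept the current step and one step either side (phone clock drift, or a
        code typed just as the app rolled over), but never a step that has already
        been used, so a code someone captured cannot be replayed."""
        if not (code.isdigit() and len(code) == DIGITS):
            return None
        current = int(now) // PERIOD
        for counter in range(current - window, current + window + 1):
            if counter <= self.last_counter:
                continue
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return counter
        return None

    def complete_setup(self, code: str, now: float) -> bool:
        """'Complete verification' step: the phone proves it scanned the barcode."""
        if self._check(code, now) is None:
            return False
        self.enabled = True
        return True

    def login(self, code: str, now: float) -> bool:
        """Second login step, run only after the username/password check passed."""
        return self.enabled and self._check(code, now) is not None


def issue_remember_cookie(account: str, now: float, days: int = 30) -> str:
    """'Remember this computer for 30 days': account and expiry, signed so the
    browser cannot extend the period or swap in another account name."""
    payload = f"{account}|{int(now) + days * 86400}"
    tag = hmac.new(REMEMBER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def remember_cookie_valid(cookie: str, account: str, now: float) -> bool:
    """True only if the signature verifies, the account matches and it has not expired."""
    parts = cookie.split("|")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    expected = hmac.new(REMEMBER_KEY, f"{parts[0]}|{parts[1]}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(parts[2], expected) and parts[0] == account and int(now) < int(parts[1])
```

To walk through the flow, create `Authenticator("player")`, feed `totp(auth.secret, now)` to `complete_setup`, and then call `login` with the next minute's code; a second `login` with the code just used is rejected because its time step is at or below `last_counter`. Two design points worth noting: the server accepts one step either side of the current one so that a code typed as the app rolls over (the "wait a few seconds" case in the post) still works, and the barcode carries the only secret in the scheme, so any device that has scanned it can produce valid codes, which is why the enrolment screen and the stored secret need the same protection as the password itself.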

Ah, yes. I remember being very excited when they were discussing that USB because my dad had one for his high security clearance at his job. I think I would much rather prefer the smartphone option now, though, seeing as I just purchased a Droid.

 

Two-step verification is a great idea and it would probably end up saving customer service a lot of time in the end.

Player since 2004. All skills 1M+ XP.


"If it were possible to cure evils by lamentation..., then gold would be a less valuable thing than weeping." - Sophocles

"Good people do not need laws to tell them to act responsibly, while bad people will find a way around the laws." - Plato


I was always disappointed that they never implemented the security dongles. I remember my mother having one nearly 20 years ago to access the secure systems at her work when she was at home and always thought it was a good idea.

 

I think you make an excellent suggestion for securing our accounts. Given how prevalent smartphones are, I'm sure it would be fairly easy to develop an app that does nothing but generate a seemingly random code every 1-5 minutes. Something similar may even exist already.

 


THE place for all free players to connect, hang out and talk about how awesome it is to be F2P.

So, Kaida is the real version of every fictional science-badass? That explains a lot, actually...


I think the app idea in particular (seeing as the usb was deemed non-financially viable) would be a wise move as more security never hurt and would certainly ease pressure on customer services. Only bit I disagree with is that account hacking/theft is often not your fault, simply because it really is.

Keyloggers - avoidable with common sense and good AV

Phishing scams - avoidable with common sense

Password gained by other means - avoidable if you do not use same pass on other sites or share it with 'friends' etc.

Recovery scam - certainly a flaw in Jagex recovery here, but even so if your email is insecure enough to be hacked by any of the above means for this to work it's still kinda your fault.

 

Having said that however these still cause issues because people (as a general collective) are utter [wagon]es with no common sense and thus fall prey to all these, so it would definitely be a good move as it would reduce hacking to:

a) [wagon] who did not activate 2 step verification (much like the current class who lose their entire bank to a hacking as they never bothered with a bank pin)

b) [wagon] who gave their pass to a friend AND let them get the app/device to complete step 2.

Both of which in my humble opinion probably deserve to be hacked just to learn the lesson.

 

> I was always disappointed that they never implemented the security dongles. I remember my mother having one nearly 20 years ago to access the secure systems at her work when she was at home and always thought it was a good idea.
>
> I think you make an excellent suggestion for securing our accounts. Given how prevalent smartphones are, I'm sure it would be fairly easy to develop an app that does nothing but generate a seemingly random code every 1-5 minutes. Something similar may even exist already.

Something similar already does exist for certain, the most prevalent example is the gmail 2 step verification which can text you a code when you try to log on and/or can be synchronised with a smartphone app that generates 1 code every 30 seconds or so that serves the same purpose.


Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


It's a shame it's been moved to suggestions (where it will no longer get the recognition it deserves) as I felt this had potential to be a big discussion on methods of securing accounts which is very much relevant to RuneScape General.

 

If anyone is aware of the Mat Honan "epic hacking" story they will know that account thefts can happen even to seasoned security journalists. He notes that had he enabled Google's 2-step verification system he would not have lost all his data (and faced a $1600 bill from a recovery company to get it back). I now use it on all my Google accounts and it's really simple to set up.

 

How to set up 2-step verification on Google.

Edited by Kimberly
Please don't double post
  • Like 1


Mercifull <3 Suzi


Well, this is a suggestion after all.

 

I enjoy this concept. Jagex already has a mobile presence, so they know how apps work. I wouldn't mind an authenticator attached to my account, it has saved my Blizzard account in the past.



Yeah, you're right, it is a suggestion. I suppose I should have put more effort into my thread to make it more of a discussion. I was hoping to get a bit of activity and debate about it all rather than me just shoving my idea in front of everyone.


Mercifull <3 Suzi


They'll likely get around to it once bot-fever has run out.

 

I imagine that these sorts of things take a lot of time to plan, develop and implement. I don't reckon we'll see this for at least a year minimum even if they started it today.

-- 2001 Starter --



In a way this might also prevent casual bot usage (i.e. not goldfarmers). As a software bot would be unable to physically access your phone or secure key, it wouldn't be able to log in to any accounts with 2-step verification activated. That would mean that little Timmy has to decide the trade-off between gaining a bit of hunting xp/chinchompas for selling while at school/work/whatever, or having the higher level of account security. It would mean that accounts which use bots are guaranteed to be less secure and easier to "hack". People who might only be casual botters could be put off if it meant they were more at risk of having their items stolen.

 

It may also prevent character sharing for the same reasons that you would have to make the trade off between being able to break the rules or having a more secure account. If players had to constantly disable and enable the 2-step verification every time they wanted to play legit or bot/char share I'm sure people would steer away from it. There is also the risk that the person you are sharing with sets up 2-step verification and locks you out.


Mercifull <3 Suzi


This is the kind of thing I want them to use the money they get on. Jagex should be aware that when a user is hacked it is highly likely that the user will give up on their game because all their work was for nothing, thus losing a monthly member, SoF user or Solomon user. Why give up this potential income? *tsk tsk* It's worth implementing.


> This is the kind of thing I want them to use the money they get on. Jagex should be aware that when a user is hacked it is highly likely that the user will give up on their game because all their work was for nothing, thus losing a monthly member, SoF user or Solomon user. Why give up this potential income? *tsk tsk* It's worth implementing.

 

I don't think a lot of hackees quit entirely, especially as most do not lose EVERYTHING. Certainly what you are wearing can be worth a good portion of your bank, but unless you have no bank PIN you have at least 3 days (if not 7) in which your cash pile and bank are entirely safe.

 

Of course they could abuse your stats and any left-over RuneCoins and spins, but at the same time I'd question why anyone would leave a mass of RuneCoins or spins unused. Surely anyone who buys them would buy them for a purpose and then have few to none left. And 'abusing' your stats is hardly a game breaker for most players, seeing as unwanted xp only really exists for pures.


Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


I'd definitely back 2-step verification on RuneScape accounts, like I already have with my Gmail account; it's a lot more secure and keeps hackers out a lot more effectively.

I'd even go as far as purchasing a secure key. I was excited when they announced them in 2008 and was eagerly awaiting the shop selling them, even if they gave no in-game advantage (i.e. bank space) other than a more secure account.

Quest Cape Achieved 10/08/2012

TFU: Ruinous Edge


A piece of glass in the sand under your feet, it cuts you deep and it makes you hate the beauty that you see.


Security dongles or two step verification would be a great idea.

 

A few months ago my account was compromised and I had become complacent and no longer banked all my items before logging out. I lost a blue partyhat, an elysian, a set of Pernix and other items.

 

At the very least we should be able to PIN lock our equipment as well as our banks and money pouches.

  • Like 1

Asmodean <3


It saddens me that the federal government implemented this years ago but Jagex still does not have some form of secure verification system.


With love to one, friendship to many, and good will to all.


> I don't think a lot of hackees quit entirely, especially as most do not lose EVERYTHING. Certainly what you are wearing can be worth a good portion of your bank, but unless you have no bank PIN you have at least 3 days (if not 7) in which your cash pile and bank are entirely safe.

I agree, but for new players who haven't invested as much time in the game yet I think it might make them find a different game, or at least put people off from spending money on things like spins and RuneCoins.


Mercifull <3 Suzi


People that don't have cellphones seem to be slightly screwed by your suggestion.



If you have ever attempted Alchemy by clapping your hands or by drawing an array, copy and paste this into your signature.
^^^At least I'm not the only crazy one


Costs too much, so Jagex won't do it. There is a reason their CS is so bad: they just don't care as much.

[hide=Drops]Araxxor Eye x1 Leg pieces x2
GWD: 5000 Addy bar Steam B Staff x3 Z Spear x6 Sara. Hilt x2 Bandos Hilt x2 (LS, Solo)SS x6 (1 LS)
Tormented Demons: Shard x6 Slice x5 Claws x9 Limbs x3
DKS: Archer x21 Warrior x31 Berserker x30 Axe x51[/hide]


> People that don't have cellphones seem to be slightly screwed by your suggestion.

Not screwed as such, they just won't be able to take advantage of the more secure system.


Mercifull <3 Suzi


> Costs too much, so Jagex won't do it. There is a reason their CS is so bad: they just don't care as much.

But I believe this would SAVE Jagex money by not needing to have so many CS staff dedicated to account thefts and hackings.


Mercifull <3 Suzi


> Costs too much, so Jagex won't do it. There is a reason their CS is so bad: they just don't care as much.
>
> But I believe this would SAVE Jagex money by not needing to have so many CS staff dedicated to account thefts and hackings.

The initial set-up cost may be high, but it should offset itself with the reduction in CS workers Jagex needs to hire, therefore saving Jagex money in the long run. But seeing the attitude IVPex are taking, valuing a fast return over slow profit, I'm not holding my breath. We can dream I suppose. :)

  • Like 2

Quest Cape Achieved 10/08/2012

TFU: Ruinous Edge


A piece of glass in the sand under your feet, it cuts you deep and it makes you hate the beauty that you see.


 

> In the list of account options there would be a new line of text underneath the 'Recovery Questions' called '2-step verification'. Clicking the + sign would expand the information where you would then get the options of setting it up in three different ways.
>
>   1. SMS text message on your mobile phone
>   2. Smartphone app
>   3. Secure key

SMS text messages would cost money for Jagex as they have to pay for each and every message sent. It isn't feasible to give that for free, if we think about free-to-play accounts.

 

Secure key and Smartphone app combination would probably be Vasco Digipass Go 6 or 7, due to lack of direct competition. The algorithm used in mobile authenticator software is implemented on PC as well, and I think most botting software would be updated to generate authentication keys based on your restore code.

 

Otherwise I would support this idea. But I think these two side notes should influence the costs and the effects on the bot problem.


That's why the text messages should cost standard rate, which means they come off the receiver's credit (PAYG) or allowance (contract) and do not cost Jagex. I don't understand what you say about botting software being able to generate authentication codes. I don't see how this would be possible. Have there been any cases where the algorithm has been broken in this way? Vasco's algorithms and products are not just copyrighted but patented. Anyone that even attempts to reverse engineer them as part of a RuneScape bot is gonna get pwned by the courts.


Mercifull <3 Suzi


I suppose in theory you could run the mobile app in an Android emulator on a PC, but how would you scan the barcode to sync with the secure system?


Mercifull <3 Suzi


FYI myself and a few other developers have been pushing them to do this for years, since before they even suggested it themselves back in 2008. I brought it up last year myself as well in some private forums with them, as well as again more recently this year, and they always say the suggestions will be passed on but either they aren't or the team who gets them isn't interested in putting in the time to do this.

 

The idea always gets the support of the people in those forums and as you can see, generally gets public support (because why wouldn't it?) but nothing seems to be done.

  • Like 1
