Jagex Account Guardian


Mercifull

True, but on a scale, it takes more effort to detect bots than to break them, I would imagine.

True. However, it depends.

 

Jagex spends months and months designing the nuke, Optimus, and others to break them... And it's only temporarily. You could even go so far as to say that they've put forth just as much effort into breaking them as detecting them. And we can all agree that their detection systems are garbage to say the least. :P.

 

And you're right; there is no permanent break. I believe that's why Jagex removed the quote, "which will permanently deal with," from the microtransactions post.


True, but on a scale, it takes more effort to detect bots than to break them, I would imagine.

True. However, it depends.

 

Jagex spends months and months designing the nuke, Optimus, and others to break them... And it's only temporarily. You could even go so far as to say that they've put forth just as much effort into breaking them as detecting them. And we can all agree that their detection systems are garbage to say the least. :P.

 

And you're right; there is no permanent break. I believe that's why Jagex removed the quote, "which will permanently deal with," from the microtransactions post.

 

I don't think it's true that it takes more to detect a bot than to break it.

 

I mean let's take an injection box for example.

If you discover the injection, which is an anomaly a normal player would not cause, it seems to me like it'd take more work to find a way to block it than it does to make a script that notices that anomaly and applies a ban to the relevant account.

 

After all breaking them requires noting how they are doing it then finding clever ways to make that no longer functional without breaking the game as a whole; detecting them for auto-bans simply requires noting how they are doing it and having a script dole out a ban to accounts doing it.

Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


This has been officially added to the game now! Should I set it up or wait? :shock:

Does not work yet. Clicking 'enable' does nothing.

 

 

Wondering what info they use for identifying the devices. IP? Do they store some file on our hd? mac address?


Chrisso said on RSOF that it's being slow right now due to the load.

 

.. or Arceus just beat me to it.


"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12


What a real shame. Considering MMG comes from a security background I expected a lot more.

 

The Jagex Account Guardian uses a combination of email addresses and unchangeable security questions to enable devices/computers which means that accounts are STILL susceptible to remote attacks. Because they cannot be changed once set it's a massive security hole if someone manages to find them out.

 

It's an interesting addition and no doubt WILL make people's accounts more secure but I'm very disappointed they didn't go down the route I wanted them to. Expect phishing and keylogging to boom.

 

The thing that makes a 2-step authenticator so secure is because the code used for access changes every 30 seconds and because you need physical access to the device or mobile phone of the account holder. The system Jagex has implemented does not protect against phishing (as they will just make pages that claim cookies have expired or something so you need to read your computer) nor against much more serious keylogging software which can also compromise your banking details.

 

So on that note if anyone here wants to activate the JAG then make sure your email provider DOES have 2-step authentication such as Gmail and activate that as well!

Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12
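
The property the post above relies on (a code that changes every 30 seconds, versus answers that can never be changed), as an added example that is not part of the original thread and is not Jagex's implementation: a minimal RFC 6238 TOTP verifier beside a static-answer check. The secret is the RFC 6238 test key, and the answer string and class and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30                          # seconds per code, the interval the post mentions
SECRET = b"12345678901234567890"   # RFC 6238 test key (constructed sample input)
T_OLD, T0 = 59, 1_111_111_109      # RFC 6238 test timestamps


def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now // STEP))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TotpVerifier:
    """Server side: accepts the current or previous step, each step only once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = -1  # highest time step already consumed

    def verify(self, code: str, now: float) -> bool:
        current = int(now // STEP)
        for step in (current, current - 1):  # tolerate small clock drift
            fresh = step > self.last_step    # refuse a step that was used before
            if fresh and hmac.compare_digest(
                    totp(self.secret, step * STEP).encode(), code.encode()):
                self.last_step = step
                return True
        return False


def verify_static_answer(stored: str, supplied: str) -> bool:
    """Unchangeable security answer: the same string stays valid indefinitely."""
    return hmac.compare_digest(stored.encode(), supplied.encode())


if __name__ == "__main__":
    v = TotpVerifier(SECRET)
    code = totp(SECRET, T0)  # stands in for a value recorded by a keylogger
    print("owner logs in:          ", v.verify(code, T0))
    print("same code replayed:     ", v.verify(code, T0 + 2))
    print("old logged code:        ", v.verify(totp(SECRET, T_OLD), T0 + 2))
    print("logged answer, any time:", verify_static_answer("constructed", "constructed"))
```

A recorded one-time code is rejected once its step has been consumed or has expired, while a recorded static answer keeps passing the check for as long as it cannot be changed.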


I would highly recommend tip it users to not use the account guardian until it is updated down the road. Because you can't change the answers or look them up again, if you

 

1) get keylogged - the hacker will forever have access to your account

 

2) you will never be able to change your answers and you will be at their mercy.

I skill. If you skill you should join.


HunterDexter, as long as you have access to your email, you would try accessing it from an "unauthorized" device and have to go through security checks (recovery questions and so forth) but then you could use it from another device.

"Fight for what you believe in, and believe in what you're fighting for." Can games be art?

---

 

 

My blog here if you want to check out my Times articles and other writings! I always appreciate comments/feedback.


Oh boy this is going to be annoying. I change my IP way too often and it uses the IP for device recognition.

Out of all the options they had to choose the worst!


This does add some security for sure, but it does have flaws. Also I think the keylogger thing someone mentioned is going ott. Yes if you get keylogged and type in the answers you are screwed.

 

BUT one would assume you are not keylogged most of the time and the golden rule applies of if you DO get keylogged you do scans etc. BEFORE password changes. Plus even if you got keylogged there's not much cause for you to be typing the answers in; it only asks for them from new devices so you shouldn't be using them all that frequently (unless via libraries etc often) and even then it involves an email link as well.

It would seem to be a rather extreme cause of you effed up if they did manage to abuse you via the JAG using key logging as they'd require all 5 answers, access to your email and your rs log on data, plus one would imagine there is a way to block/ban a device if you get the email and are like wtf no that's not me.

Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


Why the heck does it not just txt a verification code to a cellphone number... :c (and text a new random one each time so you can't keylog)

 

Could even have it able to call a homephone and have automated voice read out numbers...

 

This does add some security for sure, but it does have flaws. Also I think the keylogger thing someone mentioned is going ott. Yes if you get keylogged and type in the answers you are screwed. BUT one would assume you are not keylogged most of the time and the golden rule applies of if you DO get keylogged you do scans etc. BEFORE password changes. Plus even if you got keylogged there's not much cause for you to be typing the answers in; it only asks for them from new devices so you shouldn't be using them all that frequently (unless via libraries etc often) and even then it seems to suggest you'd need to click an email link to even hit the question stage.

 

And I wouldn't bother even turning it on if I was using multiple new computers like at libraries all the time

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014


Oh boy this is going to be annoying. I change my IP way too often and it uses the IP for device recognition.

Out of all the options they had to choose the worst!

 

Are you sure it works with IP's? Because here in Belgium everyone has a dynamic IP. :s

 

I don't think it does because pretty much every modern router uses dynamic ips and in account settings it calls it 'registration ip address' which to me implies "this is the ip it was registered from" opposed to "this is the ip that is allowed" especially since I had to register both my computers independently and they have the same ip. If it was using ip to identify I'd have only needed to do it for one of them for both to work.

Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


Oh boy this is going to be annoying. I change my IP way too often and it uses the IP for device recognition.

Out of all the options they had to choose the worst!

 

Are you sure it works with IP's? Because here in Belgium everyone has a dynamic IP. :s

 

I don't think it does because pretty much every modern router uses dynamic ips and in account settings it calls it 'registration ip address' which to me implies "this is the ip it was registered from" opposed to "this is the ip that is allowed" especially since I had to register both my computers independently and they have the same ip. If it was using ip to identify I'd have only needed to do it for one of them for both to work.

 

It does, I tested.


I assume it tests the same way it can tell whether you're on the same computer or not. You can't log in from two accounts on the same computer without spam loading them at the same time..

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014


And by having it based on IP (which for many people might change fairly often) a phishing site could appear to be more legitimate as having to re-enter details fairly often would become the norm and not something to be alarmed about.

 

As I said before I'm just disappointed really. Jagex missed a trick here by not providing something at full strength available. An authenticator device/app/sms/voicecode facility would mean that I could give you my RuneScape username & password, my email address username & password AND install a keylogger onto my computer and you still wouldn't be able to get into my account.

Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12


My guess is they register mac address, as this is unique per computer for sure, though that can be faked if you know what you are doing. Still it requires an attacker to know the mac address.... But it's still susceptible to remote attack.. Just use a two step verification process >.>

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014


Sweet jesus only Jagex could take a brilliant concept (2 step verification) implement it in a slightly iffy way (using email and questions) AND make a primary component of device identification something that changes frequently for most of the internet users in the world seeing as dynamic ips are the norm these days thus rendering longterm verification utterly pointless.

Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


ipipipx.png

 

Something obviously went wrong...

 

Thank god it's a [rooster] up and not intentional.

Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue
