
Jagex Account Guardian


Mercifull


Either way I'm just stating that this implementation is a very smart move by Jagex and several other companies (e.g. Steam owner, Valve) and definitely will cut down the hacking cases of a lot of active accounts. Of course, while it isn't foolproof (as you've proved to me) it's still an excellent preventive measure in the case big forums get hacked into again.

While it will cut down on the cases, most people on here are disappointed because this isn't the best security measure to implement (e.g. two step is a lot more foolproof). Also, I haven't heard of anybody losing their RS account because of a big forum hack yet in Runescape.

 

That's because you were inactive around the time Tip.it was hacked last year. There were a lot of older accounts that (stupidly, IMO) had their emails tied to their runescape account/same password/etc. And because their recovery system was still pretty bad then, it didn't take much to hijack another account.

I occasionally read the forums when they were hacked, I wasn't fully inactive. And yes, I do realize that some fansites were hijacked, although I did not know of Zybez or Draynor being hacked. I was under the impression that the damage done by the hackers was minimal. Before jumping the gun, have there been any credible reports of users losing their runescape account because of these hackings? I am probably missing a lot of information as I was preoccupied with other things at the time. Sorry in advance if this has been discussed before and I just missed it.



 

Well, think of it like this. The hackers got database dumps of multiple huge fan sites, which includes username, e-mail, password hashes (in the case of DI -- plain text passwords) and IP information at the least. Now consider that most of those passwords had low strength/security and that many people use the same passwords on e-mail, fansites, and/or RuneScape. If these people used the same password on the fan sites that they did on RuneScape, that's automatic account access. If they used the same e-mail account on fansites as they did RuneScape, that allowed hackers to try to brute force/recover the e-mail accounts, and then use the e-mail accounts to recover RuneScape accounts. Then consider that everyone and their mother in the hacking world wanted a piece of these databases. People bought the entire database, or individual member information, etc. You can only imagine how many accounts they went after.

 

Now, a lot of those accounts were probably old, inactive accounts, so you won't have heard the account owners complaining about it. But a lot of those people were also regular, current players. Not everyone's account was hacked, and not everyone's password hash was cracked (I assume), but even a small portion of a 100k-200k membership database is huge.

 

If you had lurked some hacker forums during the time of the attacks (which I did and I'm sure a lot of other people did), you would have seen just how many people bragged about getting a piece of x database and then recovering y account, etc.



I do know that much, I read the PM you sent me months back, and I knew about the rest you didn't mention in the PM. I find it easy to believe that people have lost rs accounts in the hacks, however I haven't yet heard of any notable account hacks (as in, accounts worth a significant amount on the RWT market, not RS celebrities) where the hijacking occurred because of a fansite hack.

 

That being said, I am willing to agree that there is a very high chance that highly valued accounts have been compromised, so a discussion isn't exactly required anymore.


Finally can be safe with my 30b bank.... I'm going to put some random things in answers, but I only write them to paper, as I have written every other account-related detail (with dates), so in case I have to recover later I can provide all changes details with accurate dates to max out providing info.

I don't plan to add JAG to more than 1 account; I don't see it necessary to protect my other accounts with max 10m bank.



 

If someone manages to get your password and your recoveries (which can be changed) right, he will definitely pass through another set of Q&As that can never be changed.


Recoveries don't exist anymore.

 

The fact is that to get hacked, the hacker has to get your password, email address, possibly login name, and your JAG questions. It will be quite hard to get hold of that as in most cases, you'll have to be successful through two different methods - e.g. keylogging AND social engineering.


Interestingly someone tried a "forgot administrator password request" on my emails this morning. They didn't succeed.


Well, my emails are a custom domain using Google Apps for business. I have 2-step verification enabled, which means the only way to get access would be to submit an administrator request to Google; a copy was sent to me. This COULD be someone attempting to gain access to my emails as one part of gaining access to an account. Who knows. Just seems a bit of a coincidence to get it so soon after activating JAG.


I have one big issue with that so-called security. It's asking for recovery questions. I hate recovery questions because anyone who knows me can figure out the answers. And if it's something no one knows about it's usually nonsensical questions with answers you'll forget quickly.

 

I never supported recovery questions, and never will. They don't help at all.



Treat recovery questions as additional passwords (random characters that don't answer the question). Then either write the answers down in real life, or store them in an encrypted file/application.



 

If only someone had invented a device that could store information in a non-digital format. Like a real life version of that notepad program.



 

Figuring out your questions doesn't help them though. They still need your password, possibly login name, and e-mail.

 

JAG questions are not recovery questions, which were indeed quite flawed.



Yeah, but you shouldn't have to. A system should be secure enough to stand on its own, not rely on 3rd party email providers that DO have 2-step verification or by writing down answers/using a password manager.


+1'd. Jagex need to implement their own 2 step verification on Runescape accounts; if Google can do it on their email, so can Jagex on their players' accounts.



 

I agree. They need 2 step verification. I was just explaining how he could utilize the system that we *do* have.
