Jagex Account Guardian


Mercifull


My guess is they register the MAC address, as this is unique per computer for sure, though that can be faked if you know what you are doing. Still, it requires an attacker to know the MAC address... But it's still susceptible to remote attack. Just use a two-step verification process >.>

MAC addresses are extremely easy to spoof and can easily be scanned and harvested by any device on a network.


True, but it's a bit more difficult to steal the MAC address of a random person on RS for hacking... still easily doable if you get keylogged.

Two-step verification with a phone is the right solution... Separate device, random code each time. Easy to implement.

Maxed since Sunday, January 9th, 2014
Completionist since Wednesday, June 4th, 2014


Hmm, I simply don't understand why they didn't make this simpler.

Something like this could have been done:

You (or someone) tries to log in to your account (it won't count if you log out and in, only if your IP changes, as an example). You're then put into a "waiting queue", and the mobile phone registered to the account receives an automated text message with, say, an 8-digit code. You must then type that code into the box present at the "waiting queue" in order to continue to log in. You have 2 attempts, and if you fail both attempts then your account is locked for 1 hour. Obviously if you enter the code correctly you're then taken to the game.

All the above is only applied if you've activated that setting; obviously there could be other options.

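The step-up flow sketched in the post above, as an added example that is not part of the original thread or of any Jagex code: a login from an IP the account has not used before is parked until an 8-digit code sent to the registered phone is entered, and two wrong codes lock the account for an hour. The `send_sms` callback, the in-memory state and the account names are assumptions made for illustration.

```python
"""Illustrative step-up login challenge (constructed example, not Jagex's code)."""
import hmac
import secrets
import time

CODE_DIGITS = 8          # length of the one-time code from the post
MAX_ATTEMPTS = 2         # two tries, then lock
LOCKOUT_SECONDS = 3600   # locked for one hour


class AccountGuard:
    def __init__(self, send_sms, now=time.time):
        self.send_sms = send_sms   # assumed callback(phone, message) that delivers the text
        self.now = now             # injectable clock so lockouts can be tested
        self.known_ips = {}        # account -> set of IPs that already passed a challenge
        self.pending = {}          # account -> {"code", "attempts", "ip"} while in the queue
        self.locked_until = {}     # account -> unix time until which logins are refused

    def login(self, account, phone, ip):
        """Returns 'ok' (same IP as before), 'challenge' (code sent) or 'locked'."""
        if self.now() < self.locked_until.get(account, 0):
            return "locked"
        if ip in self.known_ips.setdefault(account, set()):
            return "ok"
        # Cryptographically random digits; never derived from time or account data.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[account] = {"code": code, "attempts": 0, "ip": ip}
        self.send_sms(phone, f"Your login code is {code}")
        return "challenge"

    def verify(self, account, entered):
        """Returns 'ok', 'retry', 'locked' or 'no_challenge'."""
        if self.now() < self.locked_until.get(account, 0):
            return "locked"
        state = self.pending.get(account)
        if state is None:
            return "no_challenge"
        # Constant-time comparison so the check does not leak matching prefixes.
        if hmac.compare_digest(state["code"], entered.strip()):
            del self.pending[account]
            self.known_ips[account].add(state["ip"])
            return "ok"
        state["attempts"] += 1
        if state["attempts"] >= MAX_ATTEMPTS:
            del self.pending[account]          # discard the code; a fresh login issues a new one
            self.locked_until[account] = self.now() + LOCKOUT_SECONDS
            return "locked"
        return "retry"
```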

It gets worse. The things Jagex have chosen as security questions are things which can very easily be found out by using Facebook or other social networks, or even through general conversation!

I'm furious! I want to be able to ask my own questions, questions which no one can know the answer to unless they were physically in my house, for example. This is an outrage.


Mercifull <3 Suzi

"We don't want players to be able to buy their way to success in RuneScape. If we let players start doing this, it devalues RuneScape for others. We feel your status in real-life shouldn't affect your ability to be successful in RuneScape" Jagex 01/04/01 - 02/03/12


It gets worse. The things Jagex have chosen as security questions are things which can very easily be found out by using Facebook or other social networks, or even through general conversation!

I'm furious! I want to be able to ask my own questions, questions which no one can know the answer to unless they were physically in my house, for example. This is an outrage.

Make up questions and answer those instead of the ones they ask. You should always use random answers to security questions.


Mercifull, in the past you could just click on the text for the question and be free to enter your own question. Is that no longer the case?

"Fight for what you believe in, and believe in what you're fighting for." Can games be art?


My blog here if you want to check out my Times articles and other writings! I always appreciate comments/feedback.


It gets worse. The things Jagex have chosen as security questions are things which can very easily be found out by using Facebook or other social networks, or even through general conversation!

I'm furious! I want to be able to ask my own questions, questions which no one can know the answer to unless they were physically in my house, for example. This is an outrage.

It did annoy me a bit that you couldn't pick your own, BUUUUUT I don't think most of them are all that easy to get via FB/convo without it being obvious.

None of the 5 I picked would be gettable via FB or anywhere on the internet to my knowledge.

I almost used 'eldest cousin' but then I realised I don't even know that answer.

@Arceus this has never existed in the past. You can do that for recovery questions, but it does not let you do it for the JAG questions.


Operation Gold Sparkles :: Chompy Kills ::  Full Profound :: Champions :: Barbarian Notes :: Champions Tackle Box :: MA Rewards

Dragonkin Journals :: Ports Stories :: Elder Chronicles :: Boss Slayer :: Penance King :: Kal'gerion Titles :: Gold Statue


You DO NOT HAVE TO put the correct answers to those questions.

For example:

Question: What is your favorite sports team?

Answer: biggorillawithbanana

I would honestly like to know how someone would find that answer from your Facebook.

All you need is a piece of paper somewhere safe to write the answers down.

@Dan3HitU

Set the email on 2-step verification. You now have 3-step verification!


And how do you remember which silly answer goes with which question? If you have to write it down then it's a flawed system, as it could be lost or accidentally destroyed.


Use your brains and imagination. Make backups. Hide one copy at home. Hide another in your grandpa's wheelchair. Bury one in the graveyard. Carve the answers into a nearby tree.


Having physical copies of anything that relates to your security is bad design. That's the issue, not their imagination. Of course they can and will do what you were suggesting. Chances are they already did previously. But they're understandably frustrated that they're making the same mistakes they did with the account recovery system. They said this would be a way to secure your account when the means to do so leave you vulnerable.


It gets worse. The things Jagex have chosen as security questions are things which can very easily be found out by using Facebook or other social networks, or even through general conversation!

I'm furious! I want to be able to ask my own questions, questions which no one can know the answer to unless they were physically in my house, for example. This is an outrage.

Make up questions and answer those instead of the ones they ask. You should always use random answers to security questions.

The thing is, I'd wager that the majority of people who get hacked probably will never think of something like that. I don't want to say that everyone who gets hacked was just stupid and not watching out, but well... it adds a lot. I guess this system makes you safe from hacking through keylogging (as long as you didn't have a keylogger on the comp while setting the questions, and no keylogger when on a different device either). A lot of people will still be able to be hacked through social engineering like before, and probably also through phishing (yeah, Jagex stresses that you can't change them, but those who enter their password on a phish site, unless it is an extremely good one, will probably also enter their JAG questions if asked).

And as others mentioned, this still has the huge flaw that you will have to write down the answers somewhere.

Really disappointed in this; it could have been so much better so easily.


I still say the questions are obscure enough to not be easily found online.

I mean, mother's middle name? Middle names don't exactly come up all over FB for most.

Eldest cousin's name? It's gonna take a fair bit of legwork to piece together that relation from FB alone, due to marriages and such like, and that's even assuming you are friends on FB with such relatives.

First best friend and first holiday? Again, probably not exactly easy to find on FB and possibly a bit fishy to ask about conversationally.

City where parents first met? Again, not really FB-plastered data.

Unless you reallllllly are sharing TMI, it's quite easy for such answers to not be discoverable.


Not really easily, Jonanananas. It would have been a lot more expensive for them to do a proper 2-step verification. I'll admit it's pretty clever that they basically rely on email's 2-step verification to do the work for them, but they're still using it in conjunction with a broken system.

The thing is, it would have been worth every penny. And they should have those pennies to spare now that the community is more or less open to MTs. I'm grateful for whatever extra security I can get from Jagex... once the system works properly... But they're lagging behind in this department and they have been for years. You would think that now would be the time to actually invest some more money into it, considering the show they've made of being competitive in their industry.


But enough information along those lines is stored and they can ask people who know you. Yes, unlikely in runescape, but social engineering works very well in a lot of situations.


But enough information along those lines is stored and they can ask people who know you. Yes, unlikely in RuneScape, but social engineering works very well in a lot of situations.

It's still kinda a long shot.

I mean, I'm fairly certain none of my friends could answer most of the questions.

Sure, some friends from when I was like 5 might know my first best friend, and my brothers would know mother's middle name and where my parents met; but beyond that no one would have the answers, and even if people did try to get answers out of them, it's not the kind of thing you can ask without looking very weird, and I'm confident anyone they did ask would be like "wtf, why would you need to know that?"


I suppose in theory it's also possible for someone who has managed to install a RAT on a victim's computer to control it remotely and transfer gold and items that way. I'm obviously being quite critical here, and a lot of the scenarios I am proposing would be incredibly rare, but my main point is that they are making similar mistakes as with the current recovery system, and a proper 2-step verification system would prevent all of them.


Should have posted yesterday; I knew it would be an overhaul to their existing system, not what the rest of the world is doing (you can tell because they gave it a cute name).

I am a bit leery of this system though. On the face of it, it's pretty good, especially if your IP is slow to change. Since you are only asked the questions when using a new device or IP, a keylogger would have to wait until this happens, or be waiting on that new device for you. This should give your AV ample time to figure out things aren't on the up and up, and tell you what's going on (and hopefully deal with it). Needless to say, you should ideally be running full scans with an up-to-date (and appropriate) program every time you are going to need to enter those questions.

My issue is the security gained by never being able to change the answers. The best way to use these questions is as 5 additional (very high quality) passwords, that should be total gibberish. Since you will hopefully almost never be using any of them, you will have to record them someplace, or use something painfully obvious so that you will actually be able to remember them (if you can remember a password that you never use, it means that password is a piece of garbage and the gods of computer security should strike you down where you stand). For me, this would be my BlackBerry, which can store passwords as encrypted files that in turn need their own password to decrypt so that they can be viewed. But then I would be relying on my phone to be a perfect device that will never break (and because I don't want all of my eggs in one basket, I keep my RS pass only in my head). But that puts me one hardware fault, or one wet phone, from having a very limited period of time left to use my account.

I'll have to think about this.


Should have posted yesterday; I knew it would be an overhaul to their existing system, not what the rest of the world is doing (you can tell because they gave it a cute name).

I am a bit leery of this system though. On the face of it, it's pretty good, especially if your IP is slow to change. Since you are only asked the questions when using a new device or IP, a keylogger would have to wait until this happens, or be waiting on that new device for you. This should give your AV ample time to figure out things aren't on the up and up, and tell you what's going on (and hopefully deal with it). Needless to say, you should ideally be running full scans with an up-to-date (and appropriate) program every time you are going to need to enter those questions.

My issue is the security gained by never being able to change the answers. The best way to use these questions is as 5 additional (very high quality) passwords, that should be total gibberish. Since you will hopefully almost never be using any of them, you will have to record them someplace, or use something painfully obvious so that you will actually be able to remember them (if you can remember a password that you never use, it means that password is a piece of garbage and the gods of computer security should strike you down where you stand). For me, this would be my BlackBerry, which can store passwords as encrypted files that in turn need their own password to decrypt so that they can be viewed. But then I would be relying on my phone to be a perfect device that will never break (and because I don't want all of my eggs in one basket, I keep my RS pass only in my head). But that puts me one hardware fault, or one wet phone, from having a very limited period of time left to use my account.

I'll have to think about this.

It's not supposed to need redoing when your IP changes; this is a bug. Someone posted JMod quotes a page or 2 back that show this is the case.


With all the promise of 2-step verification, I must say Jagex's proposed system is very, very poor. It's not that much better than my recovery questions: random answers to the questions they gave me, which I ultimately had to write down somewhere, leaving a physical trace that could be lost/destroyed accidentally.

Once again so much promise for an update, only for so much disappointment in the finished product.

Quest Cape Achieved 10/08/2012

TFU: Ruinous Edge


A piece of glass in the sand under your feet, it cuts you deep and it makes you hate the beauty that you see.


It will do the job of protecting your account if you're keylogged, or phished well enough (or at least it will 10 times, until all the possible combinations of questions are used). Not needing a new IP being a bug is good; that reduces how often you need to use it ('never' being ideal).

And I think I know how to generate questions that I will be able to remember, yet won't be painfully obvious to anyone who knows me. I'll use a cipher.
